Offered by: Office of the State Auditor

CPCS Did Not Have a Business Continuity and Disaster Recovery Plan.



Overview

As of the end of our audit period, CPCS had not developed, documented, or tested a business continuity and disaster recovery plan for its business and operational objectives, potential risks and exposures, and the relative importance of the committee’s systems and data.

Without a business continuity and disaster recovery plan, employees may not be sufficiently trained in performing recovery efforts, including those related to CPCS’s mission-critical applications. In addition, CPCS has not assessed its ability to continue operations in the event of a business interruption, which could lead to reputational loss, financial loss, or breach of data.

Authoritative Guidance

Section 6 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 states,

Commonwealth Executive Offices and Agencies must establish a Business Continuity Program. . . .

6.1.1.4 Develop business continuity plans (BCP): Each agency shall develop BCPs for critical business processes based on prioritization of likely disruptive events in light of their probability, severity and consequences for information security identified through the [business impact analysis] and risk assessment processes.

Reasons for Issue

CPCS management stated that in fiscal year 2019, the staff member assigned to write the business continuity and disaster recovery plan took a leave of absence, and in fiscal year 2020, CPCS put out a request for proposals for a vendor to prepare a business continuity and disaster recovery plan. In fiscal year 2021, CPCS’s chief information officer resigned before CPCS awarded a contract to a vendor, and as of the end of our audit period, CPCS was waiting for a new chief information officer to resume the process.

Recommendation

CPCS should develop, document, test, and implement a business continuity and disaster recovery plan.

Auditee’s Response

CPCS has documented a Continuity of Operations Plan (“COOP”). The COOP was developed by CPCS senior management in collaboration with consultants with expertise in creating robust Business Continuity Plans for government agencies. This process was completed last year, and the formal plan has been presented to and reviewed by our governing board.

Further, senior management will be participating in table-top exercises in March 2023 to test and enhance our crisis management skills and the agency’s resiliency in the event of a cyber (or other) attack on agency systems which could impact both the provision of legal services to our clients and the regular business operations of CPCS. These exercises will help to hone the skills required to manage the agency during a major crisis or other disruptions with the smallest possible impact on our clients and staff.

Finally, regarding disaster recovery, the [Information Technology, or IT] Department at CPCS oversees several information security products and services to monitor and defend against ongoing cybersecurity risks, including but not limited to:

  • Firewall & Endpoint Protection
  • Managed Detection and Response
  • E-Mail & Web Filtering
  • Multifactor Authentication
  • Ongoing Cybersecurity Awareness Training and Phishing Testing
  • Virtual Information Security Officer Strategic Services

Implementation and ongoing maintenance of these services is sponsored and supported by senior leadership at the agency.

CPCS currently utilizes IT disaster recovery procedures to guide recovery, including but not limited to tightly controlled access to the broader internet as well as a multi-level cloud and on-premises backup strategy.

CPCS’ COOP includes an embedded business impact analysis summary to set strategic expectations for recovery objectives. As an additional step, the agency is currently working to further formalize its continuity planning by gathering and integrating business impact analyses from all practice and operational areas into a set of detailed business continuity plans which will inform the IT disaster recovery plan expected to be completed by the end of calendar year 2023.

Auditor’s Reply

Based on its response, CPCS is taking measures to address our concerns in this area.

Date published: June 9, 2023
