This page, DOR and EOTSS Did Not Have an Interdepartmental Service Agreement That Defined and Documented Updated Roles and Responsibilities., is offered by

DOR and EOTSS Did Not Have an Interdepartmental Service Agreement That Defined and Documented Updated Roles and Responsibilities.

Audit calls on DOR to update its interdepartmental service agreement with the Executive Office of Technology Services and Security (EOTSS) to clarify IT-related roles and responsibilities between the agencies.

Table of Contents

Overview

During our audit period, DOR migrated important IT functions, such as network security and user account management, to EOTSS. However, DOR did not have an interdepartmental service agreement (ISA) with EOTSS detailing each agency’s roles and responsibilities related to information security in these areas. Unclear roles and responsibilities may result in activities related to IT security not being effectively managed.

Authoritative Guidance

Section SA-9 of NIST’s Special Publication 800-53, Revision 4, establishes the following best practice:

[An] organization . . . defines and documents government oversight and user roles and responsibilities with regard to external information system services.

Because EOTSS is an external agency to DOR, DOR should follow this best practice.

Reasons for Noncompliance

DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay.

Recommendation

DOR should work with EOTSS to negotiate an updated ISA that spells out roles and responsibilities related to information security and IT governance at DOR.

Auditee’s Response

An ISA between DOR and EOTSS is currently being updated. The ISA will include roles and responsibilities of both parties.

Auditor’s Reply

Based on its response, DOR is taking measures to address this issue. We urge the agency to prioritize the development of an ISA to ensure that each agency’s roles and responsibilities related to information security are properly defined.

Date published: December 13, 2019
Feedback