Overview
During our audit period, DOR migrated important IT functions, such as network security and user account management, to EOTSS. However, DOR did not have an interdepartmental service agreement (ISA) with EOTSS detailing each agency’s roles and responsibilities related to information security in these areas. Unclear roles and responsibilities may result in activities related to IT security not being effectively managed.
Authoritative Guidance
Section SA-9 of NIST’s Special Publication 800-53, Revision 4, establishes the following best practice:
[An] organization . . . defines and documents government oversight and user roles and responsibilities with regard to external information system services.
Because EOTSS is an external agency to DOR, DOR should follow this best practice.
Reasons for Noncompliance
DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay.
Recommendation
DOR should work with EOTSS to negotiate an updated ISA that spells out roles and responsibilities related to information security and IT governance at DOR.
Auditee’s Response
An ISA between DOR and EOTSS is currently being updated. The ISA will include roles and responsibilities of both parties.
Auditor’s Reply
Based on its response, DOR is taking measures to address this issue. We urge the agency to prioritize the development of an ISA to ensure that each agency’s roles and responsibilities related to information security are properly defined.
Date published: December 13, 2019