DOR and EOTSS Did Not Have an Interdepartmental Service Agreement That Defined and Documented Updated Roles and Responsibilities.

During our audit period, DOR migrated important IT functions, such as network security and user account management, to EOTSS. However, DOR did not have an interdepartmental service agreement (ISA) with EOTSS detailing each agency’s roles and responsibilities related to information security in these areas. Unclear roles and responsibilities may result in activities related to IT security not being effectively managed.

Section SA-9 of NIST’s Special Publication 800-53, Revision 4, establishes the following best practice:

[An] organization . . . defines and documents government oversight and user roles and responsibilities with regard to external information system services.

Because EOTSS is an external agency to DOR, DOR should follow this best practice.

DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay.

DOR should work with EOTSS to negotiate an updated ISA that spells out roles and responsibilities related to information security and IT governance at DOR.

An ISA between DOR and EOTSS is currently being updated. The ISA will include roles and responsibilities of both parties.

Based on its response, DOR is taking measures to address this issue. We urge the agency to prioritize the development of an ISA to ensure that each agency’s roles and responsibilities related to information security are properly defined.