Although DOR had a “Security Incident Response Policy,” which included a policy outline and high-level responsibilities, it had not developed the “Security Incident Response Procedure” document that DOR management officials told us they planned to develop. This document would have outlined what DOR would do to implement its “Security Incident Response Policy” and what controls it would put in place to detect, respond to, and resolve incidents affecting the security of the personally identifiable information (PII) that DOR maintains. In addition, DOR could not provide evidence of an incident response test. Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion.
DOR’s “Security Incident Response Policy,” dated July 1 2015, states,
The DOR Security Incident Response Procedure should be consulted for more detailed process information.
In addition, the “Incident Response” section of the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53, Revision 4, establishes the following best practices:
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
Control: The organization:
a. Develops, documents, and disseminates . . .
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls. . . .
IR-3 INCIDENT RESPONSE TESTING
Control: The organization tests the incident response capability for the information system . . . to determine the incident response effectiveness and documents the results.
Reasons for Issue
DOR management officials stated that because of the vast number of scenarios that this incident response plan would have to cover, they are still in the process of developing it. They could not tell us when it would be developed.
1. DOR should develop and document security incident response procedures to facilitate the implementation of its “Security Incident Response Policy” and associated incident response controls.
2. Once security incident response procedures are documented, DOR should test them regularly.
The Incident Response Policy and Incident Response Plan (Plan) have been under revision. The Plan includes roles, responsibilities, and communication strategies for notifying and informing the appropriate individuals and groups. DOR will collaborate with [Executive Office for Administration and Finance] IT to develop and execute annual tests of the Plan, which may include (but not be limited to) tabletop exercises and drills.
Based on its response, DOR is taking measures to address this issue.
|Date published:||December 13, 2019|