Offered by the Office of the State Auditor

DOR Did Not Have Documented and Tested Incident Response Procedures.

The report notes DOR did not have procedures in place to guide its response to IT security incidents.


Overview

Although DOR had a “Security Incident Response Policy,” which included a policy outline and high-level responsibilities, it had not developed the “Security Incident Response Procedure” document that DOR management officials told us they planned to develop. This document would have outlined what DOR would do to implement its “Security Incident Response Policy” and what controls it would put in place to detect, respond to, and resolve incidents affecting the security of the personally identifiable information (PII) that DOR maintains. In addition, DOR could not provide evidence of an incident response test. Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion.

Authoritative Guidance

DOR’s “Security Incident Response Policy,” dated July 1, 2015, states,

The DOR Security Incident Response Procedure should be consulted for more detailed process information.

In addition, the “Incident Response” section of the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53, Revision 4, establishes the following best practices:

IR-1           INCIDENT RESPONSE POLICY AND PROCEDURES

Control: The organization:

a.   Develops, documents, and disseminates . . .

1.   An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2.   Procedures to facilitate the implementation of the incident response policy and associated incident response controls. . . .

IR-3           INCIDENT RESPONSE TESTING

Control: The organization tests the incident response capability for the information system . . . to determine the incident response effectiveness and documents the results.

Reasons for Issue

DOR management officials stated that because of the vast number of scenarios that this incident response plan would have to cover, they are still in the process of developing it. They could not tell us when it would be developed.

Recommendations

1.    DOR should develop and document security incident response procedures to facilitate the implementation of its “Security Incident Response Policy” and associated incident response controls.

2.    Once security incident response procedures are documented, DOR should test them regularly.

Auditee’s Response

The Incident Response Policy and Incident Response Plan (Plan) have been under revision. The Plan includes roles, responsibilities, and communication strategies for notifying and informing the appropriate individuals and groups. DOR will collaborate with [Executive Office for Administration and Finance] IT to develop and execute annual tests of the Plan, which may include (but not be limited to) tabletop exercises and drills.

Auditor’s Reply

Based on its response, DOR is taking measures to address this issue.

Date published: December 13, 2019
