DTA Did Not Have a Tested Incident Response Plan.

The failure to finalize and test an incident response plan increases the likelihood that sensitive data could be inappropriately accessed or disclosed without being detected and contained.

During our audit period, DTA did not test an incident response plan. DTA provided us with a copy of an incident response plan, but stated that it was still in draft form and had not been tested at DTA. Without a tested incident response plan, there is a higher-than-acceptable risk that DTA cannot effectively identify and respond to information security incidents.

Authoritative Guidance

Section 6.5.2 of EOTSS information security standard IS.009, “Information Security Incident Management,” effective October 15, 2018, requires the following:

Commonwealth Offices and Agencies shall establish a process to modify and evolve the incident response plan and procedures according to lessons learned. The incident response plan and procedures shall be tested at least annually.

Control IR-8 of the National Institute of Standards and Technology Special Publication 800-53, Revision 4, establishes the following best practices:

The organization:

a. Develops an incident response plan that:

1. Provides the organization with a roadmap for implementing its incident response capability;

2. Describes the structure and organization of the incident response capability.

Reasons for Noncompliance

DTA personnel stated that they had previously conducted incident response tests with the Massachusetts Office of Information Technology (MassIT) before the audit period; however, this practice was not continued with EOTSS.

Recommendation

DTA should finalize its incident response plan, test it at least annually, and modify it according to lessons learned from each test.

Auditee’s Response

EOHHS provided the following response on DTA’s behalf.

As acknowledged in the audit report, while EOTSS previously engaged in incident management activities with DTA, those activities have not been conducted for some time. As a result, EOHHS operationalized an incident management program to assist with incident management at DTA and other EOHHS Agencies. EOHHS has developed an enterprise-wide incident response plan in its enterprise standards—which are the agency implementation standards of the EOTSS security policies—and will be meeting with DTA in January to begin operationalization of that plan at DTA. EOTSS has also stated that they will be primarily responsible for incident management at the Commonwealth. EOHHS is awaiting further definition of that role before proceeding too far with its incident response plan, as EOHHS is required to align its plan with EOTSS per the requirements of IS.009.

Auditor’s Reply

Based on its response, EOHHS and DTA are taking measures to address our concerns in this area. DTA, EOHHS, and EOTSS should continue to work together to define their roles in the development and implementation of the incident response plan and ensure that the plan is tested annually.

Date published: January 6, 2020

