Offered by: Office of the State Auditor

EOE Did Not Ensure That All of Its Third-Party Contracts Contained Essential Security Provisions.

The audit determined that none of the reviewed IT contracts contained all the security policies established by the Executive Office of Technology Services and Security (EOTSS).

Overview

We selected 6 of 22 IT contracts that were ongoing during our audit period to determine whether they contained all of the required EOTSS security policies and found that none of the 6 contracts fully addressed EOTSS’s “Third-Party Information Security Standard.” Specifically, none contained all 16 of the IT-security-related contract provisions that this standard requires to be included in all IT contracts, such as the IT contractor’s obligation to periodically deliver an independent report to EOE on the effectiveness of its IT security controls. As a result, there is a higher-than-acceptable risk that EOE may experience security issues, such as misuse of confidential information, with some of its IT vendors.

Authoritative Guidance

On October 1, 2017, EOTSS published on its website the preliminary policy “Third-Party Information Security Standard,” which established the following best practices for the Commonwealth:

Commonwealth Offices and Agencies must ensure that Information Security policies and requirements are addressed and documented in any contract with the third party.

Reasons for Noncompliance

EOE management stated that they relied on OSD to ensure that these requirements were contained in master service agreements[1] that OSD established for these services. However, although EOE selected some of these vendors (four out of six) from a master service agreement, it ultimately negotiated separate contracts with all six vendors and therefore was responsible for ensuring that the contracts complied with EOTSS’s “Third-Party Information Security Standard.” EOE lacked the controls (i.e., policies and procedures) necessary to ensure compliance with these requirements.

Recommendation

EOE should establish policies and procedures that require that all IT contracts it negotiates with IT vendors comply with EOTSS’s “Third-Party Information Security Standard.”

Auditee’s Response

EOE ensures that each third-party contract contains required security policies. . . . IT vendors commit to compliance with security policies when they enter a contractual relationship with EOE, whether through use of a statewide contract or in response to an agency-issued [Request for Response, or RFR]. As discussed above, whether EOE uses a statewide contract or an agency-issued RFR to procure IT deliverables or services, vendors commit to abiding by a variety of information security requirements—found, e.g., in the Standard Contract, the Commonwealth Terms and Conditions, the provisions of the statewide contract or RFR, the Executive Order 504 attestation, etc.

EOE also has identified internal policies, including our Procurement Policy and the half-dozen IT-related policies incorporated in our Internal Control Plan that establish security-related requirements and responsibilities, framing and orienting our ongoing work. The [audit team] cites a single policy—EOTSS’s Third-Party Information Security Standard—to which it proposes EOE comply. As previously noted, that Standard already applies to EOE by its terms, but EOE has added it as of July 2, 2019, to its Internal Control Plan policy list as EOE-IT-7 Third-Party Information Security Standard, providing an EOE cover memorandum followed by the EOTSS Standard in its entirety. Moving forward, EOE will provide each vendor with a copy of EOE-IT-7 upon bid award.

EOE also submitted supplemental information (contract provisions), presented in the Appendix to this report.

Auditor’s Reply

OSA acknowledges that EOE’s contracts with these six vendors contain various important provisions related to the management and protection of Commonwealth data that the vendors may obtain and/or access when providing goods or services. However, these standard contract provisions do not address all of the security provisions in the EOTSS standards, such as the IT contractor’s obligation to periodically deliver an independent report to EOE on the effectiveness of its IT security controls and the Commonwealth’s right to audit the performance of information security and other contractual responsibilities. Therefore, we again urge EOE to implement our recommendation.

[1] These contracts set the foundation for future business between parties, allowing them to quickly approve new transactions or agreements without having to renegotiate the terms.

Date published: October 11, 2019
