Massachusetts Emergency Management Agency - Other Matters

The Massachusetts Emergency Management Agency Does Not Have a Written Policy and Procedure To Ensure That Criminal Offender Record Information Background Checks Occur.


Overview

During the audit, we noted that there was no documentation to support that Criminal Offender Record Information (CORI) background checks were conducted for 5 of the 10 MEMA employees we sampled as part of our data reliability assessment of MEMA’s information system controls. This occurred despite the fact that these employees had access to critical systems, such as the Massachusetts Management Accounting and Reporting System (MMARS). Furthermore, our audit revealed that MEMA had no formalized policies and procedures governing the requirement for, and execution of, CORI background checks for its employees.

The absence of background checks for employees with access to critical systems increases the risk of unauthorized access, fraud, and potential malicious activities within the organization. Moreover, the lack of formalized policies and procedures governing this process may lead to inconsistent application, lack of accountability, and potential noncompliance with regulatory requirements.

According to control PS-3 (Personnel Screening) in Section 3.14 (Personnel Security) of the National Institute of Standards and Technology’s Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, organizations should do the following:

a.   Screen individuals prior to authorizing access to the system; and

b.   Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening was so indicated, the frequency of rescreening].

Discussion: Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

MEMA officials told us that while they do perform background checks on new employees, they do not have the policy or procedure documented. Regarding the exceptions we identified, MEMA informed us that it was unable to locate the evidence to show that these employees received CORI background checks.

We recommend that MEMA establish and maintain formal policies to ensure that it consistently performs CORI background checks and that it retains evidence of those background checks in compliance with applicable regulations. This should occur for all employees, especially employees with access to critical systems and sensitive information.

Auditee’s Response

MEMA agrees that it should have a written policy and procedure as described in the “other matters” section of the draft audit report. MEMA is in the process of documenting, in policy and procedure, its practice of conducting CORI checks on all prospective new hires and employees selected for promotions. The policy will also address record retention, in accordance with the Massachusetts Statewide Retention Schedule, and storage requirements.

Auditor’s Reply

Based on MEMA’s response, it is taking measures to address our concerns regarding this matter.

Date published: June 11, 2025
