Massachusetts State College Building Authority - Finding 2

The Massachusetts State College Building Authority’s business continuity plan was missing critical components.

Overview

In our previous audit (Audit No. 2018-0209-3A), we reported that MSCBA had not developed a business continuity plan (BCP). During the current audit, we found that MSCBA has since developed a BCP, but it did not meet the requirements outlined by the Executive Office of Technology Services and Security (EOTSS). Specifically, MSCBA’s BCP did not have the following critical components:

  • a detailed inventory of critical information assets;
  • a clear definition of mission-essential functions;
  • identification of and management procedures for risks associated with the potential loss or disruption of essential business processes and information assets;
  • an analysis of critical business processes;
  • an assessment of likely disruptive events;
  • insights from business impact analyses and risk assessments; and
  • documentation of an order of succession, delegation of authority, and a list of essential records.

Without a comprehensive BCP, MSCBA cannot ensure that it has adequate procedures in place to protect critical information assets or to recover essential operations in the event of a disruption or disaster.

Authoritative Guidance

According to Section 6.1 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005,

Commonwealth Agencies and Offices must establish a Business Continuity Program

6.1.1.2     Perform a risk assessment of critical information assets: Establish controls to identify, contain and mitigate the risks associated with the loss or disruption of critical business processes and information assets. . . .

6.1.1.4     Develop business continuity plans (BCP): Commonwealth Agencies and Offices will develop BCPs for critical business processes based on prioritization of likely disruptive events in light of their probability, severity and consequences for information security identified through the [business impact analysis] and risk assessment processes. . . .

6.1.1.4.3     BCPs must be updated whenever a major organizational change occurs or at least annually, whichever comes first. . . .

6.1.1.4.4.1      Identify essential mission and business functions and a plan for maintaining these functions in the event of system or environment compromise, disruption, or failure. . . .

6.1.1.4.6.1      Perform annual tests of the BCPs to identify incorrect assumptions, oversights, and account for updates to equipment or personnel changes. Test results will be reported to senior management, the Commonwealth [chief information security officer], or his or her designee, and the Security Office.

Although MSCBA is not required to follow this standard, because it is a quasi-governmental agency rather than a Commonwealth agency within the executive branch, EOTSS still recommends that non-executive-branch state agencies follow these standards. We also consider them best practices.

Reasons for Issue

MSCBA officials stated that they were in the process of developing the BCP when the COVID-19 pandemic began. The unexpected pandemic required the agency to shift its focus, delaying completion of its BCP.

Recommendation

MSCBA should update its BCP to include all critical components outlined by EOTSS.

Auditee’s Response

The Authority has made significant progress on the development of a BCP since the [Office of the State Auditor’s (OSA’s)] 2018 audit (Audit No. 2018-0209-3A). Many of the elements of business continuity that relate to technology cited in OSA’s 2018 report have been rectified. For example, the Authority completes an annual disaster recovery drill, performed by its external [information technology] network support provider. As noted in the OSA’s 2018 report and during discussions regarding the OSA’s 2024 audit of the Authority, these disaster recovery drills are performed annually to ensure that all information assets are safeguarded and recoverable should a disruption to access occur. These annual drills have successfully recovered all Authority information assets for seven (7) consecutive years since 2018. Moreover, the Authority is committed to continuing to develop and refine the BCP so that it is continually focused on improving the Authority’s response in the event of a disruption or disaster.

Auditor’s Reply

We acknowledge MSCBA’s efforts in developing a BCP since our prior audit and commend its consistent annual testing of its disaster recovery plan. However, as noted above, MSCBA’s BCP remains incomplete and does not fully align with the requirements established by EOTSS. While disaster recovery is a key element of business continuity, a comprehensive BCP must also address organizational mission-essential functions, risk management procedures, business impact analysis, and succession planning—among other critical areas—which we found are still lacking in the current plan.

We encourage MSCBA to fully implement our recommendation and expand the scope of its BCP to ensure compliance with EOTSS standards, strengthening its ability to withstand and recover from operational disruptions.

Date published: June 18, 2025