Although MassCEC stores backup copies of its own network-based information both on site and off site, it did not have a documented and tested disaster-recovery plan (DRP) or business-continuity plan (BCP) for restoring system functionality if its computer systems were rendered inoperable or inaccessible.
The lack of a documented, tested, and approved plan to address the resumption of system functionality may significantly affect MassCEC’s efforts to properly recover and restore mission-critical and confidential data. Further, without such a plan, MassCEC could experience delays in reestablishing mission-critical software for processing transactions, financial data, and sales and marketing performance data. Recovery tests are a key component of an effective BCP.
The Enterprise Business Continuity for IT Management Policy issued June 5, 2013 by the Executive Office of Technology Services and Security (EOTSS) states,
1. Agencies are required to develop, implement, test and maintain a Business Continuity Plan (BCP) for all Information Technology Resources (ITR) that deliver or support core Critical Business Functions on behalf of the Commonwealth of Massachusetts. . . .
8. Agencies are required to document, implement and annually test plans including the testing of all appropriate security provisions to minimize impact to systems or processes from the effects of major failures of IT Resources or disasters.
In addition, EOTSS’s Enterprise Information Security Policy requires agencies to do the following:
Document, implement and annually test plans including the testing of all appropriate security provisions to minimize impact to systems or processes from the effects of major failures of IT Resources or disasters via adoption of:
- Continuity of operations plan and
- A disaster recovery plan.
Although MassCEC may not specifically be required to follow these policies, they represent a best practice that should be followed by all Commonwealth government organizations, including MassCEC.
Reasons for Issues
MassCEC’s management said they believed that the agency’s plan for storing backup data off site, described in its internal control plan, was sufficient documentation for the restoration of its computer systems. However, MassCEC’s plan did not contain the elements that a BCP or DRP is required to include.
MassCEC should assess its computer systems from a risk-management and business-continuity perspective and develop and test an appropriate DRP and BCP. It should reassess such plans at least annually or upon major changes to its operations or overall IT environment.
MassCEC is committed to strengthening our IT operations, and has continually enhanced our IT environment, policies and procedures over the last several years. As previously discussed with the audit team, MassCEC has disaster recovery and offsite data backup procedures which have been documented and are periodically tested. We acknowledge that certain elements were not documented in a centralized policy. In response to the state auditor’s recommendation, management is in the process of enhancing the current backup and disaster recovery procedures by formalizing them into a centralized business continuity and disaster recovery plan in order to ensure more effective communication and implementation throughout the entire organization. This enhancement will include a requirement to assess the plans at least annually or upon a significant change to the overall IT environment.
|Date published:||June 11, 2018|