Office of Consumer Affairs and Business Regulation - Finding 4

The Office of Consumer Affairs and Business Regulation Did Not Perform a Business Impact Analysis or Risk Assessment To Classify Its Information Systems.

Overview

OCABR management told us in interviews that they had not performed a business impact analysis or risk assessment to classify their information systems. Information systems should be classified as low, medium, high, or critical, depending on how the system is used and the sensitivity of the information it contains.

Without a business impact analysis or risk assessment to classify information systems, OCABR cannot rank the criticality of its systems according to the sensitivity of the information stored in them. If vital systems are not classified correctly, they cannot be protected correctly, whether from cybersecurity threats, natural disasters, or fraud. As a result, OCABR could face challenges in planning for these potential disruptions and may not be able to prioritize IT resources effectively in an emergency.

Authoritative Guidance

EOTSS's Asset Management Standard IS.004 states,

6.6.2 Commonwealth Agencies and Offices must conduct a business impact analysis or a risk assessment to determine information system classifications for their information assets.

Reasons for Issue

OCABR management stated that during the last two years, they went through a transition period in which IT personnel from the Executive Office of Economic Development transferred to EOTSS, leaving OCABR without adequate IT staffing. During this time, the Executive Office of Economic Development began using a system to build an initial inventory and create macro-level risk classifications for over 90 applications used by the Executive Office of Economic Development, including OCABR's applications. Although the OCABR team deemed the majority of this information accurate, OCABR has found some inaccuracies that require detailed review and updates. OCABR management expects this review to be completed by the end of the first quarter of 2025, after which a deeper-level risk assessment and business impact analysis will be conducted.

Recommendations

  1. OCABR management should implement a policy to periodically conduct a business impact analysis or risk assessment in order to classify its information systems.
  2. OCABR should review these classifications at least annually or anytime a significant system change occurs.

Auditee’s Response

During and following the audit period, [Executive Office of Economic Development (EOED)] IT implemented an initial macro-level risk classification of over 90 applications using the Application Inventory Rating System (AIRS), including OCABR applications. While this first iteration provided a high-level view of business risk, these metrics represent an overall assessment and do not fully capture the nuanced operational and data sensitivity aspects of each application. A more comprehensive and detailed iteration is currently underway.

EOED IT recently onboarded a Salesforce developer who is helping to enhance AIRS, including the addition of key fields and refined calculation logic to enable more granular and policy-aligned classification of applications. This effort will better reflect the business impact and data sensitivity of each application, supporting more accurate prioritization and risk mitigation strategies.

OCABR is working to validate and update existing records and expects EOED’s enhanced AIRS-based risk classification framework to be in place by the end of [quarter] 3 2025. Following this, formal business impact analyses and deeper-level risk assessments will be conducted on a rolling basis for OCABR applications, in alignment with IS.004 and IS.010 requirements.

A policy for periodic reassessment—at least annually or in response to significant changes—will be formalized to maintain compliance and ensure adaptive risk management.

Auditor’s Reply

Based on its response, OCABR is taking measures to address our concerns regarding this matter.

Date published: May 5, 2025
