Offered by: Office of the State Auditor

Other Matters: The MDAA does not retain information technology (IT) records.

Without reports, MDAA cannot effectively audit to identify cybersecurity threats or to ensure that its network has been effectively and efficiently protected.

Overview

The Massachusetts District Attorneys Association (MDAA) does not retain information technology (IT) records, such as reports or audit log history, as required by its own policy and the Executive Office of Technology Services and Security’s (EOTSS’s) Logging and Event Monitoring Standard IS.011.

Specifically, during the audit period, MDAA did not keep 101 of 104 antivirus reports, 24 of 24 Internet event monitoring reports, 5 of 730 firewall reports, 706 of 730 network monitoring reports, and 706 of 730 network compliance reports.

IT Reports

| Type | Frequency | Total Reports from Audit Period | Reports Kept | Reports Not Kept |
|---|---|---|---|---|
| Antivirus | Weekly | 104 | 3 | 101 |
| Internet Event Monitoring | Every 30 days | 24 | 0 | 24 |
| Firewall | Daily | 730 | 725 | 5 |
| Network Monitoring | Daily | 730 | 24 | 706 |
| Network Compliance | Daily | 730 | 24 | 706 |
Because MDAA does not retain IT reports or audit log history, it cannot effectively audit to identify cybersecurity threats or to ensure that its network has been effectively and efficiently protected.

According to MDAA’s “Media and Records Policy,”

All correspondence, phone logs, emails, work-product and other files maintained in the normal course of business shall be retained for a minimum of three years after the last activity pertaining to the document, except that documents related to policy development shall be retained for a minimum of five years.

According to Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011, MDAA should do the following:

Retain audit trails for the required retention periods per business, legal or regulatory need. Audit log history must be retained for at least one (1) year, with a minimum of three (3) months immediately available for analysis.

From our interviews and observations of MDAA’s IT processes, it appears that MDAA did not fully understand the requirements of its “Media and Records Policy” or Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011. In addition, according to MDAA’s chief information officer (CIO), reports were not retained because the alerts recorded in them had been mitigated or identified as incorrect (the alerts were in response to false threats) in real time, and compiling them in a database would be cost- and resource-prohibitive. According to both MDAA’s CIO and its chief information security officer, MDAA retained emails and documents only when an employee determined that there would be a need in the future (if there was a specific business requirement, another documented requirement, or an event requiring retention).

MDAA should follow the record retention requirements in its policy and retain an audit log history in accordance with Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011.

Auditee’s Response

MDAA will review its record retention policy and ensure that all staff receive and follow the updated policy. MDAA is working to comply with Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011.

Auditor’s Reply

Based on its response, MDAA is taking measures to address our concerns on this matter.

Date published: June 2, 2022
