Offered by the Office of the State Auditor

The Department of Fire Services Relies on an Information Security Incident Response Plan and Procedures That Do Not Include All Required Elements.

Overview

The information security incident response plan and procedures that DFS relies on do not include guidance for implementing corrective actions or post-incident analysis, criteria for business recovery, data backup processes, or an analysis of legal requirements for reporting IT system compromises.

Without an adequate information security incident response plan and procedures, DFS cannot ensure that it takes sufficient containment measures when it identifies a security incident and subsequently completes proper documentation, an investigation, a risk analysis, and an impact analysis.

Authoritative Guidance

EOTSS’s Information Security Incident Management Standard IS.009 states,

6.5.1.    Incident response procedures

    Commonwealth offices and agencies must document procedures for responding to security incidents to limit further damage to the Commonwealth’s information assets. Procedures shall include:

    6.5.1.1.    Identification of the cause of the incident

    6.5.1.2.    Execution of corrective actions

    6.5.1.3.    Post-incident analysis

    6.5.1.4.    Communication strategy

6.5.2.    Incident response plan

    Commonwealth Offices and Agencies shall establish an incident response plan. The incident response plan shall include, at a minimum:

    6.5.2.1.    Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of required internal and external parties.

    6.5.2.2.    Specific incident response procedures.

    6.5.2.3.    Execution of corrective actions and post-incident analysis.

    6.5.2.4.    Establish criteria to activate business recovery and continuity processes. . . .

    6.5.2.5.    Data backup processes. . . .

    6.5.2.6.    Analysis of legal requirements for reporting [IT system] compromises.

    6.5.2.7.    Reference or inclusion of incident response procedures from required external parties.

Reasons for Issue

DFS management stated that the Executive Office of Public Safety and Security and EOTSS handle DFS’s information security incident response management functions.

Recommendation

DFS should rely on an information security incident response plan and procedures that include all required elements. Alternatively, DFS could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective actions and post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.

Auditee’s Response

The Department of Fire Services currently follows the Executive Office of Public Safety & Security (EOPSS) established process for reporting incidents through the [Secretariat Chief Information Officer], [Chief Information Security Officer] and to the EOTSS Security Operations Center. DFS will continue to collaborate with EOPSS and develop a DFS supplemental plan which will complement the secretariat-wide standards, and which will identify Information Security Response actions and procedures specific to DFS.

Auditor’s Reply

While we acknowledge that EOTSS (as the oversight agency) plays a role in ensuring that DFS has a sufficient information security incident response plan, DFS must develop an information security incident response plan in compliance with EOTSS’s Information Security Incident Management Standard IS.009. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all state executive branch agencies, including DFS, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” Based on its response, DFS is taking measures to address our concerns on this matter.

Date published: March 20, 2024
