Overview
The information security incident response plan and procedures that DFS relies on do not include guidance for implementing corrective actions or post-incident analysis, criteria for business recovery, data backup processes, or an analysis of legal requirements for reporting IT system compromises.
Without an adequate information security incident response plan and procedures, DFS cannot ensure that it takes sufficient containment measures when it identifies a security incident and subsequently completes proper documentation, an investigation, a risk analysis, and an impact analysis.
Authoritative Guidance
EOTSS’s Information Security Incident Management Standard IS.009 states,
6.5.1. Incident response procedures
Commonwealth offices and agencies must document procedures for responding to security incidents to limit further damage to the Commonwealth’s information assets. Procedures shall include:
6.5.1.1. Identification of the cause of the incident
6.5.1.2. Execution of corrective actions
6.5.1.3. Post-incident analysis
6.5.1.4. Communication strategy
6.5.2. Incident response plan
Commonwealth Offices and Agencies shall establish an incident response plan. The incident response plan shall include, at a minimum:
6.5.2.1. Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of required internal and external parties.
6.5.2.2. Specific incident response procedures.
6.5.2.3. Execution of corrective actions and post-incident analysis.
6.5.2.4. Establish criteria to activate business recovery and continuity processes. . . .
6.5.2.5. Data backup processes. . . .
6.5.2.6. Analysis of legal requirements for reporting [IT system] compromises.
6.5.2.7. Reference or inclusion of incident response procedures from required external parties.
Reasons for Issue
DFS management stated that the Executive Office of Public Safety and Security and EOTSS handle DFS’s information security incident response management functions.
Recommendation
DFS should rely on an information security incident response plan and procedures that include all required elements. Alternatively, DFS could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.
Auditee’s Response
The Department of Fire Services currently follows the Executive Office of Public Safety & Security (EOPSS) established process for reporting incidents through the [Secretariat Chief Information Officer], [Chief Information Security Officer] and to the EOTSS Security Operations Center. DFS will continue to collaborate with EOPSS and develop a DFS supplemental plan which will complement the secretariat-wide standards, and which will identify Information Security Response actions and procedures specific to DFS.
Auditor’s Reply
While we acknowledge that EOTSS (as the oversight agency) plays a role in ensuring that DFS has a sufficient information security incident response plan, DFS must develop an information security incident response plan in compliance with EOTSS’s Information Security Incident Management Standard IS.009. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all state executive branch agencies, including DFS, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” Based on its response, DFS is taking measures to address our concerns on this matter.
Date published: | March 20, 2024 |
---|