The Department of Revenue Did Not Establish an Information Technology Strategy Committee.

The Department of Revenue (DOR) did not have an information technology (IT) strategy committee whose role would include ensuring IT governance, determining acceptable risk, aligning IT resources, and creating strategies to mitigate risk to an acceptable level in line with business needs. DOR previously had a security review board, but the board has not been active since early 2017. In addition, it did not have governance over the allocation of IT resources or the determination of acceptable risks. Without a committee or board charged with governing DOR’s IT environment, responsibility for IT governance and risk is not clear. This can result in information security risks and investments not being aligned with business needs.

The Information Systems Audit and Control Association’s Control Objectives for Information and Related Technology 4.1 establishes the following best practices for IT governance.

PO4     Define the IT Processes, Organization and Relationships . . .

A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritization of IT resources in line with business needs. . . .

PO4.2  IT Strategy Committee

Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board. . . .

PO4.8  Responsibility for Risk, Security and Compliance

Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organization-wide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.

As part of the One Network initiative, the Executive Office of Technology Services and Security (EOTSS) is responsible for IT governance throughout the Commonwealth. However, EOTSS and DOR have not yet defined roles and responsibilities related to governance at DOR.

DOR should work with EOTSS to establish an IT strategy committee that meets regularly to ensure IT governance, determine acceptable risk, align IT resources, and create strategies to mitigate risk to an acceptable level in line with business needs.

DOR will work with EOTSS to establish a Governance, Risk, and Compliance (GRC) committee comprised of the following and/or their designees:

• Commissioner
• Chief Financial Officer
• General Counsel
• Chief Risk Officer
• Chief Information Officer.

GRC will meet at least annually or as needed to determine whether governance, risk management efforts, and resources (IT and non-IT) support the Agency's ability to achieve its mission.

Based on its response, DOR is taking measures to address this issue.