Offered by: Office of the State Auditor

The Division of Insurance Did Not Update Its Business Continuity Plan or Have a Disaster Recovery Plan.

DOI did not update its business continuity plan and did not have a disaster recovery plan during the audit period.


Overview


Without an updated business continuity plan or a disaster recovery plan, DOI cannot ensure that it has procedures for protecting information assets or a plan to recover critical operations when an interruption or disaster occurs. Additionally, a business continuity plan would ensure that DOI has an adequate response to unplanned business disruptions like the COVID-19 pandemic.

Authoritative Guidance

EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 states,

6.1.1.4    Develop business continuity plans (BCP): Each agency shall develop BCPs for critical business processes. . . .

    6.1.1.4.3  BCPs shall be updated whenever a major organizational change occurs or at least annually, whichever comes first. . . .

6.2.1  Commonwealth Executive Offices and Agencies must develop and maintain processes for disaster recovery plans at both onsite primary Commonwealth locations and at alternate offsite locations. [Disaster recovery] plans shall include step-by-step emergency procedures.

Reasons for Issue

DOI management stated that process changes brought on by the COVID-19 pandemic were the primary cause for not updating the agency’s business continuity plan. DOI management added that updates to the 2020 business continuity plan, which will take into account agency-wide process changes, are currently in progress and should be released by the end of calendar year 2023.

DOI management stated that elements of a disaster recovery plan are included in the business continuity plan and internal control plan.

Recommendations

  1. DOI should update its business continuity plan annually and whenever a major organizational change occurs.
  2. DOI should develop and implement a disaster recovery plan.

Auditee’s Response

The DOI is working in conjunction with EOTSS to update its current business continuity plan in accordance with all applicable requirements and will issue it as soon as possible.

Two basic requirements of a disaster recovery plan are the identification of a substitute site from which senior management can run agency operations when a disaster occurs, and a back-up IT operation that further enables an agency’s network and business functions to continue working at full capacity. These requirements are beyond the scope of the DOI to develop independently. The DOI is committed to working to ensure that appropriate disaster recovery plans are in place and consistent with the “Business Continuity and Disaster Recovery Standard” established and maintained by the Commonwealth’s Chief Information Security Officer.

Auditor’s Reply

While we acknowledge that EOTSS (as the oversight agency) plays a role in ensuring that DOI has a sufficient disaster recovery plan, DOI must develop a disaster recovery plan in compliance with EOTSS’s Business Continuity and Disaster Recovery Standard IS.005. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all state executive branch agencies, including DOI, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” Based on its response, DOI is taking measures to address our concerns on this matter.

Date published: March 19, 2024
