Overview
The information security incident response plan and procedures that DOI relies on do not include guidance for implementing corrective actions or post-incident analysis, criteria for business recovery, data backup processes, an analysis of legal requirements for reporting IT system compromises, or incident response procedures from required external parties.
Without an adequate information security incident response plan and procedures, DOI cannot ensure that it takes sufficient containment measures when it identifies a security incident and subsequently completes proper documentation, an investigation, a risk analysis, and an impact analysis.
Authoritative Guidance
EOTSS’s Information Security Incident Management Standard IS.009 states,
6.5.1. Incident response procedures
Commonwealth offices and agencies must document procedures for responding to security incidents to limit further damage to the Commonwealth’s information assets. Procedures shall include:
6.5.1.1. Identification of the cause of the incident
6.5.1.2. Execution of corrective actions
6.5.1.3. Post-incident analysis
6.5.1.4. Communication strategy
6.5.2. Incident response plan
Commonwealth Offices and Agencies shall establish an incident response plan. The incident response plan shall include, at a minimum:
6.5.2.1. Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of required internal and external parties.
6.5.2.2. Specific incident response procedures.
6.5.2.3. Execution of corrective actions and post-incident analysis.
6.5.2.4. Establish criteria to activate business recovery and continuity processes. . . .
6.5.2.5. Data backup processes. . . .
6.5.2.6. Analysis of legal requirements for reporting [IT system] compromises.
6.5.2.7. Reference or inclusion of incident response procedures from required external parties.
Reasons for Issue
DOI management stated that the Executive Office of Economic Development and EOTSS handle DOI’s information security incident response management functions.
Recommendation
DOI should rely on an information security incident response plan and procedures that include all elements required by EOTSS's Information Security Incident Management Standard IS.009. Alternatively, DOI could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective actions and post-incident analysis, criteria for business recovery, data backup processes, an analysis of legal requirements for reporting IT system compromises, and incident response procedures from required external parties.
Auditee’s Response
DOI relies on and follows the information security incident response plan and procedures adopted by the Executive Office of Economic Development (“EOED”). As discussed during the Audit, because DOI lacks the technical expertise required to independently develop and implement a supplemental incident response plan and procedures as suggested, DOI will work with EOTSS and EOED IT to ensure that our information security incident response plan and procedures, or any supplements thereto, include all elements required by EOTSS’ Information Security Incident Management Standard IS.009.
Auditor’s Reply
While we acknowledge that EOTSS (as the oversight agency) plays a role in ensuring that DOI has a sufficient information security incident response plan, DOI must develop an information security incident response plan in compliance with EOTSS’s Information Security Incident Management Standard IS.009. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all state executive branch agencies, including DOI, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” Based on its response, DOI is taking measures to address our concerns on this matter.
Date published: March 19, 2024