Offered by the Office of the State Auditor

The Division of Standards’ Business Continuity Plan Does Not Include All Required Elements, and It Does Not Have a Disaster Recovery Plan.

DOS’s business continuity plan does not include either a risk assessment or a business impact analysis. In addition, the plan does not identify a business continuity lead, and it was not updated or tested annually during the audit period.


Overview

DOS’s business continuity plan does not include either a risk assessment or a business impact analysis. Further, the plan does not identify a business continuity lead, and it was not updated or tested annually during the audit period.

Additionally, DOS does not have a disaster recovery plan.

Without adequate and current business continuity and disaster recovery plans, DOS cannot ensure that it has procedures for protecting its information assets, or a plan for recovering critical operations, when an interruption or disaster occurs. A business continuity plan would also give DOS a basis for responding adequately to unplanned business disruptions such as the COVID-19 pandemic.

Authoritative Guidance

The Executive Office of Technology Services and Security’s (EOTSS’s) Business Continuity and Disaster Recovery Standard IS.005 states,

6.1.1.4 Develop business continuity plans (BCP): Each agency shall develop BCPs for critical business processes based on prioritization of likely disruptive events in light of their probability, severity and consequences for information security identified through the [Business Impact Analysis (BIA)] and risk assessment processes. . . .

    6.1.1.4.2 The primary responsibility for developing, maintaining and testing organizational and functional BCPs shall reside with the Business Continuity Lead. . . .

        6.1.1.4.2.2 Point(s) of contact should be identified from the customer side for any incident or crisis communication via call, messaging and/or email. The contact details of the point(s) of contact should be validated and updated at least annually. . . .

6.2.1 Commonwealth Executive Offices and Agencies must develop and maintain processes for disaster recovery plans at both onsite primary Commonwealth locations and at alternate offsite locations. [Disaster recovery] plans shall include step-by-step emergency procedures, including:

    6.2.1.1 Identify relevant stakeholders (primary and secondary) and establish a call tree.

    6.2.1.2 Conduct a damage assessment of the impacted IT infrastructure and applications.

    6.2.1.3 Establish procedures that allow facility access (e.g., recovery/secondary site) in support of the restoration of lost data in the event of an emergency.

    6.2.1.4 Recover critical agency services and information assets based on recovery priorities as established during the BIA.

    6.2.1.5 Provide interim means for performing critical business processes at or above the minimum service level defined in the BCP and within the tolerable length of time.

    6.2.1.6 Restore service at the original site of impact and migrate from the alternate locations to the original site without unacceptable interruption or degradation in service.

Reasons for Issue

DOS management was unaware that it should develop and maintain both a business continuity plan and a disaster recovery plan, and that these plans should be separate from the Executive Office of Economic Development’s and EOTSS’s policies, procedures, and standards.

Recommendations

  1. DOS should update its business continuity plan to include all required elements. It should also update the plan annually and whenever a major organizational change occurs.
  2. DOS should develop and implement a disaster recovery plan.

Auditee’s Response

  1. DOS is working in conjunction with EOTSS to update its current business continuity plan in accordance with all applicable requirements and will issue it as soon as possible. Specifically, DOS is working with EOTSS’ Office of Enterprise Risk Management and their vendor . . . to complete this work as soon as possible.
  2. Two basic requirements of a disaster recovery plan are the identification of a substitute site from which senior management can run agency operations when a disaster occurs, and a back-up IT operation that further enables an agency’s network and business functions to continue working at full capacity. These requirements are beyond the scope of DOS to develop independently. DOS is committed to working to ensure that appropriate disaster recovery plans are in place and consistent with the “Business Continuity and Disaster Recovery Standard” established and maintained by the Commonwealth’s Chief Information Security Officer.

Auditor’s Reply

While we acknowledge that EOTSS (as the oversight agency) plays a role in ensuring that DOS has a sufficient disaster recovery plan, DOS must develop a disaster recovery plan in compliance with EOTSS’s Business Continuity and Disaster Recovery Standard IS.005. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all state executive branch agencies, including DOS, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” Based on its response, DOS is taking measures to address our concerns on this matter.

Date published: March 19, 2024
