Overview
The information security incident response plan and procedures that DOS relies on do not include guidance for implementing corrective actions or post-incident analysis, criteria for business recovery, data backup processes, an analysis of legal requirements for reporting IT system compromises, or incident response procedures from required external parties.
Without an adequate information security incident response plan and procedures, DOS cannot ensure that it takes sufficient containment measures when it identifies a security incident and subsequently completes proper documentation, an investigation, a risk analysis, and an impact analysis.
Authoritative Guidance
EOTSS’s Information Security Incident Management Standard IS.009 states,
6.5.1. Incident response procedures
Commonwealth offices and agencies must document procedures for responding to security incidents to limit further damage to the Commonwealth’s information assets. Procedures shall include:
6.5.1.1. Identification of the cause of the incident
6.5.1.2. Execution of corrective actions
6.5.1.3. Post-incident analysis
6.5.1.4. Communication strategy
6.5.2. Incident response plan
Commonwealth Offices and Agencies shall establish an incident response plan. The incident response plan shall include, at a minimum:
6.5.2.1. Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of required internal and external parties.
6.5.2.2. Specific incident response procedures.
6.5.2.3. Execution of corrective actions and post-incident analysis.
6.5.2.4. Establish criteria to activate business recovery and continuity processes. . . .
6.5.2.5. Data backup processes. . . .
6.5.2.6. Analysis of legal requirements for reporting [IT system] compromises.
6.5.2.7. Reference or inclusion of incident response procedures from required external parties.
Reasons for Issue
DOS management stated that the Executive Office of Economic Development and EOTSS handle DOS’s information security incident response management functions.
Recommendation
DOS should rely on an information security incident response plan and procedures that include all required elements. Alternatively, DOS could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.
Auditee’s Response
DOS relies on and follows the information security incident response plan and procedures adopted by [the Executive Office of Economic Development (EOED)]. As discussed during the Audit, because DOS lacks the technical expertise required to independently develop and implement a supplemental incident response plan and procedures as suggested, DOS will work with EOTSS and EOED IT to ensure that our information security incident response plan and procedures, or any supplements thereto, include all elements required by EOTSS’ Information Security Incident Management Standard IS.009.
Auditor’s Reply
While we acknowledge that EOTSS (as the oversight agency) plays a role in ensuring that DOS has a sufficient information security incident response plan, DOS must develop an information security incident response plan in compliance with EOTSS’s Information Security Incident Management Standard IS.009. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all state executive branch agencies, including DOS, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” Based on its response, DOS is taking measures to address our concerns on this matter.
| Date published: | March 19, 2024 |
|---|