This page, The Massachusetts Department of Transportation’s Aeronautics Division Does Not Have a Business Continuity Plan., is offered by Office of the State Auditor

The Massachusetts Department of Transportation’s Aeronautics Division Does Not Have a Business Continuity Plan.

Without a BCP, staff members may not be sufficiently trained in performing recovery efforts, including those related to the Aeronautics Division’s mission-critical applications.

Overview

In our two previous audits (2008-0044-4T, issued November 13, 2008, and 2016-0044-4A, issued August 18, 2017), we reported that the Massachusetts Department of Transportation’s (MassDOT’s) Aeronautics Division had not documented and tested a business continuity plan (BCP) to restore mission-critical and essential business functions in the event of an emergency. The division has still not developed, documented, and tested a BCP for business and operational objectives, potential risks and exposures, and the relative importance of the division’s systems and data.

Without a BCP, staff members may not be sufficiently trained in performing recovery efforts, including those related to the Aeronautics Division’s mission-critical applications. In addition, the division has not assessed its ability to continue operations in the event of a business interruption, which could lead to reputational loss, financial loss, or breaches of data.

Authoritative Guidance

Section 6 of the Executive Office of Technology Services and Security’s (EOTSS’s) Business Continuity and Disaster Recovery Standard IS.005 states,

Commonwealth Executive Offices and Agencies must establish a Business Continuity Program. . . .

6.1.1.4  Develop business continuity plans (BCP): Each agency shall develop BCPs for critical business processes based on prioritization of likely disruptive events in light of their probability, severity and consequences for information security identified through the [business impact analysis] and risk assessment processes.

6.1.1.4.1  BCPs shall address both manual and automated processes used by the agency and document minimum operating requirements to resume critical functions/applications in an appropriate period of time.

Reasons for Noncompliance

The Aeronautics Division did not provide a reason that it did not have a BCP. However, during our audit, we learned that MassDOT had added two employees to support the development of BCPs.

Recommendation

The Aeronautics Division, in conjunction with the new MassDOT employees, should develop, document, and test a BCP.

Auditee’s Response

Management concurs with the auditors’ Recommendations, and the following actions will be taken to correct the situation.

The Aeronautics Division Deputy Administrator will immediately begin to work with the Aeronautics Administrator to ensure the business continuity plan (BCP) is developed and implemented. After implementation, the BCP will be reviewed on an annual basis.

The Deputy Administrator will work with the MassDOT IT Department to finalize and implement the Aeronautics Division BCP. The development, documentation, and testing will be accomplished in accordance with the Executive Office of Technology Services and Security’s (EOTSS) Business Continuity and Disaster Recovery Standard.

In addition, the BCP will evaluate and document the effects and heightened risks resulting from the 2019 coronavirus (COVID-19) pandemic. The Aeronautics Division Deputy Administrator will ensure that all Aeronautics Division staff are advised of any BCP revisions.

Auditor’s Reply

Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter.

Date published: June 30, 2022
