Overview
During our audit, we reviewed the Massachusetts Water Resources Authority’s (MWRA’s) information security program (ISP) and determined that it had not been reviewed annually. Specifically, Policy ADM.30 (MWRA Information Technology User Responsibilities) and Policy ADM.31 (MWRA Information Security Policy) of MWRA’s ISP were last reviewed in 2017.
As a result, there is a higher-than-acceptable risk that MWRA’s information systems may not be adequately protected from vulnerabilities, which could result in the loss of protected information.
Authoritative Guidance
According to Policy ADM.31, “The ISP will be reviewed annually.”
Reasons for Issue
MWRA officials told us they were not aware of the requirement to do an annual review of the ISP. Additionally, MWRA did not have internal controls in place to ensure that it reviewed the ISP.
Recommendations
- MWRA should review its ISP annually.
- MWRA should develop and implement internal controls to ensure that it reviews its ISP annually.
Auditee’s Response
MWRA has comprehensively revised its Information Security Policy ADM.31, including additional requirements on annual updating processes, required staff training, roles and responsibilities, and enforcement mechanisms. That policy review was already underway while the audit was being conducted. The revised policy is undergoing final senior management review and is anticipated to be approved before the end of June. While the policy itself had not been formally reviewed annually, MWRA’s Information Security Council, made up of senior staff from process controls, administrative and physical security, meets monthly to discuss events in cyber and physical security and their impact on MWRA policies and procedures. Following the Department of Homeland Security’s recommended best practices, MWRA has a process for distributing and installing security upgrades and patches to all systems.
MWRA internal audit staff will develop and implement the necessary internal controls to ensure that annual reviews of the policy are conducted.
Auditor’s Reply
Based on its response, MWRA is taking measures to address our concerns on this matter.
Date published: August 25, 2023