Overview
OSD does not have a business continuity plan or a disaster recovery plan to ensure the continuity of operations in the case of an interruption or disaster.
Without a business continuity plan or disaster recovery plan, OSD cannot ensure that it has established procedures for the continuation of critical business processes in the event of any organizational or information technology infrastructure failure. An interruption or disaster may result in lost or incorrectly processed data, creating financial losses, expensive recovery efforts, and inaccurate or incomplete data. Additionally, if OSD is inoperable, statewide procurement may cease.
Authoritative Guidance
EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 states,
6.1.1.4 Develop business continuity plans (BCP): Each agency shall develop BCPs for critical business processes based on prioritization of likely disruptive events in light of their probability, severity and consequences for information security identified through the [Business Impact Analysis] and risk assessment processes. . . .
6.2.1 Commonwealth Executive Offices and Agencies must develop and maintain processes for disaster recovery plans at both onsite primary Commonwealth locations and at alternate offsite locations. [Disaster recovery] plans shall include step-by-step emergency procedures.
Reasons for Issue
OSD management was unaware that they should develop and maintain business continuity and disaster recovery plans separate from the Executive Office for Administration and Finance’s plan and EOTSS policies, procedures, and standards.
Recommendations
1. OSD should develop, document, and test a business continuity plan.
2. OSD should develop, document, and test a disaster recovery plan for both onsite and offsite recovery locations.
Auditee’s Response
OSD acknowledges that it did not have a written plan that was fully compliant with EOTSS’s Business Continuity and Disaster Recovery Standard IS.005. OSD did have an obsolete plan that has been reviewed and updated to comply with the EOTSS standards since the audit took place. OSD will make a copy available to the audit team upon request.
OSD would like to note that it has always had procedures and systems in place to ensure that its operations continue in the case of infrastructure failures or disaster. OSD has demonstrated the ability to maintain operations during challenging circumstances. For example, OSD core functions continued with little to no disruption during the transition to remote work during the COVID-19 emergency. OSD also monitors the COMMBUYS website/application and is in constant communication with the vendor that maintains that system to ensure that it remains functioning and accessible to the user community.
Auditor’s Reply
Based on its response, OSD has taken measures to address our concerns on this matter.
Date published: April 25, 2024