The Operational Services Division Relies on an Information Security Incident Response Plan and Procedures That Do Not Include All Required Elements.

Without an adequate information security incident response plan and procedures, OSD cannot ensure that it takes sufficient containment measures when it identifies a security event and completes proper documentation, investigation, risk analysis, and impact analysis.

Overview

The information security incident response plan and procedures on which OSD relies do not include guidance for implementing corrective actions or post-incident analysis, criteria for business recovery, data backup processes, an analysis of legal requirements for reporting IT system compromises, or incident response procedures from required external parties.

Authoritative Guidance

EOTSS’s Information Security Incident Management Standard IS.009 states,

6.5.1. Incident response procedures

    Commonwealth offices and agencies must document procedures for responding to security incidents to limit further damage to the Commonwealth’s information assets. Procedures shall include:

    6.5.1.1. Identification of the cause of the incident
    6.5.1.2. Execution of corrective actions
    6.5.1.3. Post-incident analysis
    6.5.1.4. Communication strategy

6.5.2. Incident response plan

    Commonwealth Offices and Agencies shall establish an incident response plan. The incident response plan shall include, at a minimum:

    6.5.2.1. Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of required internal and external parties.
    6.5.2.2. Specific incident response procedures.
    6.5.2.3. Execution of corrective actions and post-incident analysis.
    6.5.2.4. Establish criteria to activate business recovery and continuity processes. . . .
    6.5.2.5. Data backup processes. . . .
    6.5.2.6. Analysis of legal requirements for reporting [IT system] compromises.
    6.5.2.7. Reference or inclusion of incident response procedures from required external parties.

Reasons for Issue

OSD management stated that its information security incident response management functions are handled by the Executive Office for Administration and Finance and EOTSS.

Recommendation

OSD should establish information security incident response procedures for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.

Auditee’s Response

As discussed with the audit staff, information security for OSD internal systems and applications is managed by [the Executive Office for Administration and Finance] staff embedded within OSD, and information security for Commonwealth enterprise applications utilized by OSD staff is managed by EOTSS. However, OSD acknowledges that it does not have a written plan that is fully compliant with EOTSS’s Information Security Incident Management Standard IS.009 and will develop a compliant written information security incident response plan.

Auditor’s Reply

We acknowledge that EOTSS and the Executive Office for Administration and Finance (as the oversight agency and secretariat agency, respectively) play a role in ensuring that OSD has a sufficient information security incident response plan and procedures. Nonetheless, OSD is required to develop an information security incident response plan that complies with EOTSS’s Information Security Incident Management Standard IS.009. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all executive branch agencies, including OSD, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.”

Based on its response, OSD is taking measures to address our concerns on this matter.

Date published: April 25, 2024