Offered by: Office of the State Auditor

The Sex Offender Registry Board Does Not Have a Documented and Tested Business Continuity Plan and Disaster Recovery Plan

SORB does not have a documented and tested business continuity plan and disaster recovery plan to restore mission-critical and essential business functions in the event of an emergency.

Overview

SORB does not have a documented and tested business continuity plan and disaster recovery plan to restore mission-critical and essential business functions in the event of an emergency. Without a business continuity plan and disaster recovery plan, employees may not be sufficiently trained in performing recovery efforts, including those related to SORB’s mission-critical applications.

Although the Executive Office of Technology Services and Security (EOTSS) provides offsite storage of SORIS2 in the form of electronic backup copies and magnetic media copies, SORB does not have offsite storage to restore SORIS2 in the event of an unforeseen interruption in its business operations.

As a result, SORB may be vulnerable to a disruption of services that could negatively affect its mission if its information technology systems are inoperable for an extended period.

Authoritative Guidance

Section 6 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, effective October 15, 2018, states,

    Commonwealth Executive Offices and Agencies must establish a Business Continuity Program. . . .

    6.1.1.4 Develop business continuity plans (BCP): Each agency shall develop BCPs for critical business processes based on prioritization of likely disruptive events in light of their probability, severity and consequences for information security identified through the [business impact analysis] and risk assessment processes.

    6.1.1.4.1 BCPs shall address both manual and automated processes used by the agency and document minimum operating requirements to resume critical functions/applications in an appropriate period of time. . . .

    6.2.1 Commonwealth Executive Offices and Agencies must develop and maintain processes for disaster recovery plans at both onsite primary Commonwealth locations and at alternate offsite locations. . . .

    6.2.2 Commonwealth Executive Offices and Agencies must ensure that [disaster recovery] plans shall be tested annually.

Reasons for Noncompliance

SORB management stated that they rely on EOTSS for business continuity planning and disaster recovery of SORIS2 data.

Recommendations

  1. SORB should develop, document, and test a business continuity plan and disaster recovery plan.
  2. SORB should select an offsite location to recover SORIS2 data. Once the site has been selected, SORB should update and test its disaster recovery plan and incorporate any test results into the plan.

Auditee’s Response

SORB did not have an updated business continuity plan and disaster recovery plan to restore mission-critical and essential business functions during the audit period due to its office move in 2019. SORB did provide OSA with a continuity plan for its electronic databases provided by the Executive Office of Technology Services and Security (EOTSS). SORB has since finalized a Business Continuity and Disaster Recovery Plan and will test its plan later this summer. All SORB data migrated to OneDrive and SharePoint [digital document management/storage platforms] in the spring of 2022 and is available on the Commonwealth’s cloud-based network managed by the EOTSS. SORIS2 data is managed by [the Department of Criminal Justice Information Services (DCJIS)] and is housed within the Commonwealth’s Data Center, and as such, SORB is not responsible for restoring SORIS2 in the event of an unforeseen interruption. SORB is in constant contact with DCJIS and EOTSS and reports outages and issues when needed.

Auditor’s Reply

The regulations from EOTSS are clear in assigning each agency the responsibility of creating a business continuity plan and disaster recovery plan and stating that each agency should include the minimum operating requirements to restore business functions, applications, and services in a timely manner in these plans.

Based on SORB’s response, it is taking measures to address the concerns raised regarding this matter.

Date published: October 25, 2023
