Official Audit Report Issued July 14, 2011

Similar documents
The Commonwealth of Massachusetts

University of Massachusetts Medical School's Data Center Relocation For the period July 1, 2008 through August 31, 2010

The Commonwealth of Massachusetts

The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH

Sample audit - A Review of the IT Department (PCDA)

The Commonwealth of Massachusetts

The Commonwealth of Massachusetts

Massachusetts State College Building Authority For the period July 1, 2009 through June 30, 2011

Information System Audit Report Office Of The State Comptroller

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

MULTI-AGENCY EMERGENCY PREPAREDNESS AT SELECTED STATE AGENCIES. Report 2007-S-29 OFFICE OF THE NEW YORK STATE COMPTROLLER

Ohio Supercomputer Center

DEPARTMENT OF ALCOHOLIC BEVERAGE CONTROL REPORT ON AUDIT FOR THE YEAR ENDED JUNE 30, 2012

SAMPLE IT CONTINGENCY PLAN FORMAT

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH

Tailored Technologies LLC

The Commonwealth of Massachusetts

Division of Insurance Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014

Advisory Guidelines of the Financial Supervision Authority. Requirements for Organising the Business Continuity Process of Supervised Entities

Maryland Transportation Authority

MCDONOUGH COUNTY, ILLINOIS MANAGEMENT LETTER. For the Year Ended November 30, 2014

MANAGEMENT AUDIT REPORT SECURING CRITICAL DATA CITYWIDE REPORT NO City of Albuquerque Office of Internal Audit and Investigations

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL

University of Michigan Disaster Recovery / Business Continuity Administrative Information Systems 4/6/2004 1

Building and Maintaining a Business Continuity Program

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

REPORT NO OCTOBER 2012 UNIVERSITY OF FLORIDA. Operational Audit

February 22, Dear Ms. Kastrin:

Workers' Compensation Board

Disaster Recovery Policy

Our Colorado region is offering a FREE Disaster Recovery Review promotional through June 30, 2009!

Attachment #2. BUSINESS CONTINUITY PLAN Plan Development Guidelines

COMMUNITY SERVICES BOARD PERFORMANCE AUDIT

The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH

Unit Guide to Business Continuity/Resumption Planning

Hanh Do, Director, Information System Audit Division, GAA. SUBJECT: Review of HUD s Information Technology Contingency Planning and Preparedness

Virginia Commonwealth University School of Medicine Information Security Standard

Sound Transit Internal Audit Report - No

Maintenance Connection Disaster Recovery Plan

Disaster Recovery and Business Continuity Plan

Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

INFORMATION TECHNOLOGY CONTROLS

Business Continuity Plan

Processing Sites for Commonwealth Agencies

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

Business Continuity Management Review

Connecticut Sports Foundation, Inc. (CSF) RECORD RETENTION AND DESTRUCTION POLICY

BERNARD HEROLD & CO., INC. BUSINESS CONTINUITY PLAN

STATE OF NEW HAMPSHIRE LIQUOR COMMISSION MANAGEMENT LETTER FOR THE FISCAL YEAR ENDED JUNE 30, 2014

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

LOCAL GOVERNMENT MANAGEMENT ASSESSMENT OVERVIEW AND QUESTIONNAIRE

AMERICAN INVESTORS GROUP, INC. BUSINESS CONTINUITY PLAN (BCP)

Information Technology Division

TOWN OF TEWKSBURY, MASSACHUSETTS MANAGEMENT LETTER JUNE 30, 2013

University System of Maryland University of Maryland Biotechnology Institute

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of the Riskmetrics system in the Investment Management Division of UNJSPF

SCHEDULE 25. Business Continuity

Maryland State Department of Education

Ms. Debbie Davenport Auditor General Office of the Auditor General 2910 North 44 th Street, Suite 410 Phoenix, Arizona Dear Ms.

How To Read A Commonwealth Of Massachusetts Senate Statement Of Available Resources And Expenditures

University of Massachusetts System For the period July 1, 2009 through June 30, 2012

ITSM Tools Operation Continuity Plan Example

REGIONAL CENTER DISASTER RECOVERY PLAN

DEPARTMENT OF CIVIL SERVICE HEALTH INSURANCE PREMIUMS FOR PARTICIPATING EMPLOYERS. Report 2007-S-83 OFFICE OF THE NEW YORK STATE COMPTROLLER

U.S. Department of the Interior Office of Inspector General AUDIT REPORT

(Mr. Krirk Vanikkul) Assistant Governor, Financial Institutions Policy Group Governor For

B U S I N E S S C O N T I N U I T Y P L A N

EXECUTIVE SUMMARY. We found that back-up activities were reasonably effective to minimize data loss but that improvements were needed in the areas of:

DRAFT Disaster Recovery Policy Template

Decision on adequate information system management. (Official Gazette 37/2010)

Office of Information Technology E-Government Services

Executive Office of Health and Human Services and Its Departments Administration of Cell Phones For the period January 1, 2012 through June 30, 2013

4) Suspension of Record Disposal In Event of Litigation or Claims

The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division

Administration Department. {Insert Name of Organization} Operating Policy Record Retention and Destruction

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

NEW YORK STATE INSURANCE FUND INTERNAL CONTROLS OVER SELECTED FINANCIAL OPERATIONS. Report 2005-S-57 OFFICE OF THE NEW YORK STATE COMPTROLLER

Prudential Practice Guide

Department of Finance. Strategic Plan California s Fiscal Policy Experts

SCHEDULE 25. Business Continuity

July 30, Internal Audit Report Information Technology Business Continuity Plan Information Technology Department

815 CMR 9.00: DEBT COLLECTION AND INTERCEPT. Section

FEDERAL ELECTION COMMISSION OFFICE OF INSPECTOR GENERAL

Audit of Case Activity Tracking System Security Report No. OIG-AMR

NASCIO STATE RECOGNITION AWARDS 2015

815 CMR: COMPTROLLER'S DIVISION 815 CMR 9.00: DEBT COLLECTION AND INTERCEPT. Section

Financial Audit Division Office of the Legislative Auditor State of Minnesota

July 6, Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

University of Ulster Policy Cover Sheet

Comptroller of Maryland Information Technology Division Annapolis Data Center Operations

Business Continuity Plan (BCP)

Table Of Contents. iii

ICT Disaster Recovery Plan

Massachusetts College of Art and Design Student Financial Assistance Programs - Follow-up For the period July 1, 2010 through June 30, 2011

STATE OF NORTH CAROLINA

Massachusetts Bay Community College Student Financial Assistance Programs - Follow Up For the period July 1, 2010 through June 30, 2011

Office of Inspector General

Transcription:

Official Audit Report Issued July 14, 2011 Information Technology Controls Pertaining to Business Continuity Planning for the Office of the State Treasurer and Receiver General For the period January 1, 2010 through December 31, 2010 State House Room 230 Boston, MA 02133 auditor@sao.state.ma.us www.mass.gov/auditor

TABLE OF CONTENTS/EXECUTIVE SUMMARY TABLE OF CONTENTS/EXECUTIVE SUMMARY INTRODUCTION 1 The State Treasurer and Receiver General, an elected constitutional officer of the Commonwealth, has direct jurisdiction over the Office of the Treasurer and Receiver General (OST), the State Board of Retirement, the Alcoholic Beverages Control Commission, and the Veterans Welcome Home Bonus program. In addition, the State Treasurer is the chairperson of the State Lottery Commission, the School Building Authority, the Massachusetts Water Pollution Abatement Trust, and the Pension Reserves Investment Management (PRIM) Board, and is the sole trustee of the Commonwealth s Deferred Compensation Plan. The OST is responsible for a variety of important financial functions, as established by Chapter 10, Sections 1 through 69, of the Massachusetts General Laws, including receiving, managing, and investing all funds paid to the Commonwealth; issuing and managing the state s debt; paying state employees and retirees; administering the pension system for state employees and retirees; oversight of tax-deferred retirement savings accounts for over 280,000 government workers; processing and paying the Commonwealth s bills in concert with the Office of the State Comptroller (OSC); managing the Unpaid Check Fund; receiving, safeguarding, and liquidating abandoned property; and making local aid distributions. In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we performed an audit of selected information technology- (IT) related controls regarding disaster recovery and business continuity planning at OST for the period January 1, 2010 through December 31, 2010. Our examination included a review of the 36 various application systems involved in the electronic data backup process of OST; the areas under its direct jurisdiction, including the State Board of Retirement, the Alcoholic Beverages Control Commission, and the Veterans Welcome Home Bonus program; and the Massachusetts Water Pollution Abatement Trust. These application systems govern such functions as OST s cash management, state retirement, payment processing, legislative payroll, and unclaimed property systems. Based on our review, we have concluded that, except for the issues addressed in the Audit Results section of this report, during the period January 1, 2010 through December 31, 2010, the OST maintained adequate disaster recovery and business continuity planning for business operations supported by technology and had adequate on-site and off-site storage of backup copies of magnetic media. AUDIT RESULTS 4 BUSINESS CONTINUITY PLANNING 4 Our audit found that OST lacked sufficiently detailed and approved disaster recovery and business continuity plans. Although there is a reasonable likelihood that OST would be able to resume mission-critical business operations, and backup files are generated and electronically transferred to off-site locations, we found that the documentation of the strategies for recovering information technology (IT) capabilities needed to be strengthened given then critical nature of the data in OST's systems (including data related to funds paid i

TABLE OF CONTENTS/EXECUTIVE SUMMARY to the Commonwealth, issuing and managing the state s debt, paying state employees and retirees, administering the pension system for state employees and retirees, etc.). The OST has taken steps to minimize the risk of being unable to recover IT processing should IT systems be rendered inoperable; however, further efforts at documenting its recovery strategies for IT and related business operations are needed to provide increased assurance that business operations can be recovered within an acceptable time period. We noted that the OST did have a draft disaster recovery plan, last updated January 2011, and a draft business continuity plan for the Division of Cash Management, last updated as of February 2011; however, an enterprise-based disaster recovery and business continuity plan for the entire OST did not exist. In addition, OST has not documented a risk assessment, taking into account different scenarios under which IT resources might be rendered inoperable or unobtainable. ii

INTRODUCTION INTRODUCTION Background The State Treasurer and Receiver General, an elected constitutional officer of the Commonwealth, has direct jurisdiction over the Office of the Treasurer and Receiver General (OST), the State Board of Retirement, the Alcoholic Beverages Control Commission, and the Veterans Welcome Home Bonus program. In addition, the State Treasurer is the chairperson of the State Lottery Commission, the School Building Authority, the Massachusetts Water Pollution Abatement Trust, and the Pension Reserves Investment Management (PRIM) Board, and is the sole trustee of the Commonwealth s Deferred Compensation Plan. The OST is responsible for a variety of important financial functions, as established by Chapter 10, Sections 1 through 69, of the Massachusetts General Laws, including receiving, managing, and investing all funds paid to the Commonwealth; issuing and managing the state s debt; paying state employees and retirees; administering the pension system for state employees and retirees; oversight of tax-deferred retirement savings accounts for over 280,000 government workers; processing and paying the Commonwealth s bills in concert with the Office of the State Comptroller (OSC); managing the Unpaid Check Fund; receiving, safeguarding, and liquidating abandoned property; and making local aid distributions. The fiscal year 2011 OST-approved state budget included seven appropriations, excluding the State Lottery Commission. The total amount for these seven appropriations for fiscal year 2011 was approximately $15 million. Audit Scope, Objectives, and Methodology In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we performed an audit of selected information technology (IT) related controls regarding disaster recovery and business continuity planning at the Office of the State Treasurer and Receiver General (OST) for the period January 1, 2010 through December 31, 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Our audit was also conducted in accordance with generally accepted industry practices. Audit criteria included generally accepted management control practices as noted in Executive Order 490 1

INTRODUCTION and in Control Objectives for Information and Related Technology (CobiT version 4.1), as issued by the Information Systems Audit and Control Association, July 2007. The scope of our audit was to assess the extent to which OST had addressed disaster recovery and business continuity planning for business operations supported by technology and had in place adequate on-site and off-site storage of backup copies of magnetic media. Our audit included an assessment of OST s capabilities to restore mission-critical application systems and related business processes and partner with the Commonwealth s Information Technology Division (ITD) for business continuity support. Our examination included a review of the 36 various application systems involved in the electronic data backup process of OST; the areas under its direct jurisdiction, including the State Board of Retirement, the Alcoholic Beverages Control Commission, and the Veterans Welcome Home Bonus program; and the Massachusetts Water Pollution Abatement Trust. These application systems govern such functions as OST s cash management, state retirement, payment processing, legislative payroll, and unclaimed property systems. We evaluated whether an effective disaster recovery and business continuity plan had been developed and adequate resources would be available to provide reasonable assurance that missioncritical and essential business operations would be efficiently recovered should IT operations be rendered inoperable or inaccessible for an extended period of time. We evaluated whether the disaster recovery and business continuity plan had been tested, reviewed, and approved to provide reasonable assurance of the plan s viability. In this regard, our objective was to also assess whether backup copies of electronic application systems and data files were being generated and stored at secure on-site and off-site locations. Because OST is dependent upon Massachusetts Information Technology Division s (ITD) Massachusetts Information Technology Center (MITC) for the operation of application systems that support budgetary and human resource functions, we determined whether OST and ITD had collaborated on identifying IT recovery requirements to support implementation of appropriate business continuity plans. We also identified the degree of assistance provided by ITD to assist OST in developing viable business continuity plans. We determined whether ITD provided alternate processing and backup storage facilities and has disaster recovery plans in place to ensure timely restoration of those OST systems and data files supported by MITC. 2

INTRODUCTION To determine the audit scope and objectives, we conducted pre-audit work that included obtaining and recording an understanding of relevant operations and performing a preliminary review concerning disaster recovery and business continuity planning at OST. We obtained a high-level understanding of the OST s IT environment, identified mission-critical application systems, and conducted a high-level risk assessment pertaining to disaster recovery. Upon completion of our preaudit work, we determined the scope and objectives of the audit. We interviewed senior management to obtain an understanding of OST's internal control environment, primary business functions, and stated controls. We obtained an understanding of OST s mission-critical functions and application systems by requesting, obtaining, and reviewing ITrelated documentation. We interviewed agency officials regarding contingency planning, and IT staff regarding the provision of IT functions for the OST. Documentation requested included OST s plans for the continuation of business operations, such as continuity of operations plans, business continuity plans, and disaster recovery plans. We also interviewed ITD staff who were assigned business continuity planning responsibilities to determine the extent of disaster recovery and business continuity services provided to the OST. In addition, we determined the extent to which OST complied with generally accepted control practices for disaster recovery. Based on our review, we have concluded that, except for the issues addressed in the Audit Results section of this report, during the period January 1, 2010 through December 31, 2010, the OST maintained adequate disaster recovery and business continuity planning for business operations supported by technology and had adequate on-site and off-site storage of backup copies of magnetic media. 3

AUDIT RESULTS AUDIT RESULTS BUSINESS CONTINUITY PLANNING Our audit found that the Office of the State Treasurer and Receiver General (OST) lacked sufficiently detailed and approved disaster recovery and business continuity plans. Although there is a reasonable likelihood that OST would be able to resume mission-critical business operations, and backup files are generated and electronically transferred to off-site locations, we found that the documentation of the strategies for recovering information technology (IT) capabilities needed to be strengthened given then critical nature of the data in OST's systems (including data related to funds paid to the Commonwealth, issuing and managing the state s debt, paying state employees and retirees, administering the pension system for state employees and retirees, etc.). The OST has taken steps to minimize the risk of being unable to recover IT processing should IT systems be rendered inoperable; however, further efforts at documenting its recovery strategies for IT and related business operations are needed to provide increased assurance that business operations can be recovered within an acceptable time period. We noted that the OST did have a draft disaster recovery plan last updated January 2011 and a draft business continuity plan for the Division of Cash Management, last updated as of February 2011; however, an enterprise-based disaster recovery and business continuity plan for the entire OST did not exist. OST s two data centers are located within five miles of each other at One Ashburton Place in Boston and the Massachusetts Information Technology Center (MITC) in Chelsea. Each data center functions as a primary processing location as well as a backup processing site for the other IT facility. OST utilizes the two data centers to ensure timely recovery of mission-critical and essential functions should an event render applications or data information inoperable or inaccessible at either of the locations. As a general rule, data centers that support mission-critical business operations and also serve as back-up sites are recommended to be located within separate power grids and at a sufficient distance where they would not be impacted by area-wide disasters. OST has performed a successful self-failover recovery test exercise between the two data center locations using backup copies of data and system applications to restore processing capabilities. In addition, it participated in a successful recovery test of the Massachusetts Management Accounting and Reporting System (MMARS) in November of 2007 in conjunction with Massachusetts Information Technology Division (ITD) at MITC. Furthermore, four designated OST employees 4

AUDIT RESULTS have virtual private network (VPN) access capabilities to assist them in performing disaster recovery tasks in a timely manner. Planning for a disaster can have many steps or phases in order to minimize the impact on business operations. A business continuity plan should be sufficiently detailed to guide an organization s recovery efforts and encompass a disaster recovery plan and user area plans. OST s business process owners and IT operations should collaborate with the ITD to develop formal documented and approved plans. In the event of an emergency or disruption of IT services that is specific to either one of the two data centers, OST will execute its recovery effort rather than relying on ITD for restoration of the OST-owned application systems. We note that OST, like other state agencies, relies on technology not under its control. For example, OST relies on such technology to support the Commonwealth s accounts payable function to print hardcopy checks, generate electronic checks, and electronically transfer funds. During fiscal year 2010, OST printed over 1.2 million paper checks and generated almost 5 million electronic check transactions. Regarding the generation and off-site storage of backup copies of application systems and data files, OST performs daily backups of its electronic processing systems at each location. Daily backups are generated at both OST data centers with backup copies sent to a secure vendor-owned storage facility outside of Boston. The off-site tapes are cycled regularly every two weeks. In addition, each data center electronically transfers transactions to the other data center. OST is dependent on the Massachusetts Management Accounting and Reporting System (MMARS) and the Human Resources/Compensation Management Systems (HR/CMS) for financial accounting and human resource management, which are both located at MITC. In regards to MITC, although the ITD performs an annual disaster recovery test at the out-of-state vendorsupported Sungard facility in New Jersey, the recovery testing is limited to only a portion of the application systems supported at the center. At the time of the audit, the state did not have an alternative processing facility owned by the Commonwealth for the systems operated at MITC. However, ITD is in the process of establishing a second data center as an alternate processing and backup site in western Massachusetts. State agencies, per executive orders of the governor, have been required to perform and document their planning efforts for the continuity of operations and government. However, OST is a 5

AUDIT RESULTS constitutional office and as such does not report to the governor. Per Executive Order 490, Executive Branch agencies are required to maintain plans for the continuation of government services in the event of a disaster. These business continuity plans should be incorporated into the daily operations of every secretariat and agency in the executive department, should be reviewed on a regular basis, and tested regularly for those agencies responsible for supplying services during emergencies. With respect to helping to minimize potential risks to IT operations caused by environmental conditions, we found that there were appropriate environmental protection controls in place over the IT environment for OST s two data centers. For example, OST s two data centers, which contain a total of 38 servers, were well maintained and had fire detection and suppression equipment, backup air-conditioning, and an uninterruptible power supply (UPS). Business continuity plans should be tested to validate their viability and to reduce both the risk of errors and omissions as well as the time needed to restore computer operations. In addition, an effective recovery plan should provide specific instructions for various courses of action to address different types of disaster scenarios that would render IT systems inoperable. Specifically, the plan should identify how essential services would be provided for each scenario without the full use of the data processing facility, and the manner and order in which processing resources would be restored or replaced. Furthermore, the plan should identify the policies and procedures to be followed, including details of the logical order for restoring critical data processing functions, either at the original site or at an alternate site. The plan would also identify and explain the tasks and responsibilities necessary to transfer and safeguard backup magnetic copies of data files, program software, and system documentation from off-site storage to the site being used for restoration efforts. Sound management practices, as well as industry and government standards, support the need for comprehensive and effective backup procedures and business continuity plans for organizations that depend on technology for information processing. Contingency planning should be viewed as a process to be incorporated within an organization, rather than as a project completed upon the drafting of a formal documented plan. Since the criticality of systems may change, a process should be in place that will identify a change in criticality and amend the contingency plans accordingly. System modifications to IT equipment configurations and user requirements should be assessed in terms of their impact to existing business continuity plans. 6

AUDIT RESULTS Recommendation We recommend that OST strengthen its business continuity process by enhancing and documenting its recovery strategies to regain mission-critical and essential processing within acceptable time periods. OST needs to ensure that the office-wide disaster recovery and business continuity plan adequately documents recovery strategies with respect to various disaster scenarios, and contains all pertinent information required to effectively and efficiently recover IT and business operations. In addition, OST should develop user area plans to document contingencies and the steps to be followed to continue business operations to the extent possible should IT resources become unavailable. We recommend that all recovery and business continuity planning documents be available in hardcopy and electronic media and stored off-site in secure and accessible locations. In collaboration with ITD, OST should establish procedures to ensure that the criticality of systems is evaluated and business continuity requirements are assessed on an annual basis, or upon major changes to user requirements, the automated systems, or business requirements. As part of business continuity planning, OST should incorporate a strategy in which it collaborates with the Division of Capital Asset Management in the event that an additional alternate processing site is needed to ensure the continuity of operations. Furthermore, although not explicitly required, we recommend that OST use Executive Order No. 490 for further guidance to address continuity of operations and business continuity planning. Auditee s Response The OST agrees that its office-wide disaster recovery and business continuity plan documents need to be strengthened. The OST is discussing internally the process to strengthen the documentation of its plan and has had discussions with the Office of the State Comptroller regarding collaboration between OST and OSC for certain key processes. OST will also utilize the recommendations provided by OSA in its process. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information