Information Technology Controls Pertaining to Business Continuity Planning for the Office of the State Treasurer and Receiver General
July 14, 2011 · Read the full official report (PDF) ↗
source
“Our audit found that the Office of the State Treasurer and Receiver General (OST) lacked sufficiently detailed and approved disaster recovery and business continuity plans.”
Read the plain-English breakdown
This is a 2011 state audit of the Massachusetts Treasurer’s technology plans for keeping important operations running after a disruption.
“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we performed an audit of selected information technology (IT) related controls regarding disaster recovery and business continuity planning at the Office of the State Treasurer and Receiver General (OST) for the period January 1, 2010 through December 31, 2010.”
Auditors wanted to see whether the office could recover critical computer systems and had proper backup storage if technology failed or became unavailable.
“The scope of our audit was to assess the extent to which OST had addressed disaster recovery and business continuity planning for business operations supported by technology and had in place adequate on-site and off-site storage of backup copies of magnetic media.”
The Treasurer’s systems support state money, debt, payroll, pensions, bills, and local aid, so downtime could affect many public services and payments.
“The OST is responsible for a variety of important financial functions, as established by Chapter 10, Sections 1 through 69, of the Massachusetts General Laws, including receiving, managing, and investing all funds paid to the Commonwealth; issuing and managing the state’s debt; paying state employees and retirees; administering the pension system for state employees and retirees; oversight of tax-deferred retirement savings accounts for over 280,000 government workers; processing and paying the Commonwealth’s bills in concert with the Office of the State Comptroller (OSC); managing the Unpaid Check Fund; receiving, safeguarding, and liquidating abandoned property; and making local aid distributions.”
If you are a state worker, retiree, vendor, taxpayer, or someone owed state funds, these plans help make sure payments and records can continue after a major disruption.
“These application systems govern such functions as OST’s cash management, state retirement, payment processing, legislative payroll, and unclaimed property systems.”
The office had some safeguards, including backups and tests, but needed stronger written plans covering the whole agency and different disaster situations.
“We noted that the OST did have a draft disaster recovery plan last updated January 2011 and a draft business continuity plan for the Division of Cash Management, last updated as of February 2011; however, an enterprise-based disaster recovery and business continuity plan for the entire OST did not exist.”
The auditors recommended strengthening the plans, documenting recovery steps, keeping copies off-site, reassessing system importance regularly, and coordinating with other state agencies.
“We recommend that OST strengthen its business continuity process by enhancing and documenting its recovery strategies to regain mission-critical and essential processing within acceptable time periods.”
The finding is significant because the auditors believed recovery was likely, but not documented well enough to give strong assurance that critical operations would come back within an acceptable time.
“The OST has taken steps to minimize the risk of being unable to recover IT processing should IT systems be rendered inoperable; however, further efforts at documenting its recovery strategies for IT and related business operations are needed to provide increased assurance that business operations can be recovered within an acceptable time period.”
Business continuity planning means having detailed, tested instructions for how an organization keeps operating and restores technology after a disruption.
“A business continuity plan should be sufficiently detailed to guide an organization’s recovery efforts and encompass a disaster recovery plan and user area plans.”
What the Auditor checked
- Complied Assess whether backup copies of electronic application systems and data files were generated and stored securely on-site and off-site.
What the Auditor found
Why it matters: Without sufficiently documented recovery strategies and user area plans, OST has less assurance that mission-critical IT and business operations can be restored within an acceptable time period after a disruption.
Standard: Generally accepted management control practices, Executive Order 490, and Control Objectives for Information and Related Technology (CobiT version 4.1). ( Chapter 11, Section 12, of the Massachusetts General Laws )
6 recommendations
- OST should strengthen its business continuity process by enhancing and documenting recovery strategies to regain mission-critical and essential processing within acceptable time periods.agency: agreed
- OST should ensure the office-wide disaster recovery and business continuity plan documents recovery strategies for various disaster scenarios and contains information needed to recover IT and business operations.agency: agreed
- OST should develop user area plans for contingencies and steps to continue business operations if IT resources become unavailable.
- OST should keep recovery and business continuity planning documents in hardcopy and electronic media stored off-site in secure and accessible locations.
- OST should collaborate with ITD to annually evaluate system criticality and business continuity requirements, or when major changes occur.
- OST should use Executive Order No. 490 for additional guidance on continuity of operations and business continuity planning.
Agency response & Auditor reply
Agency: "The OST agrees that its office-wide disaster recovery and business continuity plan documents need to be strengthened."