The Examination Of Information Technology Controls At The Sex Offender Registry Board
FEBRUARY 15, 2011 · Sex Offender Registry Board · Read the full official report (PDF) ↗
source
“Based on our audit at the Sex Offender Registry Board (SORB), we found that IT resources, including the file servers and workstations installed at the SORB’s office in Salem, were adequately safeguarded and environmentally protected.”
Read the plain-English breakdown
This is a Massachusetts State Auditor review of technology controls at the Sex Offender Registry Board, plus a check on whether older audit problems had been fixed.
“Our current audit was limited to a review of certain IT general controls over and within the SORB’s IT environment and a follow-up review to determine whether corrective actions had been taken to address the audit results and recommendations in our prior audit report, No. 2006-1408-3S.”
The audit checked whether SORB’s technology rules, safeguards, and procedures were strong enough to support its work.
“Our primary audit objective was to determine whether SORB’s IT-related internal control environment and documented policies and procedures provided reasonable assurance that control objectives would be achieved to support their business functions.”
SORB’s systems support public safety information about sex offenders, so weak technology planning could affect important services.
“These functions serve to provide the public with information to raise the level of safety in the community.”
For residents, the practical issue is whether the systems that help track and release sex offender information are reliable, secure, and available when needed.
“The SORB’s classification of a sex offender determines if and how information pertaining to an offender may be released to the public.”
Most reviewed controls were adequate, and prior audit issues were resolved, but SORB still needed a stronger tested plan for continuing operations during a serious IT outage.
“Although the SORB had developed certain controls regarding business continuity planning, we found that it needed to strengthen controls to provide reasonable assurance that normal business operations could be resumed in a timely manner should automated resources be unavailable for an extended period.”
SORB said it would work with state technology and public safety officials to improve disaster recovery and business continuity planning.
“The SORB will continue to work with the SCIO and OTIS to address these findings and establish agency processes and protocols that provide clear direction for staff to ensure the integrity of essential services and resources is maintained.”
The main risk was not day-to-day security, but whether SORB could recover fast enough if key systems went down for a long time.
“Depending on the nature and extent of a loss of IT systems or processing, the SORB could experience difficulties in regaining mission-critical and essential business processes within an acceptable period of time given the absence of a sufficiently comprehensive recovery and business continuity plan specific to the SORB.”
“Business continuity planning” means having practical plans so essential work can continue or restart after a disaster, outage, or loss of computer systems.
“The objective of business continuity planning is to help ensure the continuation of mission-critical and essential functions enabled by technology should a disaster cause significant disruption or loss of computer or network operations.”
What the Auditor checked
- Partially Determine whether SORB’s IT-related internal control environment and documented policies and procedures provided reasonable assurance that control objectives would be achieved to support its business functions.
- Complied Determine the extent and nature of corrective actions taken by SORB to address prior audit results and recommendations.
What the Auditor found
Why it matters: Without a sufficiently comprehensive recovery and business continuity plan, the SORB could have difficulty restoring mission-critical and essential business processes within an acceptable period after a loss of IT systems or processing.
Standard: Generally accepted industry practices and standards for computer operations support an ongoing business continuity planning process that assesses system criticality and develops contingency and recovery plans. ( Chapter 11, Section 12, of the Massachusetts General Laws; Control Objectives for Information and Related Technology (CobiT version 4.1) )
4 recommendations
- Review disaster scenarios regarding loss of IT systems and develop and update recovery and business continuity strategies for each scenario.agency: agreed
- Designate an alternate processing site and test a documented disaster recovery plan.agency: agreed
- Perform an enterprise-based risk analysis and criticality assessment of IT systems and related capabilities.agency: agreed
- Develop and perform testing to provide assurance that recovery and business continuity plans are viable.agency: agreed
Agency response & Auditor reply
Agency: "The Sex Offender Registry Board (SORB) has reviewed the OSA findings and recommendations regarding business continuity and disaster recovery planning, and is working with the Executive Office of Public Safety and Security (EOPSS) Office of the Secretariat Chief Information Officer (SCIO) to implement the steps necessary to address the areas of concern referenced within the audit."
Auditor: "We acknowledge that SORB recognizes the need to enhance its business continuity and disaster recovery planning to address the areas of concern referenced within our audit report."
Prior findings revisited
"Our current audit determined that these prior audit results had been resolved."
"Our current audit disclosed that this matter had been resolved and SORB was registering and billing sex offenders for the annual fee."
More audits of this entity
Other Office of the State Auditor reports on Sex Offender Registry Board , including the prior audits referenced above.
- Sex Offender Registry Board (SORB)Authority / Commission · September 26, 2017
- Audit of the Sex Offender Registry Board (October 25, 2023)Authority / Commission · October 25, 2023