Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

The Examination Of Information Technology Related Controls At The George Fingold Library

JANUARY 6, 2011 · Information Technology Related Controls At The George Fingold Library · Read the full official report (PDF) ↗

Published JANUARY 6, 2011 Audit covers June 29, 2006 – April 13, 2010 Under A. Joseph DeNucci · 1987–2011

In plain English
The library’s computer backups were being handled, but its plan for keeping services running after a major disruption was still too vague and untested.
source
“Our audit indicated that although the Commonwealth’s Information Technology Division (ITD) generates and stores backup copies of data files for the automated systems used by the George Fingold Library, the Library does not have a sufficiently detailed business continuity plan for recovering business operations.”
Read the plain-English breakdown
What is this?

This is a follow-up State Auditor review of the George Fingold Library’s technology controls, focused on disaster recovery and business continuity.

“The Office of the State Auditor’s audit was limited to a review of IT general controls regarding disaster recovery and business continuity planning.”
Why was it audited?

Auditors wanted to see whether the library fixed earlier problems with disaster recovery and keeping operations going during an emergency.

“Our primary objective was to determine whether corrective action had been taken to implement recommendations regarding disaster recovery and business continuity planning as identified in our prior audit report issued on June 28, 2006.”
Why it matters

State agencies are supposed to plan ahead so public services can continue during emergencies, disasters, or system failures.

“State agencies have been required to document their planning efforts for the continuity of operations and government per executive orders of the governor.”
What's in it for me?

For residents, this matters because the State Library provides public access to government documents and research materials, including online resources.

“The general public and state government employees have access to databases and other online resources.”
The bottom line

The technology backup issue was considered resolved, but the broader plan for continuing library services was still not strong enough.

“Although the Library has a documented COOP, the plan lacks sufficient detail to serve as a business continuity plan.”
What happens next

The auditor recommended that the library create a fuller plan, test it where possible, formally approve it, and keep it updated.

“We recommend that the business continuity plan and COOP be formally reviewed, tested to the degree possible, and approved.”
Why it's significant

The main significance is that the library depended on key systems and public services, but its emergency operating plan did not clearly explain who would do what, where work would happen, or what resources would be available.

“Essentially, the Library needs to develop a more detailed business continuity plan that will provide sufficient guidance to enable recovery of essential Library operations and research capabilities.”
Jargon, unpacked

A COOP is a Continuity of Operations Plan: a document that should explain how the library keeps essential services running if normal operations are disrupted.

“Although the Library has a documented Continuity of Operations Plan (COOP), the plan does not contain detailed instructions for recovering business operations and had not been reviewed, approved, or tested.”

What the Auditor checked

What the Auditor found

The Library's continuity plan lacked the detail needed to continue library services at an alternate location.
internal controlsrecordkeeping/documentationpublic safety

Why it matters: The Library may not be able to recover essential operations, research capabilities, access to systems, staff responsibilities, equipment, or alternate site operations after a disruption.

Standard: Executive Order No. 144, Executive Order No. 475, and Executive Order No. 490 required agencies to plan for continuity of operations and government services. ( Executive Order No. 144; Executive Order No. 475; Executive Order No. 490 )

4 recommendations
  • Develop a business continuity plan and enhance the current COOP to include instructions necessary for recovery of business operations at an alternate operations site.agency: agreed
  • Formally review, test to the degree possible, and approve the business continuity plan and COOP.agency: agreed
  • Include detailed staff instructions, recovery responsibilities, contact information, resource needs, equipment acquisition instructions, office space access, and contingencies for hardcopy materials.agency: agreed
  • Identify IT capability and application system requirements and the disaster recovery strategy to be executed by ITD.agency: agreed
Agency response & Auditor reply
Agency: "The State Library of Massachusetts will follow the recommendations from the Office of the Auditor and develop a business continuity plan to update our Continuity of Operations Plan (COOP)."
Auditor: "We acknowledge the Library’s goal to update its Continuity of Operations Plan for business continuity and document its planned efforts to provide services to the public from designated remote locations."

Prior findings revisited

Fixed
"Our current review of disaster recovery planning revealed that the file server that had been located in the State House at the Library had been moved to the Commonwealth’s Information Technology Division’s (ITD) primary data center, which provides on-site and off-site backup services for Library files."
Still a problem
"Although the Library has a documented Continuity of Operations Plan (COOP), the plan has not been enhanced to include instructions necessary for continuation of operations to provide library-related services at an alternate location."