The Examination Of Information Technology Related Controls At The George Fingold Library
JANUARY 6, 2011 · Information Technology Related Controls At The George Fingold Library · Read the full official report (PDF) ↗
source
“Our audit indicated that although the Commonwealth’s Information Technology Division (ITD) generates and stores backup copies of data files for the automated systems used by the George Fingold Library, the Library does not have a sufficiently detailed business continuity plan for recovering business operations.”
Read the plain-English breakdown
This is a follow-up State Auditor review of the George Fingold Library’s technology controls, focused on disaster recovery and business continuity.
“The Office of the State Auditor’s audit was limited to a review of IT general controls regarding disaster recovery and business continuity planning.”
Auditors wanted to see whether the library fixed earlier problems with disaster recovery and keeping operations going during an emergency.
“Our primary objective was to determine whether corrective action had been taken to implement recommendations regarding disaster recovery and business continuity planning as identified in our prior audit report issued on June 28, 2006.”
State agencies are supposed to plan ahead so public services can continue during emergencies, disasters, or system failures.
“State agencies have been required to document their planning efforts for the continuity of operations and government per executive orders of the governor.”
For residents, this matters because the State Library provides public access to government documents and research materials, including online resources.
“The general public and state government employees have access to databases and other online resources.”
The technology backup issue was considered resolved, but the broader plan for continuing library services was still not strong enough.
“Although the Library has a documented COOP, the plan lacks sufficient detail to serve as a business continuity plan.”
The auditor recommended that the library create a fuller plan, test it where possible, formally approve it, and keep it updated.
“We recommend that the business continuity plan and COOP be formally reviewed, tested to the degree possible, and approved.”
The main significance is that the library depended on key systems and public services, but its emergency operating plan did not clearly explain who would do what, where work would happen, or what resources would be available.
“Essentially, the Library needs to develop a more detailed business continuity plan that will provide sufficient guidance to enable recovery of essential Library operations and research capabilities.”
A COOP is a Continuity of Operations Plan: a document that should explain how the library keeps essential services running if normal operations are disrupted.
“Although the Library has a documented Continuity of Operations Plan (COOP), the plan does not contain detailed instructions for recovering business operations and had not been reviewed, approved, or tested.”
What the Auditor checked
- Partially Determine whether corrective action had been taken to implement recommendations regarding disaster recovery and business continuity planning as identified in the prior audit report issued on June 28, 2006.
- Did not comply Determine whether the George Fingold Library had a documented business continuity plan that outlines strategies to regain business operations should IT systems become inoperable or library operations need to be relocated.
- Complied Determine whether adequate procedures were in place for off-site storage of backup copies of electronic media required for restoration of IT systems used by the Library.
What the Auditor found
Why it matters: The Library may not be able to recover essential operations, research capabilities, access to systems, staff responsibilities, equipment, or alternate site operations after a disruption.
Standard: Executive Order No. 144, Executive Order No. 475, and Executive Order No. 490 required agencies to plan for continuity of operations and government services. ( Executive Order No. 144; Executive Order No. 475; Executive Order No. 490 )
4 recommendations
- Develop a business continuity plan and enhance the current COOP to include instructions necessary for recovery of business operations at an alternate operations site.agency: agreed
- Formally review, test to the degree possible, and approve the business continuity plan and COOP.agency: agreed
- Include detailed staff instructions, recovery responsibilities, contact information, resource needs, equipment acquisition instructions, office space access, and contingencies for hardcopy materials.agency: agreed
- Identify IT capability and application system requirements and the disaster recovery strategy to be executed by ITD.agency: agreed
Agency response & Auditor reply
Agency: "The State Library of Massachusetts will follow the recommendations from the Office of the Auditor and develop a business continuity plan to update our Continuity of Operations Plan (COOP)."
Auditor: "We acknowledge the Library’s goal to update its Continuity of Operations Plan for business continuity and document its planned efforts to provide services to the public from designated remote locations."
Prior findings revisited
"Our current review of disaster recovery planning revealed that the file server that had been located in the State House at the Library had been moved to the Commonwealth’s Information Technology Division’s (ITD) primary data center, which provides on-site and off-site backup services for Library files."
"Although the Library has a documented Continuity of Operations Plan (COOP), the plan has not been enhanced to include instructions necessary for continuation of operations to provide library-related services at an alternate location."