Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

University of Massachusetts Medical School's Data Center Relocation

September 30, 2011 · University of Massachusetts Medical School · Read the full official report (PDF) ↗

Published September 30, 2011 Audit covers July 1, 2008 – August 31, 2010 Under Suzanne M. Bump · 2011–2023

In plain English
UMass Medical School moved its data center and generally had good controls in place, but the auditors found it needed stronger disaster recovery plans and a more formal IT strategy.
source
“However, our audit determined that improvements were necessary in UMMS’s disaster recovery and business continuity planning and in its IT strategic planning.”
Read the plain-English breakdown
What is this?

This is a state IT audit of UMass Medical School’s data center relocation, covering planning, contracts, security, environmental safeguards, and recovery planning.

“In accordance with Chapter 11, Section 12, of the General Laws, we performed an IT audit regarding the relocation of UMMS’s data center for the period July 1, 2008 through August 31, 2010.”
Why was it audited?

The auditor reviewed whether the school had enough controls to manage the move safely and protect the systems in the new data center.

“Our primary audit objective was to determine whether UMMS’s IT-related internal control environment, including policies, procedures, practices, and organizational structure, provided reasonable assurance that control objectives would be met to support UMMS’s project planning and relocation to the new data center.”
Why it matters

If the data center went down, weak recovery planning could slow the return of important computer systems used by the school.

“Nevertheless, UMMS could experience delays in recovering IT operations because its disaster recovery and business continuity plans need to be more comprehensive and detailed.”
What's in it for me?

For ordinary residents, this matters because UMMS is a public institution, and its technology supports education, research, health care work, and administrative services.

“UMMS’s primary mission is to advance the health and well-being of people through pioneering advances in education, research, and health care delivery.”
The bottom line

The move appears to have been handled well overall, but the school needed better written, tested plans for major outages and better long-term IT planning.

“Based on our examination, we have concluded that, except as noted in the Audit Results section of this report, for the period July 1, 2008 through August 31, 2010, adequate internal controls were in place to provide reasonable assurance that IT control objectives would be met regarding IT organization and management, on-site and off-site storage of back-up copies of magnetic tape media, and IT-related service contracts associated with the data center relocation.”
What happens next

The auditor recommended that UMMS improve recovery planning, test plans, clarify responsibilities, train staff, and build a formal IT strategic planning process.

“We recommend that IS adopt an IT strategic planning process in which IT strategic plans are developed in alignment with UMMS’s organizational business strategy.”
Why it's significant

The biggest risk was not that the new data center lacked security or capacity; it was that UMMS did not yet have fully formal, detailed plans for recovery and IT governance.

“Without a comprehensive and well-documented formal business continuity and disaster recovery strategy for all IS functions and operations, UMMS may be unable to recover mission-critical and essential business activities in an acceptable and timely manner.”
Jargon, unpacked

“Disaster recovery and business continuity” means having detailed plans so essential computer systems and business work can restart after a major outage or emergency.

“IT business continuity planning consists of a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of mission-critical and essential IT systems and operations and access to online information.”

What the Auditor checked

What the Auditor found

UMMS lacked tested and approved disaster recovery and business continuity plans for all IT functions.
internal controlsrecordkeeping/documentationcybersecurity

Why it matters: UMMS could experience delays recovering mission-critical and essential IT operations after a disaster or major emergency.

Standard: Sound management practices and industry and government standards requiring comprehensive backup procedures and business continuity plans. ( Chapter 11, Section 12, of the Massachusetts General Laws )

3 recommendations
  • Develop and maintain appropriate recovery strategies to regain mission-critical and essential processing within acceptable time periods.
  • Perform a detailed business impact analysis for functional areas to confirm the impact of IT system loss and restoration requirements.
  • Document a comprehensive disaster recovery plan with recovery strategies for various disaster scenarios.
Agency response & Auditor reply
Agency: "UMMS Information Services recognizes the need for the development of a formal Disaster Recovery Plan (DRP) as well as completing the UMMS Business Continuity Plan (BCP)."
UMMS’s IT strategic planning and project management procedures were not sufficiently formal or detailed.
internal controlsrecordkeeping/documentation

Why it matters: UMMS had inadequate assurance that IT investments supported business objectives and that IT projects would meet expectations without time or budget overruns.

Standard: IT strategic planning should align IT activities, investments, projects, costs, risks, and governance with organizational business strategy.

2 recommendations
  • Adopt an IT strategic planning process in which IT strategic plans are developed in alignment with UMMS’s organizational business strategy.
  • Develop an IT strategic plan that defines how IT goals will contribute to UMMS’s strategic objectives and related costs and risks.
Agency response & Auditor reply
Agency: "The Medical School Information Services has recently implemented a tightly integrated governance structure that will significantly enhance the strategic planning process and the documentation of same."