Finding 2022-007 ADP Security Program Management

Views

MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding.

For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system; therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. For the second system identified, the DRP was tested in accordance with the SOM Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the SOM DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability.

For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones for all information systems even after expiration of the authority to operate.
In addition, MDHHS is required to audit a portion of these systems (Community Health Automated Medicaid Processing System (CHAMPS), Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process, where control evidence is updated to demonstrate effectiveness of controls.

Planned Corrective Action

For part a., MDHHS will add the missing elements identified to the business continuity plan (BCP) and perform annual reviewing and testing of the BCP.

For parts b. and c., MDHHS and DTMB disagree with the finding and do not intend to take further action.

Anticipated Completion Date

a. December 31, 2023
b. and c. Not applicable

Responsible Individual(s)

Jim Bowen, MDHHS
Nathan Buckwalter, DTMB
Heather Frick, DTMB
Alana Lowe, MDHHS
Jennifer Tate, MDHHS