SAN JUAN – The Office of the Inspector General of Puerto Rico (OIG) published a report on its examination of the Comprehensive Cancer Center of Puerto Rico, which sets out findings and deficiencies related to the information systems area.
The examination was aimed at validating whether the operations of the Information Systems Division (DSI) of the Comprehensive Cancer Center of the University of Puerto Rico (Comprehensive Center) have been implemented in accordance with the applicable standards, particularly with regard to the effectiveness of internal controls for the administration of security, continuity of service and access.
The examination found deficiencies in controls such as: lack of a risk analysis; lack of incident management plans and of programs and plans for the continuity of operations in emergencies; absence of an alternate center; lack of an awareness and training program for personnel; absence of personnel trained in security and the management of cybersecurity equipment; deficiencies in the preparation of access request forms; and lack of organizational independence.
A special comment was also added to the report because the analysis detected deficiencies in the management and control of public property attached to the information systems division, which deserve to be addressed and corrected.
As part of its recommendations to management, the OIG requests that the Comprehensive Center establish an Incident Management Plan in which all security and information systems occurrences, and how they were resolved, are documented, so that they can be resolved in the shortest possible time without affecting information systems and the continuity of operations.
In addition, the Comprehensive Center must bring its Emergency Management Program and Crisis Communication Program into line with the professional practices established by the Disaster Recovery Institute International (DRII). As part of this program, it will be necessary to: designate the official spokespersons of the agency, define the means of communication, establish guidelines for facing adverse situations, and ensure that all personnel are familiar with the basic communication procedures and their role in the event of a crisis.
This report was prepared and published in accordance with the provisions of Act No. 15-2017, as amended, known as the Inspector General of Puerto Rico Act (Act 15-2017) and the applicable regulations. It is available on the website www.oig.pr.gov.