The Office of the Inspector General of Puerto Rico (OIG) published the findings of the examination carried out at the Comprehensive Cancer Center of Puerto Rico, in which deficiencies related to the information systems area were reported.
The examination was aimed at validating whether the operations of the Information Systems Division (DSI) of the Comprehensive Cancer Center of the University of Puerto Rico have been implemented in accordance with the applicable standards, particularly with regard to the effectiveness of the internal controls for the administration of security, continuity of service and access, the OIG indicated in writing.
“As a result of the examination carried out, deficiencies in controls were found such as: lack of a risk analysis; lack of plans for incident management; programs and plans for the continuity of operations in cases of emergencies; absence of an alternate center; there is a lack of an awareness and training program for personnel; absence of trained personnel in security and the management of cybersecurity equipment; deficiencies in the preparation of access request forms and lack of organizational independence. Similarly, a special comment was added to the report, since, as part of the analysis carried out, deficiencies were detected in the management and control of public property attached to the information systems division, which deserve to be addressed and corrected,” the communication details.
The OIG asked the management of the Comprehensive Center, as part of its recommendations, to establish an Incident Management Plan that documents all security and information systems incidents and how they were resolved, “so that they can be solved in the shortest time possible without affecting the information systems and the continuity of operations.”
In addition, the report recommends that the Comprehensive Center bring its Emergency Management Program and Crisis Communication Program into line with the professional practices established by the Disaster Recovery Institute International (DRII). “As part of this program, it will be necessary to: assign the official spokespersons of the agency, define the means of communication, establish guidelines to face adverse situations and to ensure that all personnel are familiar with the basic communication procedures and their role in the event of an eventuality of a crisis,” it was specified.
This report, prepared and published in accordance with the provisions of Act No. 15-2017, as amended, known as the Inspector General Act of Puerto Rico (Act 15-2017) and the applicable regulations, is available on the website www.oig.pr.gov.