A series of audits across three states have drawn attention to the importance of government agencies having adequate disaster recovery plans, particularly as they relate to critical IT systems.
The South Australian and Victorian audit offices both published detailed reports on disaster recovery plans in late November which suggest there is a lot of room for improvement, and their New South Wales counterparts made a similar assessment.
The audit offices in the two southern states are keen to impress on public servants how important best-practice disaster planning is for government agencies, given the public will look to them in a time of crisis. They need robust backups and comprehensive recovery plans based on detailed risk assessments and regular testing.
Two key concepts mentioned by both the SA and Victorian audits are recovery times, or how soon the organisation needs to fix things after a disaster, and recovery points — standards for the point in time before the breakdown to which they will need to recover data.
Both reports offer a range of recommendations that would be useful for agencies in any jurisdiction to review, lest they find out the hard way that their own disaster plans are wanting.
In Victoria, there is “an unacceptably high risk” of a breakdown in critical functions of government agencies and continued delivery of public services in the event of a disaster.
The auditors looked at the police and four major departments: Economic Development, Jobs, Transport and Resources (DEDJTR); Environment, Land, Water and Planning (DELWP); Health and Human Services (DHHS); and Justice and Regulation (DJR).
“At present, none of the agencies we audited have sufficient assurance that they can recover and restore all of their critical systems to meet business requirements in the event of a disruption,” they reported.
“They do not have sufficient and necessary processes to identify, plan and recover their systems following a disruption. Compounding this is the relatively high number of obsolete ICT systems all agencies are still using to deliver some of their critical business functions.
“This both increases the likelihood of disruptions though hardware and software failure or external attack, and makes recovery more difficult and costly.”
According to the report, Victorian agencies “are only just beginning to fully understand the importance” of preparing for the worst.
“They need to significantly improve and develop well-resourced and established processes that fully account for and can efficiently recover the critical business functions of agencies following a disruption.”
In South Australia, an audit of 19 agencies found most had some contingency plans such as secondary data centres, although three did not, and that the statewide blackout in September 2016 had led some to review and strengthen their arrangements.
“However … many of the agencies we reviewed had not implemented sufficient processes and controls to mitigate their key disaster recovery risks,” the report adds.
Six agencies didn’t have any disaster recovery plan for some or all systems. Nine did not have detailed recovery procedures for all systems or had procedures that were deemed insufficient in the audit.
The SA auditors found that 12 agencies did not have recovery time objectives and recovery point objectives (explained above) for some or all systems, and “maximum allowable outage times” were not set for some or all business processes in eight agencies.
Only one agency did full disaster recovery testing for all of its key systems, and two did not at all.
There were 16 with partial testing in place, and 14 without formal testing schedules for all key business systems.
The audit also found six agencies had not recently conducted a risk assessment to support disaster recovery, and 10 did not have enough IT resources to effectively conduct recover from a disaster.
The auditors made a range of sensible recommendations and acknowledge that adequate resourcing is an issue, especially for smaller agencies. “One agency in particular cited underfunding and a lack of resourcing as the reasons for their control deficiencies,” the report notes.
New South Wales
“Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans,” the NSW audit office commented in its wider summary report on internal controls and governance, published in late December.
“This includes reviewing and testing their plans on a timely basis. A smaller percentage of agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.”
The report, which covers the state’s 39 biggest public sector bodies, representing 95% of total agency expenditure, includes two high-level recommendations for IT:
“Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.
“Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.”
Compared to all other chapters in the summary report — asset management, governance, ethics and risk management — it is IT where the audit office found most room for improvement:
“While 95 per cent of agencies have policies about IT system user access, almost one-third had identified instances where they were not fully complying with these policies.
“Most agencies do not sufficiently monitor or restrict privileged access to their systems and some do not enforce password controls.”
Overall, the NSW audit office reports “financial and IT control deficiencies” have decreased over the past three years but notes a “sizeable proportion” of IT controls that were missing in action had previously been highlighted as issues to address.
There was a pattern of “poor or absent IT controls” related to user access management, password management, privileged access management, and user acceptance testing. Similar issues have been regularly found by audits in other states over the past few years.
The auditors remind agencies of basic stuff like password controls, regularly reviewing who has access to sensitive systems, only giving access as required, monitoring how “privileged” access is used, and quickly removing access for people who no longer need it.
In terms of inadequate IT governance, the most common problems related to: cyber security risk management; capital project governance; managing shared service arrangements; conflicts of interest; gifts and benefits; general risk management maturity; and ethical behaviour policies and statements.