news An audit of departments and agencies within the Victorian Government has found many don’t have sufficient business continuity/disaster recovery facilities to keep them operating in the event of a major disaster, with the situation exacerbated by the lack of capability found at IT shared services agency CenITex.
CenITex was set up in July 2008 from the merger of the previous Shared Services Centre and Information & Technology Services divisions under the Department of Treasury and Finance, and has since rolled in a number of major departments and agencies to use its services, such as the Departments of Human Services (health) and Justice.
However, the agency has failed a number of its core functions over the past several years and had also become a haven for unethical procurement practices. It has gone through several major redundancy rounds, and in September the Victorian Government went to market for IT outsourcing partners to replace large chunks of the service delivery functionality currently provided by the agency.
In a report published last week regarding the state’s 11 major portfolio departments and their 197 associated entities, Victorian Government Auditor-General piled more fuel onto the CenITex fire.
In the report, available online in PDF format, Doyle noted that the portfolio departments in general, which provided services to their constituent agencies, had business continuity plans for individual divisions but “lacked overarching plans that provided whole-of-agency coordination and prioritisation”.
As a result, if Victoria suffered a major disaster, the auditor wrote, “services may not be re-established efficiently, particularly if an event impacts more than one area of a portfolio department’s operations”.
Exacerbating the situation is the fact that a number of the agencies depend on CenITex for such capabilities, but the IT shared services agency itself was not adequately prepared for an emergency situation.
“The effectiveness of the plans of portfolio departments is at risk as CenITex do not have sufficient disaster recovery capability to respond to a significant event. Consequently, portfolio departments’ ability to recover from events affecting their information technology infrastructure and operations is at risk. Unassessed and unmanaged, such a risk should be unacceptable to Parliament and the public,” the report states.
“Portfolio departments, and the shared service providers upon which they rely, need to work together to mitigate the risk of prolonged service failure in the event of business disruption. At the date of this report, this has not occurred in the key area of IT infrastructure. The consequential risk of not knowing if public services and portfolio department operations can be recovered is significant and unacceptable.”
The auditor noted that almost all all portfolio departments and the Business Services Technology agency did have disaster recovery plans in place. However, the effectiveness of these plans in the event of a significant disruption was “unknown”, because “CenITex has no disaster recovery capabilities should this occur”.
“To compound this risk, portfolio departments are not informing themselves adequately about the disaster recovery capabilities of CenITex,” the report added. “The service agreement contracts between eight portfolio departments and CenITex do not address disaster recovery, and CenITex does not test its disaster recovery capabilities unless specifically requested to, and paid for by a portfolio department.”
“While it is not necessarily the role of an IT services provider to manage risks impacting on its customer data, CenITex is a not-for-profit entity providing essential infrastructure to enable services to be provided to the public. The public sector focus of CenITex means that by not working with the portfolio departments to develop a DRP, it is leaving the public exposed to an unacceptable risk of being unable to recover services after a significant event.”
opinion/analysis
Wow. You would think it would be a basic for any major Australian organisation to have a disaster recovery/business continuity plan, let alone a major IT shared services provider like CenITex. But, as I’ve previously written, nothing would surprise me when it comes to the agency. I sometimes wonder what precisely CenITex does do well, because so many reports into the agency have starkly demonstrated a huge list of things it needs to improve.
“You would think it would be a basic for any major Australian organisation to have a disaster recovery/business continuity plan”
You would think this…. but alas A lot of very ‘big name’ companies don’t have them, or at best haven’t tested them, or haven’t updated the DR plans since they made them way back in the day.
Cenitex DR capacity or lack of it, does not surprise me at all!
DR / Continuity doesn’t generally get support from a business (big or small) until the person writing the cheques has had massive data loss and a large outage to go with it.
On a side I’d like to know how much of the infrastructure for these dept’s are running in virtual workloads… and why there isnt some kind of SAN level replication in tandem with SAN level snap shots and DDT soluitions. its not rocket surgery people, I’d bet they have most of the kit to do it too.
CenITex has the capability in that it has two data centres and networking and switching between them to provide several levels of disaster recovery. This capability should cover everything from hot standby down to much simpler systems. Certainly the desktop was a disaster recovered system in 2012 and not much has changed since that time.
What CenITex does not have is the capital to create new systems; especially for departments who have up until now not considered DR to be unnecessary. Given the move away from the government owned shared model toward ‘cloud” based systems it makes little sense for departments to invest so that might be a wise decision.
What the observation does reflect is that CenITex has a longer shelf life before the new cloud based systems kick in. Consequently this leaves the Victorian Government seriously exposed. Perhaps it is time for the journalistic community to reveal the true story; which is what are the implantation plans for the cloud and particularly the operating costs of the new strategy and why is the strategy taking so long to implement?
Comments are closed.