news The NSW Government’s Auditor-General has severely criticised eight of the state’s agencies for failing to have basic elements relating to disaster recovery planning, in comments that come after the Queensland and Victorian Governments have recently suffered similar criticism.
In his most recent report, acting NSW Auditor-General Tony Whitfield wrote that every year his office considered agency compliance with key central agency requirements, including a requirement on disaster recover planning.
Over the past four years, an average of only about 80 prcent of agencies had a disaster recovery plan for their financial IT systems in place, and half had not sufficiently tested their plans. “Without a DRP, unforeseen events increase the risk of high financial costs, reputation loss and negative impacts on key stakeholders,” Whitfield wrote.
The auditor’s most recent report tested 30 agencies for compliance with disaster recovery requirements, including requirements from the NSW Treasurer’s Directions and the NSW Government Digital Information Security Policy. The report was first noted by iTnews.
“Eight agencies did not comply with the two most essential DRP requirements,” Whitfield wrote. “The two most essential elements of disaster recovery planning are having an effective DRP and testing it regularly. This compliance review was performed on 30 agencies and covered the financial systems most relevant to producing the financial information they use to manage their businesses and produce financial reports. The review found that: Four agencies did not have a DRP; three agencies’ DRPs were not tested in accordance with the plan; and one agency had no DRP for one of its four financially significant systems.”
“There are opportunities for some agencies to improve their disaster recovery planning processes for financial systems and for better monitoring,” wrote Whitfield.
The news comes as other states such as Queensland and Victoria have also suffered problems recently with respect to their disaster recovery planning.
For example, in December 2013, an audit of departments and agencies within the Victorian Government found many didn’t have sufficient business continuity/disaster recovery facilities to keep them operating in the event of a major disaster, with the situation exacerbated by the lack of capability found at IT shared services agency CenITex.
At the time, the Victorian Auditor-General auditor noted that almost all all portfolio departments and the Business Services Technology agency did have disaster recovery plans in place. However, the effectiveness of these plans in the event of a significant disruption was “unknown”, because “CenITex has no disaster recovery capabilities should this occur”.
Similarly, in July this year, the Queensland Auditor-General found two sizable Queensland Government departments had no central disaster recovery plan, despite the region’s ongoing struggles with extreme weather conditions that have previously knocked out telecommunications and data centre infrastructure.
Queensland has a history of inclement weather which has led to disaster recovery plans needing to be used.
The floods in the state in January 2011 took down substantial portions of the state’s telecommunications networks. Telstra was locked out of hundreds of telephone exchanges, while an AAPT datacentre went down and numerous other problems were experienced.
Queensland’s auditor noted in July that it would expected these events to have changed the way the state handled its technology infrastructure.