All New South Wales agencies could be required to regularly test their disaster recovery strategies across ICT systems if the Government adopts a recommendation by the Public Accounts Committee.
At the federal level, a near failure of IT systems at the Australian Transaction Reports and Analysis Centre (AUSTRAC) led to the agency undertaking a $16.1 million data centre project to house its IT systems and electronic records off-site, and transform its existing data centre into a disaster recovery facility.
Prior to the near failure, a report by the Australian National Audit Office found that AUSTRAC’s strategy “to mitigate the risk was to ‘rely on back-up systems’ which, in practical terms, did not exist."
In its Follow Up of the Auditor-General’s 2012 Financial Audit Reports, the NSW Public Accounts Committee “recommends that the NSW Government Digital Information Security Policy be amended to include a requirement that all agencies periodically test their disaster recovery plans and that this be included in the annual attestation requirements of the policy”.
The report defines a disaster as “any incident that causes [a financial system and its supporting IT infrastructure] to be unavailable for regular use”.
According to the Auditor-General’s 2012 Financial Audit Report, 45 per cent of the largest 76 agencies had not tested their disaster recovery plans within the last 12 months.
In addition, 17 agencies had no disaster recovery plans at all.
“Disaster recovery plans for financial systems…do not align with agencies’ business recovery requirements [and] do not properly identify and assess critical systems and processes”.
“Without a documented plan and sufficient testing, the effectiveness of disaster recovery solutions may only be determined when an actual disaster occurs.”
The Auditor-General revealed that only 38 per cent of disaster recovery planning issues identified in 2010 had been entirely resolved by agencies. Many issues addressed in 2011 were ‘repeat’ issues that had previously been identified by the Auditor-General.
The current NSW Government Digital Information Security Policy came into effect in November 2012. Currently, the policy has no extensive provisions pertaining to disaster recovery.
“Controls must be in place to counteract interruption to business activities and to protect from the effects of major failures of digital information systems or disasters,” mandates the policy.
All agencies are required to achieve full compliance with the policy by the end of the year.
The Public Accounts Committee observed that despite the policy’s requirement that agency Audit and Risk Committees review whether disaster recovery plans are tested periodically, “it does not appear that these Committees have been adequate in performing this function”.
However, the Public Accounts Committee did note that there has been a reduction in the number of agencies that did not have a disaster recovery plan.
According to the Auditor-General’s report Financial Audits Volume 1 2012 Focusing on Themes from 2011, the New South Wales Government spends more than $2 billion each year on ICT, underpinning the requirement for effective disaster recovery plans and strong management processes.