The Australian National Audit Office has given Centrelink's IT high marks in its attempts to implement business continuity management, with only limited recommendations on possible improvements.
The auditor made five recommendations in its report released today, down from the previous eleven it had made in a similar study in 2003. The auditors' only recommendation which touched deeply and specifically on IT was that Centrelink's Business Continuity, Crisis Management and Security (BCCM & S) Sub-committee be provided with reports on IT business continuity issues.
Yet this recommendation was likely already fulfilled, according to the auditors, who noted that the committee had undergone a reorganisation in February which had led to it receiving IT business continuity information.
"This is supported by early evidence of reporting to the February 2009 meeting of the BCCM & S Sub-committee that included IT business continuity related information," the report said.
The report also noted that the IT business continuity risks identified in the previous audit relating to datacentres, offsite data storage and IT back-up arrangements were being addressed by the agency. Although the report noted that Centrelink would soon have to find new datacentre space as it would reach capacity in its current centre by this month, it also praised the agency's mainframe storage and back-up practices as mature.
Centrelink had a number of tools which helped it to document and manage IT business processes, according to the auditors, including an ITIL framework (collection of best IT practices), an Enterprise Service Desk Incident and Problem Management suite of tools (automates management and monitoring of the agency's IT systems), a Centrelink Repository (central database with documents for services to be recovered quickly in a crisis) and an IT services catalogue (a list of IT services supporting the business).
Centrelink received criticism for not maintaining the catalogue since 2006, especially since it, together with a business criticality review conducted in 2002, was the basis of the agency's IT service recovery priority list. Yet since the auditors said the catalogue was to be replaced by an ITIL service level management framework, their only real recommendation was that the business carry out a business criticality review.
The auditors noted that the agency had finished 12 of 16 disaster recovery plans and that all of them would be up to date by the end of September, to be tested in October. The office reviewed the 12 plans which had been completed.
"The plans also adopted a consistent and logical approach and provided easy-to-follow, step-by-step guidance to recovering IT systems following a disaster, including advice on other organisations that should be consulted," the report said.
The auditor, however, drew attention to the fact that although Centrelink did schedule tests of its IT disaster recovery plans, those weren't completed on time because the release schedule, IT production and emergencies took precedence. The auditors suggested more rigorous testing of those plans.
The audit team also reviewed five IT projects on their use of Centrelink's operational readiness checklist and found that all the selected projects had completed the necessary checkpoints. The managers had also "comprehensively" documented the business continuity processes.
IT also got a mention as the only committee which received business continuity reports based on a balanced scorecard. Although they noted the scorecard could be improved, the auditors wanted other areas to follow IT's lead.