Victorian auditor finds government has insufficient disaster recovery processes

The Victorian Auditor-General's Office has provided 15 recommendations to five government agencies after concluding that their disaster recovery processes are not sufficient to recover and restore critical IT systems following disruptions.

The Victorian Auditor-General's Office (VAGO) has completed its examination into the disaster recovery process of Victoria Police and four government departments, presenting 15 recommendations in its report tabled on Wednesday.

In addition to Victoria Police, the VAGO audited the Department of Economic Development, Jobs, Transport and Resources; the Department of Environment, Land, Water and Planning; the Department of Health and Human Services; and the Department of Justice and Regulation to determine the extent to which they are able to recover and restore IT systems and data in the event of a disruption.

The VAGO concluded that none of the auditees have "sufficient and necessary processes" to recover and restore the critical IT systems they rely on to manage operations -- such as criminal justice and policing operations -- and fulfil statutory obligations.

"Compounding this is the relatively high number of obsolete ICT systems all agencies are still using to deliver some of their critical business functions. This both increases the likelihood of disruptions through hardware and software failure or external attack, and makes recovery more difficult and costly," the VAGO stated in its ICT Disaster Recovery Planning report.

"These circumstances place critical business functions and the continued delivery of public services at an unacceptably high risk should a disruption occur."

Of particular concern to the VAGO is the lack of an "established, coordinated department-wide approach" to disaster recovery planning, saying that instead, disaster recovery is decentralised and managed by individual business units across all audited agencies.

Additionally, only 84 out of the 222 systems that support critical business functions have disaster recovery plans.

"Agencies have not performed a risk assessment to determine which critical systems need a disaster recovery plan or identified appropriate continuity processes for when systems are unavailable," the VAGO stated in its report.

According to the VAGO, the Department of Economic Development, Jobs, Transport and Resources has 13 critical systems, four of which have no disaster recovery plan (DRP) and two have untested plans; the Department of Environment, Land, Water and Planning has 80 critical systems, 43 of which have no DRP and six have untested plans; the Department of Health and Human Services has 45 critical systems, 23 of which have no DRP and 11 have untested plans; the Department of Justice and Regulation has 60 critical systems, 47 of which have no DRP and three have untested plans; and Victoria Police has 24 critical systems, 21 of which have no DRP.

Furthermore, the VAGO concluded that none of the agencies' functional disaster recovery testing confirms whether they are able to recover systems to meet two key objectives: the target time required for the recovery of an ICT system after a disruption, and the time in which an agency must restore data after a disruption.

Five recommendations were provided to all auditees, including the formation of a "collaborative disaster recovery working group" to provide advice and technical support; share learnings from the disaster recovery tests and exercises undertaken; coordinate disaster recovery requirements for resources shared between agencies; identify, develop, implement, and manage initiatives impacting multiple agencies; and coordinate funding requests to ensure certain investments and requirements are prioritised.

The second recommendation to all of the auditees is to perform a gap analysis on their disaster recovery requirements and resource capabilities in order to determine the amount of investment that will be required, while the third recommendation is to develop and test disaster recovery plans for the IT systems that support critical business functions.

The VAGO also recommends that auditees provide advice and training to staff on specific disaster recovery systems, as well as newly developed frameworks, policies, standards, and procedures to increase awareness and adoption of those systems.

The fifth recommendation to all auditees is to establish "system obsolescence management processes" in order to identify and manage systems at risk of becoming obsolete; enable strategic planning, lifecycle optimisation, and the development of long-term business cases for system lifecycle support; and provide agency executives with information that will allow them to make risk-based investment decisions.

The VAGO found that 49 percent of the audited systems that support business functions -- such as financial management, child protection, and managing critical justice -- are obsolete.

According to its report, 79 percent of Victoria Police's critical systems are obsolete, which was the highest percentage across the five auditees, while the Department of Environment, Land, Water and Planning had the lowest percentage of obsolete systems, coming in at 26 percent.

The Department of Economic Development, Jobs, Transport and Resources, the Department of Health and Human Services, the Department of Justice and Regulation, and Victoria Police received an additional recommendation from the VAGO to set up IT disaster recovery frameworks providing guidelines and minimum standards around the "levels of readiness and appropriate governance oversight", as well as the requirements, frequency, and format of disaster recovery tests depending on the criticality of IT systems.

The VAGO said there were no objections from the auditees on the recommendations, with some providing action plans on how they've begun addressing the recommendations and the timeframe for these activities.
