The Victorian Auditor-General’s Office (VAGO) has released a scathing report into the disaster recover processes of the information and communications technology (ICT) systems of five of the state’s key agencies.

The agencies audited were Victoria Police and the Department of Economic Development, Jobs, Transport and Resources (DEDJTR), the Department of Environment, Land, Water and Planning (DELWP), the Department of Health and Human Services (DHHS) and the Department of Justice and Regulation (DJR).

None of them passed VAGO’s assessment.

“The audit assessed whether their ICT disaster recovery processes are likely to be effective in the event of a disruption,” explains the report. “At present, none of the agencies we audited have sufficient assurance that they can recover and restore all of their critical systems to meet business requirements in the event of a disruption.

“They do not have sufficient and necessary processes to identify, plan and recover their systems following a disruption.”

The report says the problems are compounded by the relatively high number of obsolete ICT systems that all agencies are still using to deliver some of their critical business functions.

“This both increases the likelihood of disruptions though hardware and software failure or external attack, and makes recovery more difficult and costly. These circumstances place critical business functions and the continued delivery of public services at an unacceptably high risk should a disruption occur.”

The findings are bad news for the agencies concerned. Victoria Police in particular has a sorry history in the management of its ICT, with its aging systems struggling to enable the sharing of information across the agency. Now, the VAGO report shows just fragile it is.

Although there is only a low possibility of a major disaster or significant disruption to ICT systems, the report points out that the consequences of a system failure that cannot be restored could be catastrophic.

“Without effective disaster recovery capability, agencies risk:

extended disruption or inability to deliver public services that depend on systems
inability to recover systems and restore lost data
subsequent financial loss to themselves and the Victorian economy
reputational damage, including loss of community confidence in the effective delivery of government services.

“Agencies can reduce the likelihood of disruption events, however this approach can require significant investment compared to the direct costs of responding to a disruption when it occurs. It can therefore be challenging for agencies to determine the balance between focusing on preventative actions and planning to manage the consequences of possible disruptions.”

The VAGO report found that none of the agencies’ business impact analysis (BIA) processes are robust enough to identify and prioritise critical business functions and the recovery requirements for related ICT systems.

It says that the maturity of agencies’ processes varies, but that there are a number of common weaknesses:

not all business functions and related ICT systems are clearly identified and prioritised
system recovery requirements are assessed in isolation, and many system dependency requirements are not identified and considered
system recovery requirements determined by the business have not been aligned with ICT service delivery and system recovery capabilities.

“Agencies are either not performing BIA periodically, or their BIA does not have defined trigger events that prompt them to revise the analysis in response to changes at the agency—for example, a different operating environment, new services or an altered risk profile.”

VAGO measured agencies’ BIA processes against the globally accepted model outlined the widely used COBIT 5 model.

“Without a robust BIA, agencies have difficulty determining which systems need disaster recovery capability and in what order they should recover systems. The immaturity of these BIA processes means agencies risk not being able to identify all the systems that support their critical business functions.

“Further, they risk not having the necessary disaster recovery capability to ensure that their ICT systems can provide continuous service or be recovered rapidly following a disruption. In this report, our assessment is based on the critical systems that agencies have identified.”

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.

Sign up to the Government News newsletter

Graeme Philipson

Vic Auditor-General slams agencies’ ICT recovery capabilities

Related stories

Committee recommends review of Auditor-General powers

Victorian Auditor-General releases interim financial audit results

Agencies meet financial requirements: Auditor-General

Victorian councils should centralise service costing: Auditor-General

CCTV cameras get thumbs up from auditor general

Auditor General audits Melbourne Market project

TAGS

Leave a comment: Cancel reply

Latest comments

Sue Phillips on: 15 councils participate in SA emissions reduction trial

Garth Daddy on: War memorial contracts fudged, audit finds

Roger Buhlert on: New VLGA appointment vows to lift governance standards

Most read

Scathing report finds little has changed at PwC

Qld council welcomes progress on massive battery system

‘Local’ procurement turns out not to be so local, committee hears

Another report finds local government falling down on cyber security

MoG changes see regions, investment return to NSW Premier’s Department

Popular posts

Latest news

Niki Savva appointed to Board of Old Parliament House

Monitors at Glenelg reappointed amid ‘behaviours of concern’

AI picks up 2,000 road defects a week for disaster-hit NSW council

Australian healthcare expensive but good, research finds

Bureaucrats grilled over ‘fake’ govt emissions certificate during greenwash inquiry

Related Posts