Vic Auditor-General slams agencies’ ICT recovery capabilities

The Victorian Auditor-General’s Office (VAGO) has released a scathing report into the disaster recover processes of the information and communications technology (ICT) systems of five of the state’s key agencies.

The agencies audited were Victoria Police and the Department of Economic Development, Jobs, Transport and Resources (DEDJTR), the Department of Environment, Land, Water and Planning (DELWP), the Department of Health and Human Services (DHHS) and the Department of Justice and Regulation (DJR).

None of them passed VAGO’s assessment.

“The audit assessed whether their ICT disaster recovery processes are likely to be effective in the event of a disruption,” explains the report. “At present, none of the agencies we audited have sufficient assurance that they can recover and restore all of their critical systems to meet business requirements in the event of a disruption.

“They do not have sufficient and necessary processes to identify, plan and recover their systems following a disruption.”

The report says the problems are compounded by the relatively high number of obsolete ICT systems that all agencies are still using to deliver some of their critical business functions.

“This both increases the likelihood of disruptions though hardware and software failure or external attack, and makes recovery more difficult and costly. These circumstances place critical business functions and the continued delivery of public services at an unacceptably high risk should a disruption occur.”

The findings are bad news for the agencies concerned. Victoria Police in particular has a sorry history in the management of its ICT, with its aging systems struggling to enable the sharing of information across the agency. Now, the VAGO report shows just fragile it is.

Although there is only a low possibility of a major disaster or significant disruption to ICT systems, the report points out that the consequences of a system failure that cannot be restored could be catastrophic.

“Without effective disaster recovery capability, agencies risk:

  • extended disruption or inability to deliver public services that depend on systems
  • inability to recover systems and restore lost data
  • subsequent financial loss to themselves and the Victorian economy
  • reputational damage, including loss of community confidence in the effective delivery of government services.

“Agencies can reduce the likelihood of disruption events, however this approach can require significant investment compared to the direct costs of responding to a disruption when it occurs. It can therefore be challenging for agencies to determine the balance between focusing on preventative actions and planning to manage the consequences of possible disruptions.”

The VAGO report found that none of the agencies’ business impact analysis (BIA) processes are robust enough to identify and prioritise critical business functions and the recovery requirements for related ICT systems.

It says that the maturity of agencies’ processes varies, but that there are a number of common weaknesses:

  • not all business functions and related ICT systems are clearly identified and prioritised
  • system recovery requirements are assessed in isolation, and many system dependency requirements are not identified and considered
  • system recovery requirements determined by the business have not been aligned with ICT service delivery and system recovery capabilities.

“Agencies are either not performing BIA periodically, or their BIA does not have defined trigger events that prompt them to revise the analysis in response to changes at the agency—for example, a different operating environment, new services or an altered risk profile.”

VAGO measured agencies’ BIA processes against the globally accepted model outlined the widely used COBIT 5 model.

“Without a robust BIA, agencies have difficulty determining which systems need disaster recovery capability and in what order they should recover systems. The immaturity of these BIA processes means agencies risk not being able to identify all the systems that support their critical business functions.

“Further, they risk not having the necessary disaster recovery capability to ensure that their ICT systems can provide continuous service or be recovered rapidly following a disruption. In this report, our assessment is based on the critical systems that agencies have identified.”

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at  

Sign up to the Government News newsletter

Leave a comment:

Your email address will not be published. All fields are required