Sixteen NSW agencies still have no DR, audit finds

Six months after releasing its revised and more compliance-friendly IT security policy, the NSW government has only managed to reduce the number of agencies with no disaster recovery provisions by one, the state's Auditor-General has found.

A list of entities with incomplete or absent plans to deal with a disaster or massive outage has been the bugbear of successive NSW Auditors-General, as well as the NSW Parliament’s public accounts and expenditure committee.

Between 2011 and 2012 the number of agencies on the blacklist actually increased, from 14 to 17 across the government, much to the chagrin of former AG Peter Acheterstraat.

The Department of Finance and Services (DFS) released its revised Digital Information Security Policy in November 2012, and anticipated that a new risk-based approach would improve compliance by removing the onerous one-size-fits all minimum standards required in the past.

All agencies were expected to have fully implemented the requirements of the new plan by the end of 2013, with interim progress reports checked the July before.

But in his first report of 2014, Auditor-General Grant Hehir found 16 agencies still had no disaster recovery plans as at the end of June 2013.

Despite some improvements, he said in a report tabled this morning, “disaster recover planning continues to be the area with the second highest number of issues, making up 17 percent of all IT issues reported in 2013”.

Additionally, another 11 agencies had not tested their disaster recovery provisions to make sure they will actually work if a crisis did hit.

However, the number of fully complete and fully tested disaster recovery plans increased from 36 as of June 2012 to 44 as of June 2013.

Hehir revealed the top security threat to the NSW government is shoddy passwords.

While information security issues made up 63 percent of all IT shortcomings identified by the audit office in 2013, well over half of these - and 38 percent of all complaints - related to weak user controls and password parameters.

“Information security requirements are often overlooked during new system implementations and during times of organisational change," the report stated.