The Australian Taxation Office has been asked to produce a “full list” of all the IT system outages it has experienced over the past 18 months for senate scrutiny.
The dataset has the potential to be a relatively lengthy log file as there was no limit placed - at least for now - on the length of outage that is to be reported.
ATO commissioner Chris Jordan noted that some outages were “really little ones” of 30 seconds or less. The outage log will also cut across multiple ATO systems.
“It’s important to note we don’t have one system - we have multiple systems, and often times it is a single system that gets impacted, not all of them,” chief information officer Ramez Katf said.
The request for data came as senators sought to understand post-incident reporting and investigations in the wake of a pair of debilitating storage area network (SAN) outages in December 2016 and February 2017.
PwC was called in to investigate the initial December outage and provide recommendations on how to address the failure.
The report was meant to be finalised back in March. But it emerged today that the report had only been completed in the past few weeks.
“We have just in the last few weeks finalised their report so we now have a final version of it,” Katf said.
Katf said he thought the ATO had “incorporated all of PwC’s recommendations into” a separate report that the ATO handed down over the outages back in June.
That report was an amalgam of data from internal investigations, the then-draft PwC report, “plus a number of other elements,” Katf said.
Jordan indicated there had been “various versions” of the separate PwC report and that its compilation had been “an iterative process” with the ATO.
However, he strongly refuted any suggestion that the ATO’s involvement affected the PwC report’s independence.
“In any review you’re going to have input into it. You don’t just give them the keys and say ‘here’s some passes go for it’,” Jordan said.
“You have to - in any review of anything - brief the people, answer questions, and provide information.
“[PwC is] also obviously dealing with [SAN supplier] HPE as well as other suppliers [in addition to the ATO]. But you can’t say it’s not an independent review.”
There was no commitment from the ATO to release the final version of the PwC report.
“We need to carefully look at the commercial-in-confidence information in there about our systems and investments required,” Jordan said.
“We’ll need to go to the market [for fixes or upgrades]. Some of the things in there we would not necessarily want potential vendors to know about. It might put us at a disadvantage.”
Jordan said the ATO had already “published extensive information around the outages” to date.
“We’ve moved on and we’ve had a great tax time for 2017,” he said.