Five key Victorian government service agencies would not be able to recover all their critical systems in the event of disruption due to woeful disaster recovery processes, the state's auditor has found.
Auditor-general Andrew Greaves today revealed the problems were exacerbated by a "relatively high number" of obsolete systems.
The audit office assessed the disaster recovery processes of Victoria Police and the Transport, Environment, Health, and Justice departments using the COBIT 5 model.
It found the five agencies were vastly unprepared to restore systems following a disruption due to insufficient “processes to identify, plan and recover their systems following a disruption”.
“None of the agencies’ disaster recovery processes are robust enough to effectively and efficiently recover all critical systems in the event of a disruption,” the audit office wrote.
Eighty-four of the 222 assessed agency systems supporting critical business functions were found to have no disaster recovery plans, with Justice leading the pack for the largest number of systems without such a plan.
Agencies were also found to only perform disaster recovery tests on some of their critical systems, and when these tests were conducted, they weren't performed consistently. They also failed to meet two key recovery objectives: recovery time and recovery point, the audit office said.
This was largely a result of agencies’ business impact analysis (BIA) failing to “identify and prioritise critical business functions and the recovery requirements for related ICT systems”.
“Without having disaster recovery plans and testing them regularly, agencies risk not being able to recover systems in a timely way because of a lack of guidance for staff on what is required to bring systems back online,” the report states.
“As a result, critical government services - such as criminal justice and policing operations - may be unavailable for longer than is necessary, depending on the scale of the disruption.”
Obsolete critical systems
The audit also revealed that almost half (49 percent) of the systems that support critical business functions - such as financial management, child protection and management of criminal justice - were obsolete.
Victoria Police was identified as having the highest proportion of archaic systems, with a massive 79 percent - or 19 of its 24 core systems - obsolete.
Although agencies recognised obsolete systems as a key risk and were implementing programs to upgrade or replace them, the auditor said this was “not occurring frequently enough and often only when systems are approaching their end of life”.
“Systems that operate on obsolete hardware or software present a significant disaster recovery risk, because of the limited availability of hardware spare parts, vendor technical support, and staff knowledge and skill,” the report states.
“At worst, agencies risk catastrophic equipment failure, extended outage of public services, and exploitation of vulnerable systems by computer virus attacks.”