Victorian shared services agency CenITex does not have any disaster recovery capabilities to combat a significant disruption to the agencies using its IT services, the state’s auditor-general has found.
It’s the second damning report to come out of the state today, after another auditor-general's report found the state government had big holes in its cyber security strategy, leaving it vulnerable to attack.
The auditor reviewed 11 of the state’s portfolio departments and found weaknesses in business continuity and disaster recovery planning which, if not addressed, would risk continuity of service.
It found that while all of the 11 departments had disaster recovery plans (DRPs), the plans were rendered almost ineffective in the event of a significant disruption because CenITex, which provides IT services to 10 of the 11 reviewed departments, had no similar disaster recovery plan.
“The lack of a DRP at CenITex to respond to a significant event means that most portfolio departments do not have assurance that they will be able to restore their IT promptly in the event of a significant disruption,” the report found.
“Consequently, the ability to provide essential public services and operate after a significant event is at risk. Such a risk should be unacceptable to Parliament and the public.”
The report found the risk was compounded because agencies were not educating themselves properly about CenITex’s disaster recovery capabilities.
It also found eight of the 10 department contracts held with CenITex did not even address DR as part of the service agreement, and CenITex does not test its DR capabilities unless specifically requested - and even then only if the department in question pays for it.
“This means that for the 10 portfolio departments whose information systems are supported by CenITex, the ability to recover operations and provide essential public services is at risk.”
CenITex had been informing portfolio departments annually that it had no DR plan in the event of failures, but agencies had failed to act on the associated risks.
The auditor-general said it was the portfolio departments' responsibility to ensure appropriate management of risks to their business.
“This responsibility extends to knowing and understanding risks arising as a result of outsourcing. Portfolio departments are not addressing this responsibility adequately.”
However, CenITex did not escape the auditor-general’s fire. The report said while it was not CenITex’s role to manage risks impacting on its customers’ data, the agency’s inaction on working with the departments to develop a DRP meant it was leaving members of the public who use government services exposed.
“CenITex and portfolio departments must work together to assess, manage and mitigate disaster recovery risks. In not doing so they are failing in their roles by exposing the public to an unacceptable risk of being unable to recover after a significant event,” it said.
“As the role of CenITex changes in the future to brokering and managing services, portfolio departments will be further removed from the service delivery provider which may increase this disaster recovery risk further.”
It recommended CenITex lead the development and regular testing of a DR plan, while it and the departments needed to clarify where the responsibility for DR lay.
In September the Victorian Government began its quest to outsource the services CenITex currently delivers internally. In 2012 the agency serviced 15 departments with $153 million worth of contracts.
The shared services agency has long been a thorn in the side of the Victorian government. The underperforming agency had notched up a number of damaging scandals in recent years, including allegations of corruption and nepotism.