Major NSW govt agencies still without disaster recovery plans for all systems

A handful of the NSW government’s largest agencies are still without disaster recovery plans for all their IT systems and infrastructure, the state’s auditor-general has found.

In an annual review [pdf] of internal controls and governance, the NSW audit office identified shortcomings in disaster recovery and business continuity planning, as well as in general IT controls.

The audit assessed 40 of the largest agencies in the NSW public sector – which are responsible for the state’s most critical IT systems and around 85 percent of all expenditure – prior to the pandemic.

While most agencies were found to have disaster recovery plans in place for “some or all of their critical IT systems” during 2019, 19 percent are still without such plans for all key IT systems.

As the 40 largest agencies in the state, the audit notes that this means “there is no plan in place to recover some key IT systems and infrastructure that support critical agency functions”.

The audit also found 43 percent of agencies had “not developed and tested their disaster recovery plans” during 2019.

The audit notes that there is currently “no specific NSW government direction that requires agencies to maintain business continuity and disaster recovery planning arrangements”.

There are, however, requirements for a risk management framework under the internal audit and risk management policy and an approved cyber security plan under the NSW cyber security policy.

A further 23 percent of agencies were also found not to have conducted a business impact analysis (BIA), while 20 percent of those that had were only performing it on an ad-hoc basis.

A BIA “helps agencies identify critical business functions that support an agency’s business objectives, including target recovery times”, the audit explains.

Around 10 percent of BIAs that were conducted “did not include recovery time objectives”, while six percent “did not identify key IT systems that support critical business functions”.

“Without an up-to-date and comprehensive BIA there is a risk that agencies will not be able to restore critical business functions within an acceptable timeframe,” the audit said.

“Agencies may also not know what to do in the event of a disruption if key systems and dependencies and interdependencies have not been identified, further elevating the risk.”

IT control deficiencies climb

The audit also highlights that the number of IT control deficiencies increased by 11 percent between 2019 and 2020.

A “significant number” of the IT control deficiencies are related to unresolved IT control difficulties from last year.

“In 2019-20 repeat findings increased by 13 percent, from 69 in 2018-19 to 78 in 2019-20,” the audit said.

“Also, new IT control deficiencies have increased slightly from 83 in 2018–19 to 92 in 2019–20.”

The NSW audit office is now planning to conduct a performance audit on business continuity and disaster recovery planning, with a particularly focus on the pandemic.

It is also currently conducting a review of agency compliance with the NSW cyber security policy after it found low levels of maturity under the Essential Eight model across government.