Almost one in five of NSW’s 76 largest agencies have no formal plans for recovering their key financial systems in the event of a catastrophe, a State Government audit has revealed.
NSW Auditor-General Peter Achterstraat assessed agencies’ information security, data centre and network operations, change management and disaster recovery planning for his report to State Parliament this week (pdf).
Compared to a similar report published last year, Achterstraat said agencies’ data centre security and network operations had improved.
But issues remained, he said, noting that agencies had addressed only 38 percent of recommendations made in his 2011 report.
Achterstraat was particularly concerned that agencies’ disaster recovery plans were outdated, ineffective and untested.
Although all agencies said they stored off-site backup copies of “significant” applications and data, only 82 percent had formal disaster recovery plans.
Only 55 percent of agencies had tested their disaster recovery plans in the past year, while five percent admitted to not having “any type of arrangement to recover its financial systems in the event of an emergency”.
Meanwhile, agencies that had outsourced their disaster recovery activities under shared service arrangements had failed to establish accountability processes and monitoring, Achterstraat reported.
The Auditor-General said agencies’ disaster recovery activities were under-resourced due to a lack of senior management buy-in and involvement.
“I am concerned about the State’s readiness to recover its financial systems,” he stated. “Disaster recovery plans must be well constructed and regularly tested.”
Information security issues – particularly around user administration, privileged access and passwords – underpinned 61 percent of the Auditor-General’s ongoing IT concerns.
Achterstraat noted that unauthorised users had been granted “potent administrative access” to agencies’ financial systems, and external service providers had “unrestricted access” to privileged user accounts.
He warned that some agencies had “not sufficiently understood” their electronic information security risks, and renewed calls for mandatory, whole-of-government security standards to protect the state’s $2 billion a year investment in IT.