NSW agencies risk catastrophe with no disaster recovery plans

The NSW audit office has discovered that at least four agencies running “financially significant” systems still have no strategy to cope if their infrastructure is suddenly taken out.

The office has been on a crusade in recent years to shame state government agencies into preparing IT disaster recovery plans.

It this week reviewed 30 agencies and found four with no DR plan, three with untested plans and one without a plan for one of its four financially significant systems.

The state's Treasury demands all agencies have a DR plan and that it be tested comprehensively at least once every two years.

But the audit office would prefer agencies test every 12 months, and has asked Treasury to review its stance in keeping with international best practice.

More than half of the 30 agencies reviewed were only partially testing their disaster recovery plans if at all, the audit report said.

Two agencies failed to physically separate their production and disaster recovery data centres, it found.

The audit office has been hounding NSW government agencies about their IT back-up plans for four years now, and said over this period 20 percent of reviewed entities had come up empty handed when asked about their DR provisions.

Despite this drive, in 2012 the total number of agencies with no DR plan rose, from a total of 14 across government to 17.

It is not a problem exclusive to NSW’s public sector, however.

In 2013 Victoria’s auditor-general found the state’s central IT services provider, CenITex, had no adequate strategy to get systems up and running if a serious incident was to hit its IT infrastructure.