Executives from the NSW Department of Finance and Services have copped a grilling from the parliament's public accounts committee on what they plan to do about the alarming shortage of disaster recovery provisions across the government.
The auditor-general reported an increase in the number of NSW agencies with no documented IT disaster recovery plan in place in the 2012 financial year, up from 14 in 2011 to 17 agencies.
Committee chair Jonathan O'Dea described the level of preparation as "substandard".
"I would say that the performance to date is not promising," he said.
However, executive director of strategic policy at DFS, William Murphy, pointed out to the committee that in the months since the auditor-general's last survey his department had issued a new information security approach that he believed would lift compliance.
The Digital Information Security Policy was released in November 2012.
"One of the auditor-general's concerns about the previous policy was that the bar was set very high," he said. "A test was put in place that required all agencies meet a very high standard of performance and that was seen as a barrier to the implementation of the policy."
"The new policy takes a risk-based approach which still draws upon a minimum set of controls that all agencies need to demonstrate and have in place. But only those agencies that have a slightly higher risk profile will need to also apply the relevant other parts of that standard."
To illustrate his logic he explained that the DFS website that lists the government's policies on project management could probably afford to be out for several hours, whereas the dispatch system for the Ambulance Service could not afford any period of inactivity.
He added that a higher level of accountability and visibility should work as an incentive for compliance, as agency heads were now required to attest to the adequacy of their disaster recovery provisions as part of annual reporting to parliament under the new scheme.
Comparable data on the rate of agencies with adequate plans was not available at the time of the hearing, he conceded, but added that progress reports suggested compliance "was going quite well".