An unnamed Western Australian council has been running its entire IT system from a single physical server, with no vendor agreement on how it could be replaced in a disaster.
Although the council’s own disaster plan called for a 48-hour server replacement, it failed to specify this or the hardware’s specification with its third-party vendor, on which it would be reliant for disaster recovery.
The council was one of six audited.
None were found to be positioned to manage IT disasters and fully recover key systems.
According to the auditor general’s report, the councils “acknowledged the importance of disaster recovery planning” and most had developed plans.
However, only one of these was deemed adequate, and none of the plans had been tested.
One entity had not documented how it planned to recover its IT systems at all.
“As part of day-to-day operations, all had restored individual data files from their backups,” the audit report said.
“However, they had not tested if full IT systems recovery was possible or if recovered data was consistent across applications.”
The audit found all councils were reliant on IT vendors to help with DR planning and testing but had failed to create detailed service agreements with them.
One council had only a verbal arrangement with its IT vendor and only began developing a written agreement following the audit.
Others had written agreements that lacked key details such as a clear description of the service required and provided; descriptions of the hardware involved; timeframes for recovery; testing and processes for monitoring, tracking and evaluating vendor performance.
WA’s auditor general Caroline Spencer said “encouragingly” all the audited councils “were aware of the importance of disaster recovery planning to recover their IT systems and most had developed plans”.
“However, none were fully prepared,” she said.
“Timely recovery of IT systems after a disaster can reduce financial and reputational losses and minimise delays in delivering services to the public.”
