Seventy-nine per cent of the IT systems relied on by Victoria Police to support critical business functions are “obsolete,” an investigation by the Victorian Auditor-General’s Office has concluded.
“Victoria Police has not effectively managed the risk of system obsolescence, as shown by the high percentage of its critical systems that are obsolete,” a VAGO audit of disaster recovery (DR) preparedness states.
Overall the audit concluded that Victoria Police’s “disaster recovery processes are not robust enough to effectively and efficiently recover all critical systems after a disruption”.
“The agency currently only has capability to recover selected critical systems,” the VAGO report states. “Victoria Police needs to do additional work to further develop its disaster recovery processes and capabilities to minimise any loss of critical services in the event of a disruption.”
Victoria Police accepted the findings of the audit, but in its response to VAGO said that it had already commenced a “significant program of work” to enhance its DR capability.
The force embarked on a plan to boost its DR capability based on an internal October 2016 audit and expects to complete the work by 31 December.
VAGO also assessed DR preparedness at the Department of Economic Development, Jobs, Transport and Resources; the Department of Environment, Land, Water and Planning; the Department of Health and Human Services; and the Department of Justice and Regulation.
The auditor-general concluded that none of the agencies had “sufficient assurance that they can recover and restore all of their critical systems to meet business requirements in the event of a disruption.”
“They do not have sufficient and necessary processes to identify, plan and recover their systems following a disruption,” the report states
“Compounding this is the relatively high number of obsolete ICT systems all agencies are still using to deliver some of their critical business functions. This both increases the likelihood of disruptions though hardware and software failure or external attack, and makes recovery more difficult and costly.”
Across the agencies, some 49 per cent of systems supporting critical business functions are obsolete, the report said.
An investigation released yesterday by South Australia’s Auditor-General’s Department found that most SA government agencies “have implemented some disaster recovery controls”, but many of the 19 agencies scrutinised “had not implemented sufficient processes and controls to mitigate their key disaster recovery risks.”