An unnamed council in Western Australia is operating its entire IT system off of one server.
The council has a disaster plan in place for a "48-hour server replacement," though it does not specify this nor the hardware needed with its third-party vendor, reports iTNews.
The discovery that the council was running on a single server was made during an auditing process of six councils in the Australian state. Of those six, none were found to be appropriately prepared for IT disasters or to fully recover key systems.
The single-server council was described in Case Study 1. The report notes: "If a disaster damages this server, the entity’s DRP requires the IT vendor to provide a replacement within 48 hours. However, the agreement with the vendor did not include the 48-hour timeframe nor outline hardware specifications for the replacement.
"If the hardware requirements are not clearly stated, the vendor may not be able to deliver appropriate equipment in the required timeframe. This may prolong the entity’s reliance on manual processes and increase the time needed to enter the backlog of information after restoration."
The audit found that the councils did not properly document their recovery plans, did not know if their plans would work, and had inadequate service agreements with IT vendors.
All councils were reliant on IT vendors to help with disaster recovery planning and testing. One council had only a verbal arrangement with its IT vendor and only began developing a written agreement following the audit.
Auditor General Caroline Spencer noted in her overview of the reliance of the public sector on IT systems about the importance of having a clear and effective plan in the case of disasters.
"My Office’s previous information systems audits have consistently found issues with local government disaster recovery planning. This audit was an opportunity to delve a little deeper into entities’ preparedness," said Spencer.
"Encouragingly, all the entities we audited were aware of the importance of disaster recovery planning to recover their IT systems and most had developed plans. However, none were fully prepared."
Spencer went on to acknowledge that the "timely recovery of IT systems after a disaster can reduce financial and reputational losses, and minimize delays in delivering services to the public."