Western Australia council discovered operating entire IT infrastructure on a single server

A Western Australian council, which remains unnamed, has been managing its complete IT network from a sole physical server, devoid of any contractual agreement with a vendor regarding its potential replacement in a calamity.

Despite the council’s disaster strategy indicating a 48-hour server substitution requirement, it omitted to define this or the specifications of the hardware with its external vendor, which it would heavily rely on for disaster recuperation.

The council was among six audited entities.

None of them were deemed capable of handling IT crises and fully restoring essential systems.

As stated in the report from the auditor general, the councils “recognized the significance of disaster recovery planning” and most had formulated plans.

However, only one of these was considered satisfactory, and none of the strategies had undergone testing.

One organization had not documented any process for restoring its IT systems at all.

“As a part of their daily operations, all had successfully restored individual data files from their backups,” the audit report highlighted.

“Nevertheless, they did not verify if a complete IT system restoration was feasible or if the restored data was coherent across applications.”

It was discovered in the audit that all councils depended on IT vendors for assistance with DR planning and testing but had neglected to establish detailed service contracts with them.

One council had merely an oral agreement with its IT vendor and only initiated a written contract creation post-audit.

Other councils had written agreements that lacked critical specifics such as a distinct service description, hardware details, recovery timeframes, testing procedures, and mechanisms for monitoring, tracking, and appraising vendor performance.

Caroline Spencer, WA’s auditor general, mentioned that “thankfully” all scrutinized councils “recognized the value of disaster recovery planning to restore their IT systems and most had laid out plans”.

“However, none were completely ready,” she added.

“Swift restoration of IT systems post-disaster is vital in reducing financial and reputational setbacks and in diminishing service delivery delays to the public.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts