Agendas, Meetings and Minutes - Agenda item

Disaster Recovery Procedures (Agenda item 9)

Report to follow.

Minutes:

The Committee considered the draft Disaster Recovery Internal Audit Report.

As part of the 2014/15 Internal Audit Plan, an audit of IT Disaster Recovery (ITDR) was carried out. The objective of this review was to evaluate the effectiveness of the processes and controls surrounding ITDR Management. The overall opinion of this review was limited assurance.

In the ensuing debate, the following principal points were raised:

· Scott Hughes, representing PricewaterhouseCoopers, the authors of the audit report, commented that, as part of the audit work, it was necessary to look at incidents that were less likely to occur but could have a high impact on service provision, i.e. a large-scale outage. A limited assurance was provided for this element

· Scott Hughes stated that the option to outsource the IT contract presented a timely opportunity to rectify some of the issues highlighted in the audit report

· Did the external auditor accept the management response as a reasonable response? Scott Hughes commented that the Council had to weigh up the cost of each of the options set out in the report against their benefit to the Council. It was worth examining outsourcing as an option before investing heavily in any potential solutions. The Chief Financial Officer added that a report would be brought to a future meeting of Cabinet on the preferred bidder

· Scott Hughes explained that a formally documented and communicated ITDR command and control structure was in place to manage IT outages as set out in the main ITDR Plan

· Scott Hughes stated that a limited assurance assessment had been given for the end-to-end recovery processes because the Council did not have the capacity to respond to a major incident. The Chief Financial Officer added that the Head of Systems and Customer Access was examining the storage options for the server and it was possible that an off-site location would be sought as part of the outsourcing options. Scott Hughes added that it was considered plausible that a major fire could occur in the room where the server was kept, and the lack of fire suppression facilities in that room was an issue for the Council to address

· Should a fire occur, could the lack of a fire suppression system in the room where the server was kept result in several weeks of non-activity for the Council? The Chief Financial Officer advised that there was a back-up facility for SAP; however, there would be a problem for the other systems. Scott Hughes added that this was a particular problem for Framework i, where both the server and the back-up server were kept in the same building and therefore there were limited recovery capabilities. The Chief Financial Officer explained that the Head of Systems and Customer Access was aware of the situation and was looking at mitigating the risk

· It appeared to be a high-risk strategy to maintain a server and back-up server in the same room. The obvious solution would be to move the back-up server elsewhere. Would it be practical to move the back-up Framework i server to the Wildwood campus? The Chief Financial Officer commented that this option had been considered but it was felt that the costs of such an arrangement were prohibitive

· There appeared to be a 12 month delay before the implementation of the proposed changes. Would the Council maintain responsibility during this period or would there be an immediate handover of responsibility to the contractor? The Chief Financial Officer commented that the preferred bidder was about to be appointed; therefore it was too early in the process to say

· It would appear that the risk of a catastrophic fire at County Hall was accepted in the short term on the basis that a new contractor would be appointed through the commissioning process. After the appointment of a new contractor, how long would it take for the issues set out in the audit report to be addressed? The Chief Financial Officer explained that he was confident that any issues associated with the SAP system would be quick to implement but it depended on how the other systems interacted with each other. This was a matter that the Head of Systems and Customer Access would be able to address at the next Committee meeting

· In response to a query, the Chief Financial Officer stated that there was a range of proposed actions in the Audit Report and, although a number of them had yet to be implemented, the Head of Systems and Customer Access had provided assurance that they would be completed in time. Scott Hughes added that the Council had to weigh up the cost/risk implications of undertaking mitigating actions against the length of time required to implement the new contracts

· The Committee requested that the Head of Systems and Customer Access write to members of the Committee outlining: whether all options had been considered to address the risks associated with the Framework i system; what mitigation measures had been undertaken to address the risks in the short term; and the costs associated with addressing these risks

· The Committee requested that a further report on ITDR be brought to its next meeting on 12 December 2014.

RESOLVED that:

a) The content of the Draft Disaster Recovery Internal Audit report be noted;

b) The Head of Systems and Customer Access be requested to write to members of the Committee outlining: whether all options had been considered to address the risks associated with the Framework i system; what mitigation measures had been undertaken to address the risks in the short term; and the costs associated with addressing these risks; and

c) An update report on IT Disaster Recovery be brought to the Committee meeting on 12 December 2014.
