27.10.15
City councils failing to test critical disaster recovery plans regularly
Although all major city councils in the UK have disaster recovery (DR) plans in place, almost 40% have not tested their plans in the past 12 months.
A Freedom of Information request issued on behalf of disaster recovery specialist Databarracks to major cities including Birmingham, Liverpool, Manchester, Leeds, Newcastle, Sheffield and Bristol found that they all who responded had DR plans, but 38% of those surveyed had not regularly tested theirs.
The company’s managing director, Peter Groucott, said just having a DR plan in place is not enough; they need to be regularly maintained, updated, revised and tested to guarantee their effectiveness. “The results of our FoI request exposed that a significant proportion of city councils had not tested plans for over a year, meaning that they cannot be confident in their effectiveness in the event of a genuine crisis.
“With services to constituents, such as childcare or benefits, as well as management of income being affected by IT disasters, city councils have a duty to ensure that their DR plan is up to date, tested and verified,” he added.
He advised councils to update their DR plan every time something in the organisation changes so the plan reflects an accurate picture of the authority, while testing it helps locate any gaps.
“If you don’t test our DR plan, these things won’t get picked up until your time of crisis – at which point the damage they could cause is huge,” Groucott continued.
The findings also shed a light on large variances between councils in regards to recovery time objectives (RTOs) and recovery point objectives (RPOs).
Analysts looked at how long it would take to retrieve council tax data and found that, while some councils could recover within a few hours, others saw an RTO for as long as four days.
Earlier in the year, Databarracks conducted a similar survey across London borough councils which found that RTOs varied from 24 hours to two weeks.
Groucutt concluded that it was encouraging that all councils have a plan in place and show “excellent best practice” when it comes to prioritising critical IT systems in a disaster – something “particularly difficult” for the public sector, which must protect revenue-generating systems like council tax just as much as it needs to protect care systems such as children’s services.
But he argued that that’s only half the job: “To guarantee effectiveness, regular DR testing must be performed and plans must be constantly updated.”