Comhairle nan Eilean Siar Internal Audit Review DISASTER RECOVERY ARRANGEMENTS Information Technology. Final Report 2014/15-06




Final Report 2014/15-06, 3rd November 2014

CONTENTS

SECTION 1 - EXECUTIVE SUMMARY
SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS
SECTION 3 - ACTION PLAN
APPENDIX A - RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT
APPENDIX B - ISOLATED EXCEPTIONS TO EXPECTED PROCEDURES

Date of Visit: August/September 2014
Draft Report Issued: 22nd September 2014
Management Response Received: 3rd November 2014
Final Report Issued: 3rd November 2014

Issued to:
Director of Finance & Corporate Resources (Robert Emmott)
Chief Executive (Malcolm Burr)
External Audit (Karen Jones)
Head of IT and Customer Services (Angus MacArthur)

SECTION 1: EXECUTIVE SUMMARY

Introduction

1.1 This report has been prepared following an internal audit review of Disaster Recovery Arrangements, carried out as part of the operational annual internal audit plan for 2014/15. The purpose of this report is to provide an overview of the Comhairle's arrangements for the operation and management of Disaster Recovery in terms of the objectives noted below.

Background information

1.2 The IT Unit operates from the Comhairle building at Sandwick Road but provides services, via its network, to offices and schools in all parts of the Western Isles. All its core systems are housed in the machine room in the Sandwick Road building. Its main purpose is to provide the IT infrastructure over which all the Comhairle's IT systems run. This ranges from standard desktop PCs, laptops and mobile devices (including iPads) to all telephony services, central servers, network switches, wireless units and all cabling. The Comhairle has over 1,000 registered users, supports almost 100 servers and has a broadband network which stretches from the north of Lewis to Barra.

1.3 In order to provide the kind of support required for this scale of operation, the IT Unit is staffed by a 9-person Technical Support team and a 6-person Business Support team. As with most organisations of this size, the Comhairle is highly dependent on its IT infrastructure and systems in the delivery of its core day-to-day services and support functions. It is therefore important that the Comhairle has suitable disaster recovery arrangements in place as part of a wider business continuity planning process.

Internal audit objective

1.4 In accordance with the remit outlined within the operational annual internal audit plan for 2014/15, and further documented within the agreed terms of reference, our internal audit work was designed to obtain assurance that the Comhairle's arrangements for Disaster Recovery and associated processes were appropriate and operating as expected.
In practice, we assessed whether the overall objective was being achieved by confirming that:

- The organisation demonstrates VFM (value for money) in all the services provided/supported and evidences that alternatives have been adequately considered, where available and appropriate;
- There is a corporate business continuity management policy and supporting procedures in place which identify the organisation's mission-critical activities and prioritised recovery;
- The organisation has produced a business impact analysis and risk assessment and these have been agreed corporately;

- The IT section has identified hazards and threats in relation to IT architecture, networks, suppliers, documentation, hardware, software, storage, back-ups, staffing, buildings, facilities, security, systems monitoring, power, data communications, archiving and environmental factors such as air conditioning in data rooms;
- There has been appropriate testing of disaster recovery arrangements, together with a review of learning points which have been filtered into updated procedures and processes, where appropriate;
- There is supporting documentation held within the organisation, the IT Unit and in off-site locations which provides clear instruction for staff, including responsibilities, authorisations and relocation;
- Third party arrangements are supported by a contract and have appropriate security, authorisations and recognised practices in accordance with international standards of IT management; and
- There are suitable budgetary provisions in place to facilitate appropriate business continuity and disaster recovery arrangements within the Comhairle.

1.5 Areas of good practice

- A secure alternate location for backups and recovery;
- A reciprocal agreement is in place for the Comhairle's virtualised servers to be housed within a secure location at NHS Western Isles (NHS-WI) premises; and
- A modern virtualised infrastructure with a fast, dedicated communication link between Comhairle HQ and the disaster recovery site is in place.

1.6 Concluding remarks

Our detailed findings are included in the body of this report. The most significant issues arising from our review which require management attention are:

- Whilst there is the basis for the development of adequate IT disaster recovery provision, particularly now that the off-site storage arrangements are in place, further work is required on a number of key issues, for example the prioritisation of a corporate approach to system recovery, before the Comhairle is in a position to have a robust IT disaster recovery arrangement in place. (Paragraphs 2.1, 2.2 and 2.6)
- The Comhairle's IT Disaster Recovery Plan requires to be completed in full, together with advising staff of their responsibilities/duties in relation to the plan, and with suitable annual training/testing of the plan to be taken forward once all key issues have been dealt with in terms of systems infrastructure and reconfiguration. (Paragraphs 2.5 and 2.8)

We are advised by the Head of IT and Customer Services that PSN (Public Services Network) compliance took priority over much of the Unit's work programme and that, as a result, limited progress was made in completing the residual parts of the DR plan.

1.7 We have graded our detailed findings and recommendations, based on the likelihood of the identified weakness occurring and the impact on the Comhairle if it should occur, using the following criteria:

Grade 1 - Critical: High likelihood, High impact (HH). The weakness is almost bound to happen or is already happening (likelihood) and could have a significant impact on the Comhairle's services, reputation, control, financial position, or statutory, regulatory or constitutional compliance if not contained.

Grade 2 - Contingent/Insurable Risk: Low likelihood, High impact (LH). The weakness is unlikely to happen, but would have a significant impact on the Comhairle's services, reputation, control, financial position, or statutory, regulatory or constitutional compliance if it did occur.

Grade 3 - Housekeeping: High likelihood, Low impact (HL). The weakness is almost bound to happen or is already happening but is unlikely to have a material impact on the Comhairle's services, reputation, control, financial position, or statutory, regulatory or constitutional compliance, and can be contained.

Grade 4 - Value for Money: High likelihood, Value for money impact (HV). The weakness is almost bound to happen or is already happening but, if contained, would have a positive impact on economy, efficiency and effectiveness in the use of resources.

Where we have identified isolated exceptions in our sample testing, and we consider that they are unlikely to recur and would have no significant impact if they should occur, we have classified them as low likelihood and low impact (LL), discussed them with relevant officers and detailed them in Appendix B to this report.

1.8 Our recommendations can be summarised and prioritised as follows, with the overall grading (per paragraph 1.7) as recorded against each finding in Section 2:

Ref. | Recommendation | Overall grading
2.1 | The IT Unit Business Continuity Plan be completed, together with a system prioritisation plan, as a matter of priority. | Grade 1
2.2 | The Head of IT and Customer Services, in discussions with the Comhairle's Management Team and other relevant sections within the Comhairle, determine the key critical systems to be prioritised in the event of a disaster or business continuity event. | Grade 1
2.3 | The Head of IT and Customer Services takes forward the alternative link contained within the disaster recovery plan or considers another option to achieve the planned outcome. | Grade 2
2.4 | The Head of IT and Customer Services appends third party SLAs to the IT Unit Disaster Recovery Plan. | Grade 3
2.5 | The Head of IT and Customer Services communicates the timetable for recovery of systems to all key staff named in the IT Unit Disaster Recovery Plan in order that staff are aware of their duties. | Grade 2
2.6 | The Head of IT and Customer Services addresses the incomplete infrastructure, systems and supporting protocols which are required as part of the disaster recovery plan. | Grade 1
2.7 | The Head of IT and Customer Services, as part of developing the testing arrangements, involves third parties in order to determine any areas of concern or where improvement may be required. | Grade 2
2.8 | The Head of IT and Customer Services should inform staff, once a suitable disaster and business continuity plan for IT has been developed, of their responsibilities, authorisations and relocation arrangements in relation to disaster recovery. | Grade 2

1.9 We would like to thank all staff for the co-operation and goodwill we received during the course of our internal audit fieldwork.

For Comhairle nan Eilean Siar Internal Audit Section
Internal Audit, Comhairle nan Eilean Siar, Sandwick Road, Stornoway, Isle of Lewis HS1 2BW
3rd November 2014

SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS

2.1 Control objective 1: There is a corporate business continuity management policy and supporting procedures in place which identify the organisation's mission-critical activities and prioritised recovery.

Findings and implications: The Comhairle's Business Continuity Strategy and Policy require each Head of Service to ensure that a Business Continuity Plan exists that can deliver acceptable standards of service for each critical area. Each service must exercise its Business Continuity Plan at least once a year. We reviewed the IT Unit Business Continuity Plan and note that the plan is incomplete in a number of key areas, and therefore does not meet the requirements contained within the corporate policy or strategy.

The IT Unit Business Continuity Plan is incomplete and insufficient to meet the needs of the Comhairle as outlined in the corporate Business Continuity Management strategy and policy.

Risk ranking: Likelihood High, Impact High (HH)

Recommendation (Grade 1): The IT Unit Business Continuity Plan be completed, together with a system prioritisation plan, as a matter of priority.

Management comment: Core elements of the plan are already in place and resources have been diverted to other priority work over the last 9-12 months. The plan is scheduled for completion by March 2015.

2.2 Control objective 3: The organisation has produced a business impact analysis and risk assessment and these have been agreed corporately.

Findings and implications: We understand that departments have identified systems requiring to be restored in the event of a disaster or business continuity event, but this has not been developed strategically, with systems prioritised and identified as Mission Critical Activities (MCA).

This increases the risk that the Comhairle is unable to identify or implement a defined plan of systems recovery which is prioritised to meet the critical activities of the organisation.

Risk ranking: Likelihood High, Impact High (HH)

Recommendation (Grade 1): The Head of IT and Customer Services, in discussions with the Comhairle's Management Team and other relevant sections within the Comhairle, determine the key critical systems to be prioritised in the event of a disaster or business continuity event.

Management comment: This recommendation is consistent with the outcomes of the Corporate Business Continuity Management exercise and will be completed once all departments' Business Continuity Plans are in place.

2.3 Control objective 3: The organisation has produced a business impact analysis and risk assessment and these have been agreed corporately.

Findings and implications: There are systems and processes in place which could support the MCA key services, but these have yet to be considered in terms of the Comhairle's overall disaster response, together with progress of the IT Unit Disaster Recovery Plan. We note that the alternative Connected Communities link is currently not implemented.

This increases the risk that elements of the disaster recovery plan have not been fully implemented.

Risk ranking: Likelihood Low, Impact High (LH)

Recommendation (Grade 2): The Head of IT and Customer Services takes forward the alternative link contained within the disaster recovery plan or considers another option to achieve the planned outcome.

Management comment: The implementation of New Generation Broadband (NGB) in 2015 will provide increased resilience; until then a contingency plan will be developed.

2.4 Control objective 7: Third party arrangements are supported by a contract and have appropriate security, authorisations and recognised practices in accordance with international standards of IT management.

Findings and implications: We note that although there is provision within the IT Unit Disaster Recovery Plan for third party SLAs (for example, Resourcelink/Authority Financials), these should be appended to the plan for ease of access and to provide an instant record of key contacts and system details.

This increases the risk that staff are prevented from accessing detailed information as part of the plan, along with key contacts and systems data.

Risk ranking: Likelihood High, Impact Low (HL)

Recommendation (Grade 3): The Head of IT and Customer Services appends third party SLAs to the IT Unit Disaster Recovery Plan.

Management comment: Agreed.

2.5 Control objective 5: There has been appropriate testing of disaster recovery arrangements, together with a review of learning points which have been filtered into updated procedures and processes, where appropriate.

Findings and implications: We spoke with key staff within the IT section who are named within the plan and note that, whilst some were aware of the IT Unit Disaster Recovery Plan, most had not received any training in this area or were not aware of where to find the document.

The timetable outlined within the IT business continuity plan has not been communicated, and not all key staff named in such documents are aware of their duties.

Risk ranking: Likelihood Low, Impact High (LH)

Recommendation (Grade 2): The Head of IT and Customer Services communicates the timetable for recovery of systems to all key staff named in the IT Unit Disaster Recovery Plan in order that staff are aware of their duties.

Management comment: Training will be completed by March 2015.

2.6 Control objective 3: The organisation has produced a business impact analysis and risk assessment and these have been agreed corporately.

Findings and implications: Whilst there is an infrastructure in place for disaster recovery, there are a number of areas of development, testing and training to be undertaken before the Comhairle can be satisfied that it can respond in a comprehensive manner to a disaster event in terms of IT response. Such areas include:

- The reconfiguration of the Unix systems, in terms of replication at the NHS side;
- As each stage of the disaster recovery process develops, this will need to lead to the culmination of a full annual systems testing protocol.

There are elements of the disaster recovery systems and supporting protocols which are not developed to a sufficient stage to support the Comhairle in a disaster event.

Risk ranking: Likelihood High, Impact High (HH)

Recommendation (Grade 1): The Head of IT and Customer Services addresses the incomplete infrastructure, systems and supporting protocols which are required as part of the disaster recovery plan.

Management comment: Acknowledge that there is some further work required and this is scheduled to commence after the completion of PSN compliance.

2.7 Control objective 5: There has been appropriate testing of disaster recovery arrangements, together with a review of learning points which have been filtered into updated procedures and processes, where appropriate.

Findings and implications: Whilst we are advised by the Head of IT and Customer Services that contracts with suppliers outline generic arrangements for disaster recovery, we found that these arrangements have not been tested to a sufficient standard.

Third party arrangements have not been tested insofar as there has not been coordinated testing of disaster recovery with systems providers. As part of the disaster recovery protocols and testing, the use of third party providers must be included in order to assess the robustness of the Comhairle's disaster recovery arrangements.

Risk ranking: Likelihood Low, Impact High (LH)

Recommendation (Grade 2): The Head of IT and Customer Services, as part of developing the testing arrangements, involves third parties in order to determine any areas of concern or where improvement may be required.

Management comment: Contracts will be reviewed as they are renewed.

2.8 Control objective 6: There is supporting documentation held within the organisation, the IT Unit and in off-site locations which provides clear instruction for staff, including responsibilities, authorisations and relocation.

Findings and implications: We issued a questionnaire to relevant IT staff in relation to their knowledge and awareness of the disaster recovery protocol. In general, the responses indicated that there was some awareness, to varying degrees, of disaster recovery, but most staff had not received training or were not aware of their role in such an event.

Staff were not sufficiently aware of their responsibilities, authorisations and relocation arrangements in relation to disaster recovery. This increases the risk of a disjointed and unorganised response by the Comhairle to a serious event, which may further affect resilience to deal with core activities.

Risk ranking: Likelihood Low, Impact High (LH)

Recommendation (Grade 2): The Head of IT and Customer Services should inform staff, once a suitable disaster and business continuity plan for IT has been developed, of their responsibilities, authorisations and relocation arrangements in relation to disaster recovery.

Management comment: All IT staff will be briefed on Business Continuity Management arrangements on a regular basis.

SECTION 3 - ACTION PLAN

Ref. | Recommendation | Responsible officer | Date of implementation
2.1 | The IT Unit Business Continuity Plan be completed, together with a system prioritisation plan, as a matter of priority. | The Head of IT and Customer Services | March 2015
2.2 | The Head of IT and Customer Services, in discussions with the Comhairle's Management Team and other relevant sections within the Comhairle, determine the key critical systems to be prioritised in the event of a disaster or business continuity event. | The Head of IT and Customer Services | March 2015
2.3 | The Head of IT and Customer Services takes forward the alternative link contained within the disaster recovery plan or considers another option to achieve the planned outcome. | The Head of IT and Customer Services | December 2015
2.4 | The Head of IT and Customer Services appends third party SLAs to the IT Unit Disaster Recovery Plan. | The Head of IT and Customer Services | March 2015
2.5 | The Head of IT and Customer Services communicates the timetable for recovery of systems to all key staff named in the IT Unit Disaster Recovery Plan in order that staff are aware of their duties. | The Head of IT and Customer Services | March 2015
2.6 | The Head of IT and Customer Services addresses the incomplete infrastructure, systems and supporting protocols which are required as part of the disaster recovery plan. | The Head of IT and Customer Services | March 2015
2.7 | The Head of IT and Customer Services, as part of developing the testing arrangements, involves third parties in order to determine any areas of concern or where improvement may be required. | The Head of IT and Customer Services | Ongoing; review in December 2015
2.8 | The Head of IT and Customer Services should inform staff, once a suitable disaster and business continuity plan for IT has been developed, of their responsibilities, authorisations and relocation arrangements in relation to disaster recovery. | The Head of IT and Customer Services | December 2015

APPENDIX A: RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT

Responsibility in relation to internal controls

It is the responsibility of the Comhairle's management to maintain adequate and effective financial systems and to arrange for a system of internal controls. Our responsibility as internal auditors is to evaluate the financial systems and associated internal controls. In practice, we cannot examine every financial implication and accounting procedure within an activity, and we cannot substitute for management's responsibility to maintain adequate systems of internal controls over financial systems. We therefore may not identify all weaknesses that exist in this regard.

Responsibilities in relation to fraud and corruption

The prime responsibility for the prevention and detection of fraud and irregularities rests with management. They also have a duty to take reasonable steps to limit the opportunity for corrupt practices. It is our responsibility to review the adequacy of these arrangements, but our work does not remove the possibility that fraud, corruption or irregularity may have occurred and remained undetected. We nevertheless endeavour to plan our internal audit work so that we have a reasonable expectation of detecting material fraud, but our examination should not be relied upon to disclose all such material frauds that may exist.

APPENDIX B: ISOLATED EXCEPTIONS TO EXPECTED PROCEDURES AND CONTROLS

Item | Isolated exception | Responsible officer | Agreed (Y/N) | Date of discussion

(No entries recorded.)