September 17, 2020
Download this report as a PDF »
Washington state agencies’ ability to provide essential services relies heavily on a variety of data and information technology (IT) systems. Any number of things can happen to interrupt the availability of those systems. Examples range from relatively mundane equipment failures to unforeseen natural disasters and malicious security attacks.
Effective preparation can minimize the risk of disruption to critical state services. It can prevent lost revenue and records, and help ensure the agency remains able to conduct business. When such events do happen, it is important for agencies to have reliable backups of their systems and their data, as well as a solid plan to recover their most important systems quickly.
State agencies must perform certain tasks to ensure their IT systems remain safe and operational. This audit evaluated whether four state agencies had proper backup strategies and disaster recovery procedures in place, including testing the plan, for selected systems. We compared our observations to state requirements and leading practices.
Read a two-page summary of the report.
View our #BeCyberSmart resources around data backup and disaster recovery.
Report Number 1026917
State Auditor’s Office contacts
State Auditor Pat McCarthy
Scott Frank – Director of Performance and IT Audit
Christopher Cortines, CPA – Assistant Director for Performance Audit
Shauna Good – Principal Performance Auditor
Diana Evans, CPA – Lead IT Auditor
Kathleen Cooper – Director of Communications
We found none of the four audited agencies fully and consistently met all state requirements in the areas the audit examined:
- Data backup
- Disaster recovery
Furthermore, we found three of the four agencies had not performed sufficient testing to ensure they could restore their systems and data to full operations.
The audit identified key areas for improvement to help agencies better prepare for potential future incidents. Closely following state security requirements and other sources of leading practices can help them improve. However, we also found these agencies lacked some of the resources and guidance they needed.
Note that confidentiality is key to preventing cyberattacks on state IT systems by those seeking to do harm. For this reason, the report does not name audited agencies. In addition, state law protects detailed information about the cybersecurity protocols of state agencies. Our report provides general examples of issues, consequences and remedies drawn from our research.
This audit looked at data and system backup and disaster recovery. A backup is simply a copy of your data or system. A disaster recovery plan sets out, in policies and procedures, how you will recover data and restore full system operations to ensure business continuity.
Earlier audits performed by our Office found agencies usually had data backup procedures. However, they did not consistently perform tests to verify they could restore critical data. Furthermore, even fewer had a current and tested disaster recovery plan.
This audit evaluated whether four state agencies had proper backup strategies and disaster recovery procedures in place, including testing the plan, for selected systems. We compared our observations to state requirements and leading practices.
The standards and policies published by the state’s Office of the Chief Information Officer describe at an overview level the actions agencies must undertake to ensure their data and systems are backed up and recoverable. However, each agency must tailor its policies and procedures to its own needs. To do this effectively, they should make use of tools such as:
- Business impact analyses – To evaluate the effects of disruptions to services
- IT risk assessments – To analyze potential threats and the likelihood they will happen
Essential elements in plans
Effective data backup and disaster recovery procedures should take multiple elements into account.
A data backup strategy describes which systems or data files should be backed up, how frequently the backup is to be performed, where the backup should be stored and how long to retain the backups.
A disaster recovery plan contains the information necessary to recover IT systems and data within an acceptable time frame. For example, disaster recovery plans should include roles and responsibilities, contact information for relevant staff, and detailed recovery procedures.
The Office of the Chief Information Officer directs state agencies to develop IT risk assessments. Leading practices advise recommendations to conductNone of the auditees adequately used these two tools to identify and explain risks to agency managers.
The results help executive managers decide how to invest in technology and staff. The resulting investments help agencies produce effective backup strategies and disaster recovery plans. However, we found executive managers at some agencies were not always aware of all risks and consequences. This meant they did not always allocate adequate resources to address the risks.
Better guidance could help
Finally, we found audited agencies lacked the resources and guidance they needed to establish comprehensive backup and disaster recovery procedures. Better statewide guidance and tools from the Office of the Chief Information Officer could help agencies put more effective backup strategies and disaster recovery plans in place.
We gave detailed recommendations to the four agencies that addressed three issues:
- Using IT risk assessments and business impact analyses to identify gaps in current backup and disaster recovery practices and procedures
- Ensuring management is aware of issues affecting data backup and disaster recovery efforts, so they can adequately address them
- Implementing backup and disaster recovery procedures and processes that align with state requirements and leading practices
We further recommended the Office of the Chief Information Officer provide clear and up-to-date guidance. This guidance should offer agencies comprehensive, effective procedures to manage backup and disaster recovery efforts.
We compiled the state’s requirements and leading practices in the appendices of the report. These are important resources, and we encourage all state agencies to take advantage of them as they develop their own data backup strategies and recovery plans.
Guidance for all
The report recommends all Washington state agencies consider the general recommendations included in this report as they implement backup and disaster recovery programs. Furthermore, this audit may also offer useful guidance to local governments. This #BeCyberSmart resource on data backup and disaster recovery, in our Office’s #BeCyberSmart library, applies to local governments in particular.