The state’s Department of Technology, Management, and Budget began its own review before auditors released their findings and has already made improvements to data colocation and cloud security.
Michigan’s plans to maintain government operations supported by IT systems in the event of a major disaster are ineffective, according to state auditors.
The Michigan Auditor General found the Department of Technology, Management, and Budget’s disaster recovery and business continuity plans lacking in eight areas—four major, four minor—in a newly released report.
Among the most glaring shortcomings: the department failed to fully plan for restoration of the Red Card, its list of the state’s most critical systems and infrastructure services, within a 24-hour window in a disaster scenario. And the Red Card itself might be incomplete and inaccurate, according to the report, meaning recovery resources could be misallocated.
Auditors also found that DTMB had not always coordinated with other state agencies on plan preparation or established a review process.
“DTMB agrees with the findings and has already begun efforts to strengthen our plans and processes,” spokesman Caleb Buhs wrote Route Fifty in an email. “DTMB and state agencies do have plans in place to recover key IT systems and maintain business continuity if disaster were to strike. The department began a comprehensive review of the response and recovery plans before the audit started which has led to a number of significant improvements already.”
Recent improvements include the colocation of a data center 50 miles from the current one, which can reduce risks posed by regional disasters. DTMB is also moving more information to the cloud, Buhs said, so data and servers can be backed up and hosted in multiple places.
In January, DTMB plans to begin using a new critical ranking metric the agency hopes will alleviate concerns about whether it can quickly restore a comprehensive Red Card after anything from a power failure to a fire, natural disaster or terrorist attack.
The Great Lake State’s increased emphasis on security is in keeping with the National Association of State Chief Information Officers’ November survey of the top 10 CIO priorities for 2017, of which security, consolidation and cloud services capped the list.
“The survey results show a strong alignment between strategic plans and technology investment,” Mark Raymond, NASCIO president and Connecticut CIO, said in a November statement. “Data management, cloud solutions and certainly security are demanding our attention.”
Auditors’ minor findings included that not all servers were in place for Red Card systems, possibly delaying recovery at hosting centers, and DTMB hadn’t maintained appropriate access to disaster recovery plans in the Living Disaster Planning Recovery System.
Finding No. 7 was that the department wasn’t fully utilizing central repository and backup storage locations for its plans so they’re ready for a disaster, and No. 8 that there wasn’t effective version control to ensure the correct plans are used when needed.
Because the audit was just released, Gov. Rick Snyder, a former executive of computer company Gateway, has yet to review its findings, Anna Heaton, a spokeswoman for the governor, said in an email.
DTMB intends to work more closely with other state agencies moving forward to develop and test its disaster recovery and business continuity plans, and training on their creation is mandatory and monitored, Buhs said.
“With emergency planning, there is always a need for continued strengthening and evolving as technology continues to advance,” he wrote. “The gaps identified by our partners at the Auditor General’s office will help us focus our efforts moving forward.”
The full report can be read here.
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington D.C.