London’s Borough Councils questioned on their backup and DR policies for electoral data
Although all London councils have disaster recovery procedures in place, nearly half of them (40%) have not tested them in the last 12 months, according to an FOI request from disaster recovery specialists Databarracks.
The FOI requests were sent to all London Boroughs, the majority of which obliged with details on their business continuity practices, specifically in relation to electoral data. Managing Director of Databarracks, Peter Groucutt, says that 40% is an alarmingly high number to have forgone testing, especially considering the election later this week:
“It’s worrying that with the general election just days away, many local councils have not tested that their procedures actually work in the event of a disaster. As expected, all councils to respond to our request had thorough backup and DR plans in place – which is excellent – but without testing, they could be proved useless at their time of need.
“We always recommend performing a DR test at least once a year. At any time in the year councils are under scrutiny to keep sensitive data secure and systems running smoothly. So the run-up to a general election, when the electoral roll is most important, it is vital to ensure your procedures are water-tight.”
Another concerning finding from the FOI requests is the current RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives) of many of the boroughs:
“Most of the councils that did respond to us told us that their Recovery Time Objective for electoral data was 24 hours, with some even as long as 7 days or in one case up to 2 weeks. It was also interesting to see that different councils have very different classifications for how critical the electoral register is. For some it is a ‘Priority 1’ system and requires the fastest recovery possible but for others there is no prioritisation, and for some the register is not included on their continuity list or would only be recovered on a ‘best-effort basis’.
“We put a lot of faith in IT infrastructure to just work. Imagine if a council thought its RPO was 30 minutes but when it came down to it, it was actually 48 hours? If they haven’t tested their DR capabilities, they really have no idea of how they’d cope should disaster strike at the very time that would cause most damage.”
It may be too late to test before the election, but Databarracks’ advice to councils would be to remember how important testing is to the overall effectiveness of your DR strategy, Groucutt concludes:
“With just a couple of days before the election, realistically there isn’t time to test systems now. For government bodies dealing with such vast amounts of sensitive data, it really is paramount to ensure they’re ready in future. All of the boroughs we spoke to have good backup and disaster recovery policies in place, but now it’s time to put them to the test and make sure they really work.”
Details:
FOI requests sent to 32 councils. 3 did not respond. 2 refused to answer on the basis that it is outside the FOI requirements and owned by the Electoral Register Officer.
About Databarracks:
Databarracks provides secure Disaster Recovery as a Service, Backup as a Service and Infrastructure as a Service from UK-based, ex-military data centres. Databarracks is certified by the Cloud Industry Forum, ISO 27001 certified for Information Security and has been selected as a provider to the G-Cloud framework.For more information, please visit here www.databarracks.com
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.