All of the UK’s major city councils have disaster recovery (DR) plans in place, but as of November 2015 almost 40 per cent of those will not have tested their plans within the past 12 months.
A Freedom of Information (FOI) request was issued on behalf of disaster recovery specialist Databarracks to the UK’s major cities, including Birmingham, Liverpool, Manchester, Leeds, Newcastle, Sheffield and Bristol, to determine their plans in the event of an IT disaster. The results showed that all responding councils had DR plans in place to restore essential functionality, including revenue, benefits and welfare services. While these findings are encouraging, it was also revealed that, as we approach the end of the year, almost 40 (38) per cent of those surveyed have not regularly tested their plans, despite the plans’ absolute necessity in the event of a disaster.
The figure seems especially high when compared to large organisations in the private sector. In Databarracks’ 2015 Data Health Check, they found that only 21 per cent of large private organisations have failed to test their DR plans in the last 12 months – significantly less than the public sector.
Peter Groucutt, managing director of Databarracks, explained the findings: “City councils’ attitudes towards DR are excellent. Many councils are prioritising council tax and other business-critical functions in a DR scenario, which serves to protect critical sources of income for the public sector.
“All of the councils that responded to our FOI showed excellent best practice when it came to prioritising the most critical IT systems in a disaster and they all had structured plans in place that outlined their priorities for recovery. This is particularly difficult for the public sector, as not only do they need to protect revenue-generating systems such as council tax, but they also need to protect their care systems such as Children’s Services, for example. To see councils putting so much consideration into disaster recovery planning is very encouraging. There were one or two questionable answers though, with “car parking” being listed as a top priority by one council.
“However, just having a DR plan in place is not enough – plans need to be regularly maintained, updated, revised and tested to guarantee their effectiveness. The results of our FOI request exposed that a significant proportion of city councils had not tested plans for over a year, meaning that they cannot be confident in their effectiveness in the event of a genuine crisis. With services to constituents, such as childcare or benefits, as well as management of income being affected by IT disasters, city councils have a duty to ensure that their DR plan is up to date, tested and verified.
“The best advice we can give is to update your DR plan every time something in your organisation changes. Your plan should give a true and current picture of your entire organisation, and your DR test is what helps find the gaps. If you don’t test your DR plan, these things won’t get picked up until your time of crisis – at which point the damage they could cause is huge.”
The findings also revealed large variances between councils when it came to Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). In some cases the RTO for a council could be as long as four days, with others able to recover within a few hours. Groucutt commented:
“Earlier in the year we conducted a similar survey across the London Borough councils and it revealed that RTOs could vary from 24 hours to two weeks. This time we looked at how long it would take to retrieve council tax data and the figures showed that this could be as little as two hours for some councils and as long as four days for others.”
Groucutt concluded: “It is encouraging to see that all city councils have thorough DR plans in place, but that’s only half the job. To guarantee effectiveness, regular DR testing must be performed and plans must be constantly updated.”
About Databarracks:
Databarracks provides ultra-secure, award-winning Disaster Recovery, Backup and Infrastructure services from UK-based, ex-military data centres.
Databarracks is certified by the Cloud Industry Forum, ISO 27001 certified for Information Security and has been named as a “Niche Player” in Gartner’s 2015 Magic Quadrant for DRaaS.