Information Technology Disaster Recovery

City Hall under a storm.

Objective

To evaluate Technology Services’ information technology disaster recovery program and determine the extent to which critical systems can be restored in a timely manner.

Background

A disaster recovery program focuses on recovering information technology systems and data during an emergency. The program is meant to assure critical city operations continue to function during a disaster.

Technology Services is the lead agency for information technology in the City and County of Denver and provides all information technology-related infrastructure and services to city agencies. Technology Services also conducts the city’s information technology disaster recovery planning.

Why this matters

The importance of safeguarding information technology data in an emergency is critical. Contingency planning helps ensure systems and data are up and running as soon as possible for the continuity of an organization’s operations. Safeguarding data to ensure a swift and complete recovery is known as “disaster recovery planning.”

Findings

Technology Services Disaster Recovery Program Needs Improvement

  • Technology Services has an insufficient disaster recovery strategy and has not prioritized disaster recovery in its strategic planning and operations. This has resulted in inadequate governance, a disaster recovery program that lacks documentation and maintenance, and insufficient communication and training strategies.
  • Technology Services also has not given proper authority to its Disaster Recovery Committee, it has not updated its disaster recovery documentation for a new data center, and it has not ensured employees are aware of the disaster recovery program and can plan for their own roles and responsibilities during an emergency.
  • Technology Services has not provided adequate disaster recovery awareness and training for agency personnel, contractors or contingent workers, or disaster recovery team members.
  • Technology Services does not maintain disaster recovery documentation— including minimal annual tracking of changes to the information system contingency plan — and it lacks disaster recovery metrics from its system of record.

Recommendations

1.1 Represent Other Agencies on the Disaster Recovery Committee – As Technology Services’ Disaster Recovery Committee establishes itself, it should ensure it collaborates with other agency stakeholders who are content owners of systems that connect to the city’s network. This could include making them members of the committee, inviting them to committee meetings, or sending documented committee decisions and action plans to appropriate agencies.

Agency Response: Agree, Implementation Date – December 31, 2021

1.2 Develop Committee Charter  – Technology Services should develop a charter and bylaws for the Disaster Recovery Committee to define the roles and responsibilities of the committee and its members. The charter and bylaws could include:

• Powers and duties of the advisory body.
• Requirements for appointments to committees and terms for the appointments.
• Lists of the requirements for who can be a member.
• A schedule for meetings.
• The requirements for collaborating with agencies.

Agency Response: Agree, Implementation Date – December 31, 2021

1.3 Update Disaster Recovery Documentation for New Data Center  – Technology Services should, as soon as possible, update all disaster recovery documentation to include the new data center before or by the time the center goes live.

Agency Response: Agree, Implementation Date – December 31, 2022

1.4 Improve Strategic Plan  – The Disaster Recovery Committee should develop comprehensive disaster recovery goals and objectives that are timebound, specific, measurable, and actionable and include them in the Technology Services’ strategic plan.

Agency Response: Agree, Implementation Date – December 31, 2022

1.5 Develop Disaster Recovery Training  – Technology Services should create disaster recovery training that can be presented to all relevant personnel responsible for disaster recovery planning and consider automating the training using Workday Learning. This should include, at a minimum, members of the Disaster Recovery Committee.

Agency Response: Agree, Implementation Date – December 31, 2022

1.6 Enhance Backup Metrics  – Technology Services should ensure that backup system failures are tracked, monitored, and include trend statistics to inform management of the time it takes to complete backups, and Technology Services should update the backup system policy based on the trends identified.

Agency Response: Agree, Implementation Date – December 31, 2021

1.7 Periodically Review Information System Contingency Plans  – Technology Services should develop a documented policy and procedure to update, validate, and publish information system contingency plans every year.

Agency Response: Agree, Implementation Date – December 31, 2021

Auditor's Letter

April 15, 2021


The objective of our audit was to evaluate the City and County of Denver’s information technology disaster recovery planning program.

We found the city’s Technology Services agency made progress by creating a disaster recovery policy, but it lacks a comprehensive disaster recovery program because of an insufficient strategy. Technology Services has not prioritized disaster recovery in its strategic planning and operations — which resulted in inadequate governance, a less-than-comprehensive program that lacks documentation and maintenance, and insufficient communication and training strategies. We also identified other risks that we communicated separately because of their sensitive nature.

By implementing recommendations for stronger policies and procedures, Technology Services will be better equipped to recover data and systems during a disaster.

This audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We extend our appreciation to the personnel in the city’s Technology Services agency who assisted and cooperated with us during the audit. For any questions, please feel free to contact me at 720-913-5000.
Denver Auditor,

Auditor's Signature
Timothy O'Brien, CPA

Follow-up

A follow-up report is forthcoming.


 


 

Tim_mug.png

AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor



Denver Auditor´s Office

201 W. Colfax Ave. #705 Denver, CO 80202
Emailauditor@denvergov.org 
Call: 720-913-5000
Follow us on Facebook     Connect with us on Twitter
Read our social media policy

Auditor´s Office Logos for Footer