Agenda item
ICT Business Continuity Assurance Report
- Meeting of Audit, Compliance and Governance Committee, Wednesday, 26th March, 2014 6.00 pm (Item 6.)
Report of Customer Services Group Manager, Forest of Dean, Andy Barge,
Minutes:
Giles Rothwell, ICT Shared Services Operations Manager, was introduced to the Committee.
The Chair reminded Members that at the last meeting of the Audit Committee on 15 January 2014 they had received a mid-year review of progress against the Significant Issues Action Plan. This report was in response to their request for further assurance with regard to ICT business continuity arrangements and testing.
In response to a question the ICT Operations Manager confirmed that there were referencing environments for all of the council’s virtualised services. He explained that it was now necessary for business users to undertake the testing themselves.
In response to a question on the four tiers of recovery in terms of the large gap between tier 1 and tier 2, the Corporate Governance, Risk and Compliance Officer explained that these had been established in May 2012. He referred to the power outages in February 2014 whereby users had experienced no disruption. Should there be a major incident such as a power outage for a five day period there would be a redeployment of staff to the Forest of Dean and priority systems would be run on a skeleton basis as determined by the business continuity team. Other systems would come in over a period of time and this was a documented process.
When asked whether a service level agreement existed between CBC and ICT Shared Services the Corporate Governance, Risk and Compliance Officer stated that a business continuity protocol had been established for all GOSS partners and the JMLG had been involved in the decision making process for this. The Director Resources added that a service catalogue had been created when Cheltenham had originally hosted the Agresso system on behalf of GOSS. All councils in GOSS were required to sign a new general disaster recovery plan and there was now an action for this to be renewed.
Members felt that an annual review of ICT Business Continuity should be programmed in to provide Audit Committee with an assurance. In response the Director Resources made reference to the SWAP discussion in the JMLG whereby Cheltenham was looking at the service continuity plan in terms of the tiering system and the critical people involved. In addition Ubico and the forthcoming Leisure and Culture Trust had to be included. It was agreed by JMLG that these plans should be refreshed so that assurance could be given that disaster recovery arrangements were satisfactory for all clients.
In response to a comment that there should be a faster acceleration process particularly in terms of systems relating to benefits and council tax, the ICT Operations Manager said that this depended on the level of investment. It was possible to have duplicate environments in geographically separate locations but it was a question of the business defining the need to continue operating weighed against the cost of delivering this.
Members were reminded that the major investment in ICT was being rolled out and there had also been staffing issues within the service so it had been a period of upheaval. An action plan would be put in place.
Members agreed that they should keep a watching brief on the situation and receive information from the JMLG.
When asked whether the backup located in the Forest of Dean would be automatic or manual, the Operations Manager explained that there was an element of both. There was very little physically located at CBC and the duplication process was automatic. There was no truly automatic recovery process as bringing the servers back up was manual but very quick.
When asked whether there could be a threat to the ICT systems from a malicious insider, the Corporate Governance, Risk and Compliance Officer stated that a threat assessment had been undertaken as part of the PSN work and was deemed to be of low to medium risk. For information he added that in terms of air conditioning in the server room more equipment had been transferred to the Forest of Dean and as a result the server room was now only at 30 % capacity. Should there be a failure there were spare air conditioning units available. The Director Resources also made reference to the fact that ICT Shared Services had the budget for the purchase of a generator and were currently in the process of testing in order to determine the load.
When asked what would happen should there be a major power outage the Corporate Governance, Risk and Compliance Officer explained that the vast majority of live services were now hosted by the Forest of Dean. With the installation of a generator there would be no loss of service and 2 days fuel for the generator would be kept as a minimum. He also explained that in terms of employees in this scenario they would be deployed home and asked to access the systems remotely.
The Chair thanked those officers present for the concise and informative report.
RESOLVED
To note the report.
Supporting documents:
- 2014_03_26_AUD_ICT_Business_Continuity_Report, item 6. PDF 42 KB
- 2014_03_26_AUD_ICT_Business_Continuity_ App1, item 6. PDF 26 KB