LANSING – The Department of Technology, Management and Budget did not ensure that it had identified the state’s most critical technology systems and, for those it had identified, it did not ensure that they could be restored within deadlines, a report released Thursday by Auditor General Doug Ringler said.

The state designates certain systems as Red Card, meaning they are essential to state operations, and must be able to restore those within 24 hours. The performance audit of Disaster Recovery and Business Continuity of IT Systems, for the period October 1, 2013, through January 1, 2016, found the department was not effective in ensuring the state could recover from an IT disaster.

Among the findings, auditors said the department had no plan to recover the state’s overall network. While auditors acknowledged redundancies meant total failure was not likely, they said the network was essential to access all other systems.

They also said, in the same finding, the plans in place did not appropriately prioritize recovery tasks. The plans called for recovery of some software systems before recovery of the underlying systems they need to operate.

The department said it would develop more complete plans, as well as improved testing to ensure the backup plans would work.

Where the department does have plans, it has not always coordinated those plans with the state agencies that use them, the report said. Auditors found the department had not developed business continuity plans for the processes that run on 10 of its 24 key systems and had not documented requested recovery times for six of 16 application recovery plans and 8 of 19 hardware recovery plans.

Auditors said the department also had not reviewed its disaster recovery and business continuity plans to be sure they had all the needed elements. It also had not reviewed the list of Red Card systems to ensure it was complete and did not include any lower priority systems.

Department officials said they had begun a process in 2016 to correct those deficiencies and had completed plans for 80 percent of their own Red Card systems and for 75 percent of Red Card systems for other departments. They also said they were working with other departments to ensure the list of Red Card systems was accurate.

In lesser findings, auditors said the department did not have sufficient disaster recovery servers to ensure Red Card systems could be restored should there be a server center disaster and did not ensure that necessary people had sufficient access to the recovery plans and systems to begin the process should a disaster occur.

The department also agreed with those findings and said it was working with the affected agencies to be sure needed resources were in place and accessible.

This story was published by Gongwer News Service. To subscribe, click on www.gongwer.com