NB Auditor General finds exposure to risk of computer systems outage ‘not acceptable’

New Brunswick’s Auditor General announced Thursday that a review of a power outage last June found “no evidence of a formal disaster recovery plan” for the province’s information technology systems and that the “current exposure” of those systems to the risk of an outage is “unacceptable.”

Auditor General Kim MacPherson released Thursday her report to the Legislative Assembly in Fredericton. One part included a review of the events surrounding a power outage June 9. After the power outage, “a failure of one of the Province’s electrical backup power systems caused a mainframe and multiple server failure in the Marysville Data Centre,” the Auditor General stated in a release. “This led to a major loss of system access within government for that day and caused rippling effects over the following two weeks. The loss of system access had significant adverse effects on the delivery of government programs and services.”

In the report, MacPherson noted the government response to that failure was “highly reactive.”

“We found no evidence a formal disaster recovery plan, which would provide a planned approach for addressing these failures and prioritizing the restoration of government services, from a corporate perspective, was in place prior to the outage,” she wrote.

The failure disrupted several government departments.

“The current exposure to risks that we observed during our work is not acceptable,” MacPherson stated in the release.

The report “found that risk assessments had identified the vulnerability of the backup power system at the data centre as early as 2009,” the Auditor General stated. “While some progress was made with regard to prior recommendations, efforts by government to mitigate outage risks are still insufficient: there is some business continuity planning in departments, but no consensus on the appropriate strategic direction at the corporate level. Moreover, the Office of the Chief Information Officer (OCIO) does not have authority to direct departments to align with overarching corporate-level strategic goals.”