The aftermath of a string of severe system outages at the Australian Taxation Office highlighted significant flaws in the agency’s business continuity planning. However, an investigation by the Australian National Audit Office (ANAO) has concluded that ATO-commissioned reviews are helping plug gaps in the agency’s IT resilience.
The ATO suffered a string of service outages beginning in late 2016 and stretching well into 2017.
In response to the outages the ATO invoked its business continuity management plan. However, a new ANAO report concludes that the plan “included limited actions to correct ICT system failures associated with critical infrastructure including data centres”. The business continuity processes also did not recognise weaknesses in ICT design.
“Despite limited planning for critical infrastructure failure, the ATO’s responses to the incidents were largely effective, as it worked closely with the contracted ICT service providers to identify the system fault and restore services in line with activation guidelines, but could have better communicated with stakeholders throughout the incidents,” the ANAO report states.
The outages have already been the subject of a number of investigations, including an ATO-commissioned PwC review. The ATO Systems Report released in June last year detailed the causes of the December and February outages, pinning them on a failure of an HP Enterprise 3PAR SAN.
The SAN was operated and maintained by HP Enterprise (later DXC Technology, after HP Enterprise’s services arm merged with CSC to create the new business) on behalf of the ATO.
The ATO in December last year extended its centralised computing contract with DXC until 30 June 2019.
The ATO Systems Report contained 14 recommendations, and as of November last year the agency had implemented four recommendations and partly implemented the remaining 10 recommendations, the ANAO report states.
However, the report adds: “The implemented recommendations mainly relate to technical solutions to the particular system failures, while the broader initiatives to strengthen ICT governance and processes are underway. Considerable work is required to implement the recommendations before many of the intended and agreed outcomes are achieved.”
In a response to the audit, the ATO said it has now fully implemented nine of the 14 recommendations of the Systems Report. The remaining five recommendations will be completed throughout 2018, according to the ATO.
ATO CIO Ramez Katf said that the ATO has a program of work focused on boosting the resilience, performance and stability of its key IT systems, including major hardware and software refreshes.
“We will focus on improving our IT design and governance, further strengthening our cyber security posture and improving the technology used by ATO staff to ensure they have the right tools to do their job,” the CIO said.
“We are also engaging with the community to develop digital systems and service availability measures.
“In the past six months we have made strong progress in implementing the recommendations of the ATO Systems Report, with improvements to our governance and business continuity management processes and real-time monitoring of systems availability. This work, combined with overall improvements in the design of our new storage hardware, has improved our ability to detect and resolve issues before they have an impact on services to the community.”
The full ANAO report is available online.