Disaster Recovery Planning

Issued Date
December 06, 2017
Agency/Authority
Information Technology Services, Office of 

Purpose

To determine whether the Office of Information Technology Services (ITS) has a complete, functional, and tested disaster recovery plan for its agency and the College of Nanoscale Science and Engineering (CNSE) data center. The audit covers the period January 2017 through June 2017.

Background

ITS was established in November 2012 as part of a New York State Information Technology (IT) Transformation to consolidate and merge State agencies’ operations and streamline services. ITS is responsible for providing centralized IT services to 46 executive State agencies, as well as setting statewide technology policy for all executive branch State agencies and monitoring large technology expenditures in the State. ITS also operates a statewide data center at the CNSE.

To ensure continued operation of critical State systems, ITS should have a complete, functional, and tested disaster recovery plan that covers all aspects of its operations, including the CNSE data center and the centralized IT services it provides to the 46 executive agencies. That plan should comply with State laws and ITS policies and should also conform to guidance issued by the National Institute of Standards and Technology (NIST).

Key Findings

  • ITS has made some efforts toward disaster recovery planning; however, there is not a complete, functional, and tested disaster recovery plan that covers all aspects of its operations, including the CNSE data center and the centralized IT services it provides to the 46 executive agencies.

  • ITS is working on completing a disaster recovery plan for the CNSE data center and anticipates it will be done in late 2018.

Key Recommendations

  • Finalize the NYS Disaster Recovery Project: Disaster Recovery Draft Plan in accordance with ITS policies, NIST, and other relevant guidance.

  • Ensure the finalized NYS Disaster Recovery Project: Disaster Recovery Draft Plan covers ITS’ own operations, including but not limited to the centralized IT services it provides to the 46 executive agencies.

  • Review the disaster recovery plan regularly, documenting changes needed and when those changes were made.

Other Related Audits/Reports of Interest

Office of Information Technology Services: Security and Effectiveness of Division of Criminal Justice Services’ Core Systems (2014-S-24)
Office of Information Technology Services: Effectiveness of the Information Technology Transformation (2015-S-2)
Office of Information Technology Services: Security and Effectiveness of Division of Criminal Justice Services’ Core Systems (Follow-Up) (2016-F-28)

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236