Technical standards for disaster recovery in New Zealand government departments appear to be non-existent and no body appears overly keen to take responsibility for the issue.
Various government agencies approach parts of the problem but nothing appears to have been prescribed as a minimum at a technical level.
Expected Y2K problems at the dawn of 2000 led, however, to much work on IT disaster recovery and business continuity within government agencies, and the principles established then are still valid, says Iona Holsted, deputy commissioner at the State Services Commission.
The range of threats to computer systems would not have changed sufficiently to affect the fundamental nature of sensible recovery procedures, she suggests.
More recent work on IT at her level, directed at avoiding another kind of IT disaster for which “Incis” is a by-word, concentrates on governance rather than detailed technical matters.
She, and others in government, referred Computerworld to the commission’s e-government unit, which comes under the auspices of the SSC, on the assumption that they may have done similar work on standards for disaster recovery as they have on interoperability among departments, but spokesman Brendan Kelly says it has not been one of the unit’s areas of priority.
Jay Garden, head of the Centre for Critical Infrastructure Protection, says general advice on disaster recovery procedures “is not our game”. The centre concentrates on awareness of threats and specific help in response to disasters.
He referred Computerworld to Mike Spring of the Government Communications Security Bureau, under which the CCIP runs.
Spring says GCSB “gives a little advice” on a general basis, but most of its role would be in response to specific threats. If an agency asked for advice on disaster recovery “we would steer them to publications at NIST [the US National Institute of Standards and Technology], particularly Special Publication 800-34,” the “Contingency Planning Guide for Information Technology Systems”.
The GCSB and CCIP provide some training in business continuity, and it’s an area they are considering for expansion.
While new threats may have developed in the recent past, with an increase in denial of service attacks and the threat of “cyber-terrorism”, recovery measures still come down to similar basic principles and processes, he says.