Audit Finds Security Dept. Is Lacking Disaster Backups By ERIC LIPTON http://www.nytimes.com/2005/06/09/politics/09home.html?ei=5090&en=ff1d0214d8 463ff0&ex=1275969600&partner=techdirt&emc=rss&pagewanted=print
WASHINGTON, June 8 - In a nationwide advertising blitz, the Homeland Security Department has urged businesses and families to "Get Ready Now" for potential terror attacks or other disasters. But an internal audit released on Wednesday concluded that the department had fundamentally failed to follow its own advice. Computer systems at 19 department sites that served agencies like the Transportation Security Administration, Customs and Border Protection and the Coast Guard had no functioning backups or relied on obviously deficient or incomplete backups, the report by the inspector general of the department said. Even the Federal Emergency Management Agency, which is in charge of disaster recovery, was unprepared, the report said. The department "must be able to provide mission-essential services with minimal disruption following a disaster," the report said. "Without adequate disaster recovery capability, a minor disruption or major disaster may affect D.H.S.'s ability to perform essential services," the study added. Adequate backups were lacking for networks that screen airline passengers, that inspect goods moving across borders and that communicate with department employees and outside officials. Those same agencies, the auditors found, have in most cases failed to prepare sufficiently written disaster recovery plans that would guide operations if a main office or computer system was knocked out. Companies or organizations that are properly prepared generally have arrangements at alternative sites that would let them operate if their computer systems were inaccessible or destroyed. Top officials at the department did not dispute the conclusions of the report. "We recognize that information-technology continuity is important to lead an effective recovery, which is why we are developing a plan to ensure critical systems continuity," a spokesman, Brian Roehrkasse, said. The problems, the audit said, are insufficient money and insufficient management attention. At one division - the audit removed its name on security grounds - two sites with a total of 228 computer servers and 9 mainframe computers had no alternate backup sites. In other cases, where backup systems had been arranged, the systems had not been adequately tested. The department "has not implemented a D.H.S.-wide program to coordinate or upgrade the disaster-recovery capability for its critical" computer systems, the report said. The former inspector general of the department, Clark Kent Ervin, said the conclusions were not surprising. The department, created in 2003 through the merger of 22 agencies, inherited a number of antiquated computer systems that it is trying to integrate or in some cases replace. "We are two years into the department's existence and nearly four years after 9/11," Mr. Ervin said. "Much more progress should have been made now." Mr. Ervin and others said the poor state of disaster preparedness at the department sent the wrong signal to the public and to businesses, one that is directly contrary to its heralded Ready.gov advertisement campaign, which uses slogans like "Don't be afraid. Be Ready." A spokeswoman for the Senate Homeland Security and Governmental Affairs Committee, Leslie Phillips, said: "Management 101 tells you that any organization that relies on critical computer systems should have the ability to recover from natural or man-made disruptions. This was a lesson learned after the 9/11 attacks, when financial institutions with information-technology backup systems were able to quickly resume their business, while those without backup were not. The department should be leading by example." You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
