The Energy Department’s (DoE) Office of the Inspector General (OIG) found in a new audit that the agency needs to take action to improve planning for the restoration of information systems in the case of system disruptions.
The audit from the OIG’s Office of Technology, Financial, and Analytics found that three of the four reviewed sites had not implemented a contingency plan related to developing a Business Impact Analysis (BIA) – a Federal requirement. Further, 10 of 17 systems reviewed did not have fully developed Information System Contingency Plans (ISCP) in accordance with Federal guidance.
“Contingency planning is designed to mitigate the risk of system and service unavailability by providing effective and efficient solutions to enhance system availability,” the OIG said. “Essential to the development of organization contingency planning is to conduct a BIA for each information system. This facilitates prioritizing the systems and processes based on impact level and develops priority recovery strategies for minimizing loss.”
The OIG made a pair of recommendations for DoE. Management concurred with them and indicated that corrective actions were planned. The recommendations include:
- Ensuring that BIAs are completed at the Pacific Northwest National Laboratory (PNNL), Oak Ridge National Laboratory (ORNL), and the Hanford Site; and
- Ensuring that ISCPs for all systems at PNNL, ORNL, and the Hanford Site are thoroughly completed in accordance with Federal requirements.
“Because contingency planning is not an optional part of the business model and should be factored into the day-to-day operations within the Department, we believe that additional emphasis should be placed on ensuring that Federal requirements are met related to this area,” the OIG said.