Agenda item

Progress update on actions arising from the Internal Audit report for the IT Security Framework

Minutes:

The ICT Strategy Lead presented a report to the Committee. The Council had historically had a disaster recovery contract for key IT infrastructure with a third-party organisation. He advised that a new Disaster Recovery Plan would be in place in January 2019, with a service based on the Council’s ICT architecture. This new plan would be without Agilisys and would address risk, with a 24-hour period in order to get the Council’s ICT back up and running. He stated that the existing disaster recovery arrangement did not deliver a meaningful level of protection to the Council with an Infrastructure as a Service (IaaS). As a result, the existing disaster recovery contract had ceased. He covered the following points in the report:

·  In February 2018, Cabinet had approved a budget to deal with historic under-investment in ICT within the Council. Part of this budget was specifically intended to implement and deliver a fit-for-purpose IT disaster recovery arrangement that meets the Council’s current and emerging needs and risks.

·  In March 2018, an internal audit report on IT security gave limited assurance, with the main finding being the lack of an ICT disaster recovery capability.

·  In April 2018, a paper was presented to the Council’s Assurance Group highlighting the key risks and a proposed approach to delivering a suitable ICT DR service.

·  In June 2018, the Committee reviewed the findings of the security audit and requested an update on the work being carried out to meet the Council’s IT disaster recovery need.

Members enquired about details of alterations to the scheme. The IT Strategy Lead advised that officers had looked at a wide range of options and suppliers, and that the one that would be in place was the best price and best fit for the Council.

The IT Strategy Lead advised that by 2020 the Council would in any case need to change its ICT provision, and that the work for disaster recovery would offset an element of that re-provision that would otherwise result in additional cost. He added that, in providing the new disaster recovery service, officers had identified areas of risk; for example, Citrix would not be able to function from January 2019, and a further phase of work would deal with this issue. In the event of a disaster, the IT service would be able to be fully recovered from the end of the implementation project scheduled for January 2019, but further half-yearly tests of recovering specific business areas over a two-year period would improve assurance to a higher level. He added that, as a result of possible currency fluctuation, Microsoft tended to re-price annually and there was a risk of cost escalation. He advised on three options in the report, namely: no action, a normal disaster recovery contract, and creating additional resilience within Agilisys. All of these options had been rejected.

The Independent Adviser (Audit) welcomed the report and noted that its focus had been on managing the Council’s business risks rather than technical issues. He requested, and Members agreed, that future reports show how risks are mitigated. He understood from the report that at the first stage residual risk had been reduced but that further work was needed to reduce risk. The IT Strategy Lead advised that, in terms of technical risk, testing was taking place in a planned way. The Council did not have a life-and-death critical system, and the 24-hour recovery matched the current agreed service level. He added, in answer to a question, that the IT work was not sub-contracted and fitted in with the existing IT contracting arrangements.
