P&R reprimanded over failures that resulted in IT meltdown
The latest repercussion from the IT meltdown at the States in the winter of 2022-23 is a reprimand from the Data Protection Authority.

The authority initiated an inquiry in October 2023 into the series of incidents that took down some of the States’ IT systems between November 2022 and January 2023.
It has concluded that the Policy & Resources Committee failed to take reasonable steps to maintain the air conditioning system within a data room, and that the system failed as a result. The air conditioning failure was one of several, alongside failures of other technical and monitoring controls, that together led to the loss of IT services. The inquiry also found that, prior to the incidents, P&R had not implemented an IT disaster recovery plan, which was needed to respond effectively to critical incidents.
‘This incident demonstrates the importance of organisations identifying and addressing potential risks posed to the security of personal data,’ the authority said.
‘Organisations that do not regularly assess and mitigate their vulnerabilities are more likely to face system failures. When a risk area is identified, that warning should be heeded. Too often incidents occur in areas of known risks that could have been mitigated if swift action had been taken.
‘Investing in preventive measures is crucial to avoid such disruptions.’
The Data Protection Law requires that organisations take reasonable steps to ensure they have the ability to secure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The authority noted that the data room service outages would not have occurred had P&R heeded previous warnings regarding the vulnerability of the air conditioning unit at Sir Charles Frossard House.
During the inquiry it was also discovered that there was no IT disaster recovery plan in place at the time of the data room service outages.
‘The purpose of an IT disaster recovery plan is to reduce the downtime, costs, and business impact of incidents by putting effective, standardised processes in place for when those incidents do occur,’ the authority said.
‘It ensures the resilience and continuity of IT services, and that, if systems go down unexpectedly, they are brought back up again promptly. The lack of an IT disaster recovery plan during the data room service outages limited the ability to maintain and restore the availability of servers, and therefore the personal data stored thereon.’
A major incident review carried out by PwC has already been published and included recommendations aimed at reducing the risks to mission-critical IT services provided by the States.
The authority noted that P&R had confirmed that all the recommendations in the proposed action plan had now been completed and that it was committed to ensuring adequate safeguards were in place going forward. It said that, based on this confirmation and commitment, its sanction took the form of a reprimand.
‘Had the action plan not been completed, the authority would have issued P&R with an order requiring them to take the actions identified in that action plan, holding P&R accountable for putting right the problems identified.
‘As P&R has already provided confirmation that it has implemented all recommendations, the reprimand issued recognises those actions, and accountability for their successful implementation rests with P&R.’