Michigan Audit Finds the State Is Not Fully Prepared for Tech Disaster

The Michigan state technology department is working to fill gaps in its recovery plan after a state auditor’s report found the government may not be adequately prepared for a technology emergency. With states in the midst of transition to digital infrastructures, many are using creative ways to protect and maintain access to IT infrastructure in the face of natural disasters, including Hawaii, which has partnered with the University of Hawaii to use its data center as a backup in case of emergency .

Michigan will also likely need to find more robust ways to shore up its disaster plans, as a new report released in December by the Michigan Office of the Auditor General notes that the state’s Department of Technology, Management and Budget (DTMB) needs more complete IT disaster planning, as well as more thorough plans to restore the state’s critical IT systems, as it works to transition to a digital infrastructure.

In an interview with Government Technology, DTMB Public Information Officer Caleb Buhs said the state was working to address the issues with key technologies outlined in the report.

“We have 30-year-old systems, for whatever reason," he said. "Bringing those up to current standards is something that does take some time.”

In the roster of eight challenges set out by the auditor general, highlights emphasize the state’s shortfalls in plans to restore critical infrastructure and a lagging discovery coordination plan among businesses.

Lacking Plans to Restore Infrastructure

The 40-page report found that the state had not adequately planned to restore critical infrastructure services and enterprise systems necessary to restore so-called Red Card systems —the state’s most critical systems and infrastructure — in the event of a statewide IT disaster. As a result, the report found that the state would likely not be able to restore all critical infrastructure services and systems within 24 hours, the maximum recovery time allotted for Red Card systems.

“DTMB did not fully plan for the restoration of the network,” the report stated, explaining that the network is the underlying infrastructure for the state’s IT environment, consisting of multiple computer systems and hardware that allow for information sharing. “The network is redundant, which reduces the likelihood of it becoming completely inaccessible; however, if the network is unavailable, users will be unable to access the majority of the state’s IT systems.”

While the DTMB had a “partial” recovery plan for the network, the plan itself was stored on the network, “making it inaccessible if the network is down.”

Plans for Restoring Intranet Were Outdated

According to the report, the state had not identified its internal intranet as a critical infrastructure service, meaning the plan had not arranged for its restoration, despite the fact that many of the state’s critical systems and services, such as its Living Disaster Recovery Planning System (LDRPS), were stored on the server.

It also noted that the DTMB’s Disaster Recovery Plan for the intranet had not been updated or tested since 2011. As a recommendation, the report suggested that the state update and test this plan at least once a year.

Businesses and the State Lack Recovery Coordination

According to the report, critical elements were omitted from the state’s Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP). This means the state is likely unable to implement a review process that would ensure the DRP and BCP are robust enough to provide effective recovery in the event of a disaster, leading to a delay in the recovery of critical systems and business processes.

To remedy this, the auditor general suggests that the state’s plan be updated “at least annually,” and that plans be maintained by a designated business continuity coordinator who can periodically review and distribute the materials to ensure they are up to date and effective.