OLA review finds weaknesses in 1 of 4 MNIT disaster recovery plans

A review of Minnesota’s Information Technology Services department (MNIT) found the agency is mostly prepared to quickly restore its systems in the event of a disaster but noted some weaknesses in one priority system.

The Office of the Legislative Auditor (OLA) released its latest report Thursday, saying it reviewed the disaster recovery plans for four priority systems within MNIT. The review looked at how well-equipped the agency is to quickly restore the priority systems in the event of a significant incident, such as a fire, flood, tornado or ransomware attack.

Overall, the audit found that MNIT and its partners are adequately prepared to recover the Medicaid Management Information System, the Minnesota Eligibility Technology System, and the Integrated Tax System. However, in the fourth priority system it reviewed, OLA found weaknesses that led the auditors to believe MNIT isn’t adequately prepared to restore the system within a week, as required.

In an effort to protect the system’s security, OLA didn’t name the priority system that had weaknesses.

MNIT’s centralized disaster recovery team tracks and coordinates testing plans for around 2,800 information systems and applications across the state’s executive branch. More than 200 of those are deemed “Priority 1” services, meaning they need to be restored within 24 hours in the event of a disaster. About 700 are “Priority 2,” needing to be restored within a week. The remaining systems, more than 1,800, are split between “Priority 3” services, which need to be restored within 30 days of a disaster, and “Priority 4” services, which can be suspended for at least 30 days.

OLA determined that MNIT’s method of cataloging and tracking is prone to human error and lacks some functionality given how many systems the agency covers. According to the report, MNIT told OLA that it has already started work to select a new tool that will better meet its needs for managing disaster recovery tasks.

For the one priority system in which OLA detected weaknesses, the audit noted that MNIT and its partners have a plan in place, but some important details were missing from it, such as the procedures for invoking it, the notification process and the potential impact of the system being unavailable. In addition to shoring those issues up, OLA determined that MNIT needs to annually review, change logs and test the system regularly.

In response to the audit, MNIT Commissioner Tarek Tomes and Minnesota Management and Budget Commissioner Jim Schowalter said “significant steps” have already been taken to address each finding. They also noted that the audit period ended in November 2021 and “we wish to make very clear that the report does not reflect the current state of disaster recovery capability for that system” that was found to have weaknesses.

“While ensuring disaster recovery capability is a major focus for MNIT, we feel it is important to note that sustaining and securing IT systems to prevent such disaster scenarios from occurring in the first place must be treated with similar urgency and focus,” the commissioners wrote in their response to OLA, saying some systems currently lack proper funding for proper maintenance and operations activities.

“It is the responsibility of state leaders in both the executive and legislative branches of state government to manage that risk and cost equation to appropriately safeguard against service delivery disruptions that could put public health and safety and the economic vitality of Minnesota at risk,” they added.
