GPO Has No Disaster Recovery Plan for Its Tech, Watchdog Says


If its IT infrastructure is taken offline, the agency could lose access to critical data.

The Government Publishing Office doesn’t have a policy to bring its IT infrastructure back online if disaster strikes, according to an internal watchdog.

Without a contingency plan for its general support system, the agency risks losing access to critical data and IT systems if its operations are disrupted, the GPO Inspector General said in a report published Thursday. The lack of emergency planning was one of several IT shortcomings auditors highlighted in their annual review of the agency’s financial statements.

Under current policy, the chief information officer is responsible for developing a strategy to “ensure minimal impact upon data processing operations in the event the IT system or facility is damaged or destroyed.” The plan must account for both backup operations and post-disaster response, and be tested in advance to ensure it would up in an emergency situation.

Though auditors first drew attention to GPO’s unpreparedness in 2011, the agency has yet to finalize a contingency strategy. Officials blamed the holdup on ongoing systems testing, the IG said.

Auditors also stressed the need for officials to carefully document the results of contingency plan testing to guarantee an airtight strategy. Without that information, they said, “management may be unaware of weaknesses in the disaster recovery capabilities.”

The IG also found GPO was slow to revoke security credentials for employees who left the agency, which leaves the door open for disgruntled former workers to potentially tamper with IT systems. Current policies mandate the agency block separated employees’ access to IT systems within 45 days, but auditors recommended officials cut that timeframe down to two weeks.

Furthermore, they found GPO officials have a difficult time determining when employees have “conflicting roles and responsibilities,” meaning some workers might have access to IT systems and data resources that have nothing to do with their current job. As such, people could improperly interfere with agency programs and processes, they said.

Auditors first highlighted GPO’s issues with access control and separation of duties in 2011, but seven years later, it has yet to fully amend its practices.