REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES

THIRD PARTY REVIEW
For the Year Ended:
June 30, 1997


Summary of Findings:

Total this audit 1
Total last audit 1
Repeated from last audit 1



Release Date:
July 1, 1997





State of Illinois
Office of the Auditor General

WILLIAM G. HOLLAND
AUDITOR GENERAL

Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703
(217) 782-6046

INTRODUCTION

The Department of Central Management Services' (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/35.3; 20 ILCS 405/35.7; 20 ILCS 405/35.7a; 20 ILCS 405/35.7c; and 20 ILCS 405/35.8). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the Communications Center, and two branch facilities - one each in Springfield and Chicago. The Springfield branch facility also serves as the primary backup site should a disaster prevent processing at the Central Computer Facility. Through its facilities, the Department provides data processing services to approximately 86 user entities.

The CCF functions as a data processing service center, providing computing and telecommunication resources for State agencies' use. The Department and the agencies that use the Department's computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.

We reviewed data processing general controls at the Department during the period from February 6 to April 25, 1997. We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary in the circumstances to evaluate the controls.

We also reviewed application controls for systems maintained by the Department for State agencies' use. The systems reviewed were the Generalized Accounting, Central Payroll, Central Inventory, Central Time and Attendance, and Accounting Information Systems.

The Department's control procedures and the degree of compliance with the procedures were sufficient to provide reasonable, but not absolute, assurance that relevant control objectives were achieved. However, the Department could enhance the State's ability to process critical data without significant interruption by improving its disaster contingency plan.

 

ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES

STATISTICS

1997

Mainframes


6 Units Configured as 13 Systems

Services/Workload


44,000 Nodes Statewide (Terminals, Printers, etc.)
34 Million IMS Transactions per Month
3 Million Feet of Laser Printing per Month
222,000 Reel/Cartridge Tape Mounts per Month

State Agency Users


86

CCF Employees


1995 -- 127
1996 -- 128
1997 -- 126

Historical Growth Trend*

1975 -- 400 Base CPU Hours Billed
1980 -- 1,700 Base CPU Hours Billed
1986 -- 5,200 Base CPU Hours Billed
1990 -- 14,143 Base CPU Hours Billed
1994 -- 27,823 Base CPU Hours Billed
1995 -- 34,977 Base CPU Hours Billed
1996 -- 44,201 Base CPU Hours Billed
1997 -- 47,618 Base CPU Hours Billed

* In the month of January for each year listed

Information provided by the Department

AGENCY DIRECTOR AND BUREAU MANAGER

During Audit period: Director: Michael Schwartz -- Bureau Manager: William Vetter
Currently: Director: Michael Schwartz -- Bureau Manager: William Vetter

 














FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

DISASTER CONTINGENCY PLAN WEAKNESSES

The Department has a written disaster contingency plan, the CMS/BCCS/CCF Disaster Recovery Plan (DRP), dated August 1996. The DRP is currently being updated and is expected to be distributed during July 1997. Although the Department has made great progress in addressing the disaster recovery needs of the State's Central Computer Facility, the plan and operational provisions still need to be enhanced.

The primary backup site is the Harris facility in Springfield; a secondary backup facility is located in Chicago. The primary site was upgraded during the audit period and has significantly more processing and data storage capacity.

The Department worked with user agencies and developed a prioritized Statewide Critical Application Priority List. The Department asked agencies to place their applications in one of five categories.

The Department concluded that Category 1 (Human Safety) applications would constitute the critical applications that would be recovered in the event of a disaster. Only 4 agencies reported Category 1 critical applications; 11 such applications were identified.

The Department plans to perform individual and consolidated tests of Category 1 applications to evaluate the primary backup site. The Department plans to perform the tests in the first half of Fiscal Year 1998 and intends to restore only the applications in Category 1.

A comprehensive test of the DRP has never been conducted. A comprehensive test helps verify that the plan is viable, determines that the processing and storage capacity at the alternative site is appropriate, and educates staff on disaster recovery procedures.

The State is placing great reliance on the Department's ability to deliver data processing services in the event of a disaster. The development of a comprehensive and tested Disaster Recovery Plan reduces the risks and helps ensure that all critical computer processing needs are adequately addressed. A comprehensive and thoroughly tested disaster recovery plan and adequate backup facilities are essential components of recovery efforts. (revised Finding first reported in 1986)

Recommendation
The Department should continue its efforts in disaster contingency planning and testing. In particular, the Department should:

  • Continue to evaluate and update the Statewide Critical Applications Priority List and obtain executive and agency approval of the Priority List;
  • Continue to review the primary and secondary backup sites and determine if the sites adequately address the recovery requirements as specified in the Priority List;
  • Work with user agencies to identify the applications that are most critical to the State and test the recovery capabilities for those applications. To adequately assess the State's critical recovery needs, user agencies must communicate their needs to the Department to ensure that the recovery priority accurately reflects the State's needs; and,
  • Conduct an annual comprehensive test to evaluate the functionality of the disaster recovery procedures and adequacy of the primary backup site to process all critical applications.

Department Response
The Department concurs with the recommendation. Over the past several years, the Harris facility, the primary backup site for disaster recovery for the mainframe, has been upgraded to increase the processing capability. During the past year, critical applications were categorized, prioritized by the agencies, and approved by the Director of CMS.

In a disaster, the first applications to be recovered will be Category 1, but recovery will continue through Category 2 and further through all applications, as resources will allow. It is estimated that at least Categories 1-3 will be recovered, while additional resources are identified to reposition the State after a disaster, to handle all processing.

AUDITORS' OPINION

Procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved.




____________________________________
WILLIAM G. HOLLAND, Auditor General

WGH:WJS:ag