DHS Disaster Recovery Plans Lacking, Report Finds

Eight of the Department of Homeland Security's 27 critical systems don't have an identified alternate processing site.

Four years ago, the inspector general of the Department of Homeland Security found the agency's IT disaster recovery plans were below par. While the DHS's situation has improved somewhat with the addition of two new data centers, a new inspector general report finds the department's disaster recovery plans still aren't up to snuff.

For example, those new data centers still don't have the interconnecting networks and hardware necessary to have both data centers online in a redundant active-active capacity or even to back up and restore critical systems in due time. Eight of the DHS's 27 critical systems don't even have an identified alternate processing site -- including the Coast Guard's shipboard command and control systems.

The DHS has consolidated Internet gateways from multiple locations into one gateway in Mississippi, but didn't put a redundant gateway in place in the other data center, so if the Mississippi data center goes offline, some DHS employees might not even be able to connect to the Internet. That's an especially important point because the Mississippi data center doesn't have redundant power supplies or telecom circuits. In fact, it doesn't even have a perimeter fence to keep out intruders.

The DHS also is relying on outdated or incomplete risk assessments of the data centers. For example, the risk assessment of the Mississippi data center didn't take into consideration a nearby rocket-engine test facility or the risks of damaging winds from a hurricane.

To fix these problems, the inspector general has recommended that the department make sure it has the right redundant equipment both across the data centers and in the Mississippi data center. As the Mississippi data center is running out of room, the inspector general also implies that DHS may need to expand it. The inspector general also said that the DHS needed to update its risk assessments more regularly and bulk up its contingency planning.

Acting DHS CIO Margaret Graves agreed with the inspector general's findings, though it's unclear how long it will take for the agency to comply with recommendations. Though Graves noted in a reply to the inspector general's findings that hardware and processes are in place to facilitate some replication across the data centers, the DHS is still in the midst of procuring additional equipment.

She also said the DHS has a plan in place to provide redundant power to the Mississippi data center, and that the DHS has ordered redundant telecom circuits. New risk assessments are due by the end of this year.

The two DHS data centers are managed by different managed services companies. Computer Sciences Corp. manages one in Mississippi and EDS the other in Clarksville, Va. It's not clear whether management by separate companies is a cause for compliance concerns.
