Release: Audit Reveals Critical Improvements Needed in Baltimore City’s IT Disaster Recovery Program 


Bill Henry
Comptroller,
Baltimore City
204 City Hall - Baltimore Maryland 21202
(410) 396-5410

FOR IMMEDIATE RELEASE

CONTACT
Geoff Shannon, Public Relations Officer
(410) 387-5704

geoff.shannon@baltimorecity.gov

 

Baltimore, Md. - Baltimore City’s Office of Information & Technology (BCIT) has made significant strides in enhancing its disaster recovery program, but further efforts are necessary to ensure robust protection against infrastructure disruptions. These conclusions come from a biennial report for 2022-2021 presented by the Department of Audits (DOA) to the Board of Estimates on July 24th. 

Findings  

BCIT provides information technology services to both City agencies and the community. Part of BCIT’s mission is to prepare for the vulnerability risks to its IT infrastructure, hardware, and applications in the event of a disaster or disruptive event, and to have an appropriate disaster recovery plan in place that enables the City to quickly recover its mission-critical functions.

In 2020, a third-party consultant drafted a new recovery plan for BCIT. Despite progress in implementing the recommendations, the biennial audit identified several areas needing improvement:  

  • Incomplete Recovery Plan: The recovery plan does not fully reflect the current hybrid computing environment, including on-premise and off-premise applications and data backup infrastructure. 

  • Critical Applications List: BCIT does not have a complete list of critical applications consistent with recovery plan expectations, including targeted recovery objectives for all critical applications.   

  • Testing Plans and Schedules: BCIT does not have test plans and schedules to fully comply with the recovery plan restoration testing requirements for all critical applications.

Next Steps 

According to the audit, BCIT has noted that limited staffing has impacted its ability to complete the disaster recovery plan. DOA has made recommendations to improve the implementation of a disaster recovery process, including:

  • Recovery Plan Reevaluation: Reevaluate and implement the recovery plan to reflect the current and future City computing environment; 

  • Inter-Agency Collaboration: Conduct meetings with the respective City agencies and Mayoral offices to revise and update key elements of the recovery plan; 

  • Critical Applications Compilation: Compile a complete list of critical applications across the City;   

  • Governance and Oversight: Establish governance and oversight for disaster recovery and update Administrative Manual guidelines;

  • Test Plan Development: Develop a cost-effective, coordinated test plan for all critical City applications;

  • Testing Coordination: Coordinate and validate testing restorations performed by outside vendors or managed by agency IT units on behalf of the City; and

  • Document Retentions: Retain documentation, including test plans and evidence of completion.    

BCIT has agreed to the audit’s findings and recommendations. A full list of follow-up actions can be found in the report, published on the Comptroller’s website.

“Following the 2019 cyberattack on City IT services, we know how important it is to make sure our systems are secure and properly backed up,” Comptroller Bill Henry said. “BCIT has done well within the operational parameters they’ve been given, but now it’s time to take the next crucial steps. Our cyber security is paramount.” 

 
