RISKY STORAGE

ODPP among 7 state agencies without disaster recovery plans

Auditor General Nancy Gathungu says no strategy in place for recovery in the event of loss, natural disasters

In Summary

• This means that in the event of a disaster at their premises, the records may not be recovered as they have not set up backup sites.

• Business Registration Services handles sensitive information about the registration of companies.

Auditor General Nancy Gathungu
Image: CHARLENE MALWA

Sensitive data held by seven strategic state agencies are at risk of loss due to a lack of post-disaster backup and recovery systems, a report by the Auditor General has revealed.

The Office of the Director of Public Prosecutions, the State Law Office, the Business Registration Service, and the Energy Ministry are among the affected state agencies.

Others operating without a recovery system are the State Department of Social Protection, Crop Development, and a facility run by Kenya Wildlife Service in Northern Kenya.

This means that in the event of a disaster at their premises, records, which should be stored in offsite backup systems, may not be recovered.

The ODPP handles sensitive data on prosecutions while the State Law Office has records of marriages, among other key statute laws.

The Business Registration Office stores data about businesses, including the details of ownership and directorships of various companies.

The Social Protection department has data on cash transfers to elderly persons, orphans and vulnerable persons, which guide the disbursement of billions of shillings.

Auditor General Nancy Gathungu has raised concerns that the agencies are operating without a data backup and disaster recovery system.

In her review of national government ministries’ books of accounts as of June 30, 2021, the auditor pointed out that some of the agencies have been warned of the dangers before but are yet to act.

For instance, Gathungu says the situation at the ODPP was flagged in the reviews for the year ending June 30, 2020.

The review, she added, revealed that the ODPP IT Steering Committee did not hold any meeting during the 2020-21 financial year.

“In the absence of a disaster recovery plan and an active IT Steering Committee, the adequacy of the IT governance and the ability of the ODPP to resume operations effectively after an emergency or disaster could not be confirmed,” the auditor said.

At the Social Protection department, the audit revealed there were no policies in place to cover physical access to IT environments, worsened by the lack of an IT continuity plan and disaster recovery plan.

“There are no backups stored in a secure off-site storage facility,” Gathungu said, citing the risk of losses of the data, hence the potential for wastage.

The audit further established that the Management Information System used by the State Department doesn’t weed out duplication.

“Consequently, the risk of wastage and loss of public resources was high for the year ended June 30, 2021,” Gathungu said.

The State Law Office and Department of Justice is operating without an IT Strategic Committee or IT Strategic Plan that supports business requirements.

Gathungu has warned that the existing system does not assure data integrity, confidentiality and accessibility.

“The formally approved IT Security Policy was lacking to ensure data confidentiality, integrity and availability, documented and tested emergency procedures, and IT continuity and disaster recovery plan,” she said.

The Business Registration Service also does not have an approved Disaster Recovery Plan and IT Business Continuity Plan for the year under review.

“This posed a significant threat to the resumption of operations quickly and effectively in case of an emergency or a disaster. Lack of the plans may affect the operations of the entity,” Gathungu said.

She said the situation further poses “a significant threat to the core functions of the Business Registration Services, especially due to the fact that it handles sensitive information about registration of companies.”

Gathungu said the Energy ministry was also in breach of Regulation 165(1) of the Public Finance Management Regulations, 2015.

The law requires the ministry to develop strategies for fraud prevention, disaster recovery, risk management, and internal control.

It was the second time the auditor flagged the attendant risk.

“In the absence of an approved risk management framework, management’s ability to identify, measure, and mitigate operational and other risks faced by the ministry may have been constrained,” the audit report tabled in Parliament shows.

KWS operates a project in Northern Kenya whose records the auditor said may not be recovered in the event of a disaster.

When SRC was called out over the same issue last year, officials told MPs that workers carry home flash disks with state officers’ salaries data.
