The Australian Taxation Office is embarking on a refresh of IT hardware and software systems after major outages crippled the department’s online systems just over a year ago.
The announcement of upgrades to its client-facing systems follows the release of an Australian National Audit Office (ANAO) report into the ATO outages.
In December 2016, a problem with the ATO’s storage area network (SAN) took the office’s online services down for three days. This was followed by a second five-day outage in February 2017 as a result of the ATO's efforts to stabilise the faulty SAN.
The tax office later shut down online tax services over several weekends in April and May as it replaced old hardware. The initial outage followed the ATO replacing legacy Dell EMC storage hardware with HPE SAN units, which were later sent to the US to be analysed.
In setting out to assess whether the ATO had responded effectively to the system failures, the ANAO reported that the tax office's responses were largely effective but highlighted inadequacies in critical infrastructure business continuity planning.
"The December 2016 and February 2017 incidents highlight that the ATO did not have a sufficient level of understanding of system failure risks," the ANAO report read.
"The ATO’s risk management and BCM processes did not include an assessment of risks associated with storage area networks, which were a potential single point of failure. Moreover, BCM processes were limited in planning for critical infrastructure and ICT system failure to the data centres."
The ANAO’s report noted that the post-incident reviews conducted by the ATO had been effective in setting out recommendations and informing on strategies to improve its practices around governance, business continuity, and addressing system vulnerabilities.
As of November, the ATO had implemented four of 14 recommendations set out in its post-incident report, which mostly related directly to the particular system failures experienced, while the remaining 10 recommendations, concerning broader processes, were in progress.
The ANAO listed three of its own recommendations for the ATO:
- Update business continuity management, IT service continuity management and risk management frameworks.
- Determine the level of availability of IT-dependent services for subsequent reports.
- Include tolerances in its ICT service contracts that align with expected service standards.
Regarding ICT services contracts, the ANAO report said that, with major ICT contracts up for renegotiation in 2018, the ATO had an opportunity to "align service measures across its ICT contracts and also align service standards with the outage tolerances in its ICT service contracts".
The ATO's centralised computing contract fell to DXC Technology in 2017 following the merger of CSC Australia and HPE Enterprise Services. The contract was renewed late last year, as reported by iTNews.
The ATO agreed to each of the ANAO's recommendations and said it was committed to improving its services.
"We have learnt from our experiences and have made many improvements to strengthen our systems. We have also improved our governance and business continuity management processes, as well as implemented improved monitoring. We will continue to work with our vendors and digital service providers to develop joint continuity plans," the ATO's official response read.
In a separate statement, ATO chief information officer Ramez Katf said system improvements were already well underway.
“We will focus on improving our IT design and governance, further strengthening our cybersecurity posture and improving the technology used by ATO staff to ensure they have the right tools to do their job,” he said.
Katf said in addition to new hardware, software and policy implementations, the ATO would be rolling out a new approach to IT sourcing as the department builds its offering.
“Our new approach will also focus on increasing our capability to take advantage of new and emerging technologies to deliver better systems and tools for the community, our key stakeholders and staff, and, importantly, delivering value for money,” he said.
The lengthy audit review can be read online here.