The service level agreements (SLAs) the Australian Taxation Office (ATO) has with its major external IT providers have come under the spotlight more than a year after the agency’s “unprecedented” failure of storage hardware in late 2016.
The ATO was struck by widespread systems outages after 3PAR storage area network (SAN) hardware supplied by Hewlett Packard Enterprise (HPE) in late 2015 unexpectedly failed in December 2016.
Now, a report into the initial outage – and subsequent associated outages – released by the Australian National Audit Office (ANAO) on 20 February has recommended that Australia’s tax collector include tolerances in its IT services contracts that “align with service standards associated with [IT] systems, where possible”.
“With the major ICT service contracts scheduled to be renegotiated in 2018, the ATO has an opportunity to align service measures across its ICT contracts and also align service standards with the outage tolerances in its ICT service contracts,” the ANAO said in its report, Unscheduled taxation system outages.
The recommendation echoes some of the findings of earlier investigations into the systems failure, with the ATO’s own internal audit into its contract and relationship with DXC Technology examining whether any aspects of the arrangements exceeded ATO’s risk tolerances.
DXC Technology was the external supplier left holding the ATO’s mammoth centralised computing contract, which covers the provision of certain storage infrastructure, seven years after it was originally awarded to HPE in December 2010.
In April 2017, when HPE’s Enterprise Services business merged with CSC Australia, the contract, worth approximately $160 million per year, came under the auspices of the resulting entity, DXC Technology.
The internal audit found that while there were no immediate issues apparent in contractual arrangements, there were broader issues surrounding the extent of strategic alignment of the contracted IT service providers’ offerings with ATO business objectives.
That report made several recommendations in this regard, and noted that, “at an entity-level, greater definition is required as to how the ATO engages with key vendors, supported by greater analysis and monitoring of arrangements, including periodic reporting to the ATO Executive”.
“In this way, the ATO will better define and achieve strategic value from vendors, with better visibility and control of the breadth of, and reliance upon, vendor arrangements,” the ATO’s HPE Review Product, Services and Relationships Report from July 2017 stated.
Broadly, the ANAO’s report suggested that the ATO’s responses to the system failures and unscheduled outages were largely effective, “despite inadequacies in business continuity management planning relating to critical infrastructure”.
In addition to calling for the ATO to build aligned systems outage tolerances into its contracted SLAs with external vendors, the ANAO made two other recommendations.
The Audit Office recommended that the ATO update its business continuity management, IT service continuity management and risk management frameworks to improve and better integrate the identification and treatment of risks to critical infrastructure that may lead to system failures.
“The December 2016 and February 2017 incidents highlight that the ATO did not have a sufficient level of understanding of system failure risks,” the ANAO’s report stated. “The ATO’s risk management and BCM [business continuity management] processes did not include an assessment of risks associated with storage area networks, which were a potential single point of failure.
“Moreover, BCM processes were limited in planning for critical infrastructure and ICT system failure to the data centres.
“As a consequence, the ATO – including DXC and Leidos – were not prepared for the possibility of complete system failure caused by storage failure.”