Feature story from Slovenia: Efficiency of managing business continuity of public drinking water supply, short audit summary

25.05.2022

The Court of Audit of the Republic of Slovenia (hereinafter referred to as: Court of Audit) audited the efficiency of the public utility company VODOVOD KANALIZACIJA SNAGA d.o.o. (hereinafter referred to as: VOKA SNAGA) in managing business continuity in the field of public drinking water supply.

It was the second audit by the Court of Audit reviewing the issue of business continuity management. It was started one year after the Republic of Slovenia adopted the Information Security Act, which transposed into Slovenian legislation Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, and which required member states to designate essential service providers. VOKA SNAGA has been designated as an essential service provider because it supplies drinking water to more than 330,000 users in the Municipality of Ljubljana (the capital of Slovenia) and several neighbouring municipalities. The audit focused on the efficiency of VOKA SNAGA's business continuity management in the field of public drinking water supply, since water is the source of life and public water supply is a very important service in every developed country.


Compliance with ISO 22301:2019 was selected as the audit criterion for the business part and COBIT for the IT part of VOKA SNAGA's operations. The Court of Audit found that VOKA SNAGA did not explicitly define business continuity within its internal documentation; it did, however, manage secure and reliable drinking water supply in accordance with the business continuity requirements of the ISO 22301:2019 standard and other organisational policies, including a common risk management strategy. VOKA SNAGA's management was committed to the provision of secure and reliable drinking water supply and, together with its employees, appropriately managed the risks connected to drinking water supply and carried out continuous process improvement in that field. VOKA SNAGA set up an incident management and monitoring system, including a very well devised event notification system and a well managed documentation system.

VOKA SNAGA had no explicitly prepared and adopted business continuity strategy, policy or plan, but the company's risk management system, processes and related activities for managing secure and reliable drinking water supply did enable an uninterrupted drinking water supply. Although VOKA SNAGA could not include business continuity testing in a pre-prepared business continuity plan (as it did not have one), it did test, monitor and check all the crucial elements of acquiring and supplying drinking water. In accordance with its quality assurance organisational guidelines, it conducted internal assessments to ensure the operation of an integrated management system, the performance of which was also ensured through the individual systems in which the organisation's requirements regarding drinking water supply procedures were checked.


VOKA SNAGA prepared a formal document, the Information Security Policy and Policy on Continuous IT Support to Essential Water Supply. This document, specifically the information security policy, was aligned with the requirements of the Information Security Act but was not appropriately integrated into the company's management and quality system. The Information System Recovery Plan was too general and not detailed enough to be used in the case of an actual emergency or disaster, since it lacked precise response plans. General response actions were defined; they were, however, not integrated with other processes within VOKA SNAGA. Additionally, VOKA SNAGA had no complete information system disaster recovery plans that it could test in practice. The information system support provider for VOKA SNAGA had no detailed internal instructions for data restoration. It did, however, occasionally conduct partial restoration of data and of virtual servers from backups. VOKA SNAGA also did not prepare instructions for the post-restoration analysis of the information system supporting water supply services.

The Court of Audit expressed the opinion that VOKA SNAGA was partially efficient in managing business continuity in the field of public drinking water supply. It did not require VOKA SNAGA to submit a response report; it did, however, propose several recommendations for further improvement. VOKA SNAGA implemented several of them even before the publication of the audit report.

Audit infographic is available at
 
Full report (in Slovene language)