The computer servers which process almost every pound of Scottish Government spending are at risk of being deluged because they were installed directly under a water tank in a building with a history of leaks, an internal audit has revealed.
The Scottish Executive Accounting System (SEAS) processes more than £32 billion of public expenditure a year, with 2500 people in 40 public bodies using it to handle 1m transactions.
But despite leaks elsewhere in the building where it is housed, and repeated warnings about equipment damage and lost financial data, civil servants have left the SEAS servers at risk for years by postponing their relocation.
Being under a water tank was one of the "main concerns" over the security and management of SEAS raised by an internal audit released to the Herald under Freedom of Information (FoI) law.
SNP ministers initially tried to withhold the document, claiming it was too sensitive for public consumption, but were finally forced to disclose it by the Scottish Information Commissioner.
The report said managers had been aware of the water tank problem for some time, but put off relocating the SEAS computers until an "impending" upgrade made it cost-effective.
Although the report dates from 2010, the computer servers remain in place, and the relocation has now been put back to late 2012.
Back-up servers exist off-site, but the internal audit revealed there was no documented policy on data backup and the reserve computers were only tested once a year.
The audit concluded there was only "reasonable assurance" that the risk, control and governance arrangements for SEAS were adequate, the half-way point on a scale of three levels of assurance.
It said a key factor preventing SEAS earning the highest level of substantial assurance was its base at Victoria Quay (VQ) in Edinburgh.
It said: "SEAS servers are mainly sited in four secure areas within VQ. The risk posed by the server rooms’ location underneath a water tank on the roof of the building was once again noted.
"The risk, although mitigated to some extent by the resilience afforded by off-site back up servers, has been raised in previous reviews (and the impact has been highlighted by recent leaks from water tanks located elsewhere in the building).
Relocating these servers, however, is deemed impracticable and the risk is being borne by SEAS management knowingly."
The report identified a risk that "inadequate physical and environmental controls over hardware and software leads to data corruption or loss".
Although the risk of data loss ought to be low due to resilience arrangements, "primarily real-time copies of the system being made to two stand-by servers (one on-site and one off-site)," the report added the stand-by servers were only tested once a year, and the off-site server, in Saughton House, Edinburgh, was not inspected in the audit.
Labour finance spokesman Ken Macintosh said: "With the summer we’ve had, the Government should count itself lucky it’s still able to function.
"Other governments wrestle with the threat from cyber terrorists and hackers, how Scottish that our problem stems from a leaky loft."
Tory finance spokesman Gavin Brown MSP added: "Almost every small business in Scotland has a more robust approach to risk than the Scottish Government. They should put their hands up, admit they’ve been ignoring a problem for too long, and tell us exactly when they’ll act to resolve it."
A Scottish Government spokeswoman said: "We have separate and robust backup systems off site, and elsewhere in Victoria Quay. We therefore deferred the move until we completed other important system enhancements, and will move the SEAS system into our data centre later this year."