Cabinet Office signs six-figure deal for dashboard to track progress on UK's cyber goals

Consultancy will produce data in digital format that is "easily digestible for decision makers"

By Sam Trendall

06 Feb 2024

The Cabinet Office spends more than £7m a year maintaining and remediating the risks posed by four legacy systems rated as posing the highest level of risk, a minister has revealed.

Recent parliamentary disclosures revealed that the central department currently has in operation four IT systems rated as red on the Legacy IT Risk Assessment Framework created by the Central Digital and Data Office – which is based within the Cabinet Office.

Red is the most severe rating and indicates that a technology platform is operating “at a critical level of risk, where the likelihood of encountering issues or failures is significant, and the potential impact of these issues could be severe”, according to the text of the framework.

Alex Burghart, a minister at the Cabinet Office with responsibility for tech and data issues, has now revealed that, during the past three years, the department has “budgeted £21.4m” to “develop, sustain or migrate” the four red-rated systems.

“Spending within that timeframe has been consistent with the budget,” he said, in answer to a written parliamentary question from Labour MP Matt Rodda.

This equates to more than £7m being spent by the central department each year on maintaining or fixing its four riskiest legacy IT platforms.

The minister added: “In addition, the Cabinet Office is currently refining its approach to the definition and management of legacy systems.”

The risk assessment framework created by CDDO has already identified scores of systems across government that are operating at the highest level of risk.

The guidance was updated four months ago and now includes, as part of its definition of legacy risk, consideration of the issues that can be caused by waning knowledge of the technology’s operation, as well as covering issues with downtime in the recent past.

The expanded definition now contains seven “indicators” that a hardware or software platform is likely to be considered legacy: software out of support; expired vendor contracts; too few people with required knowledge and skills; inability to meet current or future business needs; unsuitable hardware; known security vulnerabilities; recent problems or downtime.

The framework also takes into account six areas of “impact” that can be affected by the use of legacy IT: national security; government’s reputation; finances and budgets; external stakeholders; operations; other technology systems.

To arrive at an overall risk rating for a legacy system, the assessment guidance sets out a calculation that takes into account the respective scores across all seven indicators and six impacts.

In his parliamentary response, Burghart added: “The Cabinet Office employs the Legacy IT Assessment Risk Framework, a standardised methodology designed by the Central Digital and Data Office, to assess the risks associated with legacy digital technology assets across His Majesty’s Government. The highest category of risk within the framework is known as ‘red-rated’. This approach enables the Cabinet Office to generate a prioritised overview of our legacy technology, clearly highlighting assets that necessitate remediation plans and the allocation of suitable funding for implementation.”

Figures recently released by ministers revealed that there are at least 43 red-rated systems in use throughout government, with 11 of those implemented at the Ministry of Defence, more than any other department. HM Courts and Tribunals Service came in second with nine, followed by the Department for Work and Pensions with six, the Ministry of Justice with five, and the Cabinet Office and HM Revenue and Customs with four each.