Shared responsibility for the email disruption
Last autumn, several of the university’s servers crashed. This led to around half of employees losing access to their email and calendars. The reasons behind the outage have previously been investigated in a technical report. The internal audit has now also submitted a report on the issue of responsibility, which notes that the responsibility lies with both the university and the email service provider.
In January, the internal audit presented a report to the University Board on the circumstances regarding the email outage. Find out more here: Technical investigation of the e-mail crash presented to the University Board.
The internal audit has now also submitted a report on the issue of responsibility, and has informed Vice-Chancellor Eva Wiberg and Chair of the University Board Peter Larsson of its conclusions.
Five key areas relating to responsibility
The internal audit is of the opinion that five areas are critical in terms of the issue of responsibility.
- Lack of a traditional back-up
If the university had maintained a traditional back-up, the damage caused by the outage would have been marginal. Since GU introduced the current email solution in 2015, there have been plans and initiatives aiming to introduce a back-up system. This planning resulted in a decision that the email process should be migrated to the cloud (Exchange on Cloud), but this had not yet happened at the time of the crash.
The university’s solution complied with Microsoft’s best practice, and the internal audit is therefore of the opinion that the decision not to have a traditional back-up cannot be described as incorrect.
- Lack of a support agreement
The IT unit is responsible for signing and administering support agreements for the operation of email services. Atea was commissioned by the IT unit to inventory these agreements in 2019. Based on the results, the IT unit requested a quotation from Atea and placed an order in accordance with this. However, the report from the internal investigation shows that the information contained in this quotation did not correspond with the inventory, resulting in no support agreement being signed for the disks used for storage. This may have contributed towards GU not receiving information about the so-called 40k bug.
According to the internal audit, the parties have shared responsibility for the lack of a support agreement. On the one hand, it could be said that the IT unit should have checked the documentation carefully. On the other hand, the IT unit could justifiably have expected Atea to supply accurate documentation.
- Actions in connection with the crash
Back in August, a large number of the hard disks in one of the university’s two server rooms (server room A) crashed. However, this crash did not affect the use of email since the other server room (server room B) then took over operation. An email dated 21 August from Atea to GU, before the major crash of 18 September, stated that the problem was a serious one and that intensive work was taking place in which Atea was receiving assistance from both Dell and Microsoft. The email also stated that this involved the so-called 40k bug, but that the disks in server room B (which subsequently crashed) were “not in danger”. As a result, the necessary action was not taken.
According to the internal audit, it could be claimed that the IT unit should have questioned this information, but this should be viewed in the light of Atea having operational responsibility for email and having established contact with Dell.
- The information flow
The internal audit is of the opinion that the IT unit should have communicated the information about the risks relating to email operation upwards within the organisation no later than the end of August, when the circumstances became known. As it was, this information remained within the IT unit.
- The service agreement
The internal audit is of the opinion that Atea had significant and far-reaching responsibility based on the service agreement signed with GU, not least from the perspective of external monitoring in relation to the bug in question.
“We share the conclusions about responsibility lying with both parties,” says Eva Wiberg. “We now need to analyse our share of the responsibility carefully and see which additional measures can be taken, for example regarding internal procedures, to avoid similar events occurring in the future.”
The University Director has already been tasked with ensuring the security of the IT environment based on the internal audit’s recommendations in the technical investigation into the course of events.
BY: Ulrika Lundin