Audit

Managing business continuity at the public company JP VOKA SNAGA d.o.o.

Last change:
1. 2. 2022

Audit data

Auditee(s)

Audit goal:

To express an opinion on the efficiency of the public company JP VOKA SNAGA d.o.o. in managing business continuity in the field of drinking water supply.

Audited period:
2019 - 2020

Decision:
Decision no.: 321-1/2020/2
Date: 26. 8. 2020

Notes:

Efficiency of the public utility company VODOVOD KANALIZACIJA SNAGA d.o.o. in managing business continuity in the field of public drinking water supply

The Court of Audit carried out an audit of the efficiency of the public utility company VODOVOD KANALIZACIJA SNAGA d.o.o. (hereinafter referred to as: VOKA SNAGA) in managing business continuity in the field of public drinking water supply in the period from 1 January 2019 to 31 December 2020. In the opinion of the Court of Audit, VOKA SNAGA was partially efficient in managing business continuity in the field of public drinking water supply.

VOKA SNAGA, as an essential service provider, supplies drinking water to more than 330,000 users in the Municipality of Ljubljana and several neighbouring municipalities. Although it did not explicitly define business continuity in its internal documentation, it did manage secure and reliable drinking water supply in accordance with the requirements of the ISO 22301:2019 standard on business continuity and with other organisational policies, including a common risk management strategy. The VOKA SNAGA management was committed to providing a secure and reliable drinking water supply and, together with its employees, appropriately managed the risks connected to drinking water supply and carried out continuous process improvement in this field. VOKA SNAGA set up an incident management and monitoring system, including a very well devised event notification system and a well managed documentation system. VOKA SNAGA had no explicitly prepared and adopted business continuity strategy, policy and plan, but the company's risk management system, processes and related activities for managing secure and reliable drinking water supply did enable an uninterrupted drinking water supply. Although VOKA SNAGA did not include business continuity testing in a pre-prepared business continuity plan (as it did not have one), it did test, monitor and check all the crucial elements of acquiring and supplying drinking water. In accordance with organisational quality assurance guidelines, it conducted internal assessments to ensure the operation of an integrated management system, the performance of which was also ensured through individual systems in which the organisation's requirements regarding drinking water supply procedures were checked.

VOKA SNAGA prepared a formal document, Information Security Policy and Policy on Continuous IT Support to Essential Water Supply. This document, that is, the information security policy, was aligned with the requirements of the Information Security Act but was not appropriately integrated into the company's management and quality system. The Information System Recovery Plan was too general and not detailed enough to be used in an actual emergency or disaster, since it lacked precise response plans. General response actions were defined, but they were not integrated with other processes within VOKA SNAGA. Additionally, VOKA SNAGA had no complete information system disaster recovery plans which it could test in practice and which would aid in recovering specific components and systems after a disaster. The information system support provider for VOKA SNAGA had no detailed internal instructions for data restoration. It did, however, occasionally conduct partial data restoration and restoration of virtual servers from backups. VOKA SNAGA also did not prepare instructions for post-restoration analysis of the information system supporting water supply services.

The Court of Audit did not require VOKA SNAGA to submit a response report, but it made several recommendations to further improve the existing situation. VOKA SNAGA implemented several recommendations even before the publication of the audit report.