Florida law[1] establishes that the Division of Emergency Management (Division) within the Department of Community Affairs (Department) has the responsibility for maintaining a comprehensive Statewide program of emergency management[2] to ensure that Florida will be sufficiently prepared to manage all hazards.  In addition, after the unprecedented attacks on the United States of America on September 11, 2001, the Florida Legislature amended Florida law[3] to change State agency disaster preparedness from an individual agency responsibility primarily in response to an emergency within its own agency to a coordinated requirement for disaster preparedness.  The 2004 hurricane season renewed concerns about how prepared State of Florida Executive Branch agencies were in the event a hurricane occurred in the Tallahassee, Florida area. 

The disaster preparedness plans, otherwise referred to as Continuity of Operations (COOP) plans, establish policy and guidance to ensure the execution of Florida’s Executive Branch agencies’ mission essential functions in the event that any State agency or facility is threatened, incapacitated, or required to relocate its personnel or functions.  The amendments to Florida law[4] assigned the Division specific duties to provide guidelines for developing and implementing COOP plans and to approve State agencies’ COOP plans.  The head of each Executive agency covered by this amendment and the appointed State agency emergency coordination officer are assigned specific duties related to the State agency’s COOP plan preparation and implementation. 

Our audit focused on COOP plan and information technology (IT) disaster recovery plan preparation, approval, and implementation for the period March 2005 through June 2005, including selected actions through August 2005, at the following Executive Branch agencies: the Department of Community Affairs (DCA), State Technology Office (STO), Department of Management Services (DMS), Department of Transportation (DOT), Department of Health (DOH), Department of Agriculture and Consumer Services (DACS), Department of Business and Professional Regulation (DBPR), Department of State (DOS), and Department of Citrus (Citrus).  We also evaluated the Division’s progress with providing State agencies guidance for preparing and implementing their COOP and IT disaster recovery plans and the process used by the Division to approve the State agency COOP plans as required by Florida law[5]. 

The results of our audit are summarized below:

Finding No. 1:    COOP plans prepared by Executive Branch agencies and submitted to the Division for approval did not in all instances meet the requirements outlined in Florida law or the Division’s COOP Implementation Guidance and not all plans had been approved as of August 2005.

Finding No. 2:    Division procedures to ensure that State agency IT disaster recovery plans are complete and viable needed improvement.  Not all agency plan testing had been completed or performed annually as of June 2005, and some agency plans lacked evidence of being updated since the original version was prepared.

Finding No. 3:    Division procedures for providing guidance and approval of State agency COOP and IT disaster recovery plans needed improvement. 

Finding No. 4:    Division COOP Implementation Guidance concerning the Division’s periodic review of the State agency COOP plans needed clarification, and the periodic review was not addressed in existing Florida law. 

Finding No. 5:    Distribution controls protecting the nonpublic contents of COOP and IT disaster recovery plans needed improvement.