Source · Select Committees · Public Accounts Committee
Recommendation 26
Accepted
Department received specific funding to upgrade high-risk legacy IT systems over three years
Conclusion
We asked the Department if it had been given extra resources to deal with some of its legacy IT and what its plans were. The Department confirmed it did get specific funding in the Spending Review for both its increase in cyber security and its ‘legacy tech debt’ programme. It explained that it had aggregated the risk scores for every single system it had categorised, scoring each system against a number of dimensions. Over the next three years, it was planning to upgrade its high-risk legacy systems with the aim of reducing its overall risk score from legacy IT by 58%. The Department said that it planned to tackle the larger systems used by more staff and customers first, with the 36 highest-risk systems being addressed this year. It told us that it was not that its legacy systems could not be protected from cyber attack, but it had to put layers of protection in place so that specific threats relevant to one bit of the overall system were lessened. [39]
Government Response Summary
The government is already upgrading its high-risk legacy systems, aiming to reduce overall risk by 58% over the next three years and plans to tackle the largest systems first.
Government Response
Accepted
HM Government
5.1 The government agrees with the Committee’s recommendation.
Recommendation implemented
5.2 By 2030-31 the department’s legacy systems will become outdated. This could affect the department’s ability to deliver services efficiently and may lead to higher long-term operating costs. Recognising the significant risk, the department analysed 250 systems in scope and developed an accelerated plan to address the 36 most critical systems which account for around 65% of the caseload, within the coming Spending Review.
5.3 The plan has three main steps:
• full transformation of some services, this is ongoing and includes migration from old systems;
• agreed treatment plans, such as refactoring, for the remaining systems; and
• code fixes where required.
5.4 This was estimated to take the next five years, however with acceleration to resolve earlier, this will be delivered over the next three years.
5.5 Where systems are being transformed, customers will experience an improved level of service enabling them to take advantage of online features, such as being able to report a