The document outlines the IT Manager's contingency plan presentation to the Executive Board and President of the bank. The plan addresses disaster events, recovery planning, technologies used, contingency operations, costs of recovery, employee awareness, impacts on business operations, and conclusions. It includes a table of contents and sections on prologue, disaster events, recovery planning, technology used, contingency of operations, costs of recovery, employee awareness, impacts on business operations, and conclusion. The plan aims to safeguard the bank's systems and operations in the event of an earthquake, political unrest, or other disruptions through strategies such as data backup, identification of roles and solutions, testing, and employee training.
In the present world of high risk and unknown threats, it is necessary for the Security Manager to look for all risks related to the site. His prime responsibility is to view the threat from all perspectives and ensure preventive measures are in place with continual improvement. He should follow the PDCA cycle, i.e. Plan, Do, Check and Act, on a regular basis. The team should consult and discuss the total risk at regular intervals, with discussion of all issues related to security. This will ensure a proper system is in place to provide total security to personnel.
These PowerPoint presentations are intended for use by crime prevention practitioners who bring their experience and expertise to each topic. The presentations are not intended for public use or by individuals with no training or expertise in crime prevention. Each presentation is intended to educate, increase awareness, and teach prevention strategies. Presenters must discern whether their audiences require a more basic or advanced level of information.
NCPC welcomes your input and would like your assistance in tracking the use of these topical presentations. Please email NCPC at trainings@ncpc.org with information about when and how the presentations were used. If you like, we will also place you in a database to receive updates of the PowerPoint presentations and additional training information. We encourage you to visit www.ncpc.org to find additional information on these topics. We also invite you to send in your own trainer notes, handouts, pictures, and anecdotes to share with others on www.ncpc.org.
The term corporate social responsibility (CSR) refers to practices and policies undertaken by corporations that are intended to have a positive influence on the world. The key idea behind CSR is for corporations to pursue other pro-social objectives, in addition to maximizing profits. Examples of common CSR objectives include minimizing environmental externalities, promoting volunteerism among company employees, and donating to charity.
A Lone Worker Policy sets out the aims of the principal officers of a business as part of their employer safety & security strategy, showing how they expect to manage lone working staff and keep them safe. Get a copy of our Lone Worker Policy Checklist to check if your own policy, and ongoing processes of risk identification, assessment and mitigation, training, continuous improvement, and co-operation between all levels of management and staff are helping to keep your lone workers free from harm.
Green shipping refers to the use of resources and energy to transport people and goods by ship and specifically concerns the reduction in such resources and energy in order to preserve the global environment from GHGs and environmental pollutants generated by ships.
This study presentation outlines the role that environmental issues are now playing in business strategy. It looks at the main aspects of environmental legislation and also at the role of CSR (corporate social responsibility), with a particular focus on sustainability.
This paper discusses the rationale for the nationalization of the MRT and LRT system as a catalyst for the development of a quality national mass transit system in the Philippines.
• Define the concept of culture and its impact on individuals, groups and organizations.
• Describe the various cultures that impact individuals, such as national, professional and organizational culture and explain the difference between them.
• Understand and explain the importance of a positive organizational culture for the success of the safety management system.
• Indicate the importance and measures of management commitment.
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docxanhlodge
RUNNING HEADER: Disaster Recovery Plan: Information and Documentation for IBM Company 1
Disaster Recovery Plan: Information and Documentation for IBM Company
NAME
American Military University
ISSC490
A Disaster Recovery Plan is a documented process, and structured approach with instructions that details steps a business will take to recover from an unplanned catastrophic event. IBM highly relies on Information Technology to quickly and effectively process information, and most of its operations are computerized. As such, an IT disaster recovery plan for IBM should be well aligned with the business continuity plan. This is mostly known as risk assessment or threat analysis. Below are resources for documenting a disaster recovery plan for IBM Information Technology infrastructure.
Hardware and Peripheral devices
This generally includes any auxiliary device that is connected and works in conjunction with the computer, such as printers and scanners. When evaluating the hardware, one should determine the risk of losing the machine entirely and damage through hardware failure. The company computer systems may also be at risk of contracting viruses if employees are allowed to go home with laptops or consultants and vendors are allowed to plug in their Personal computers into IBM systems.
Email and Data exchanges
IBM uses shared computers and local area network which is generally a network of computers that share a communication line or wireless link to a server. This puts the company at risk of losing shared applications and information such as inventory control and payrolls. Sharing files using LANs may also lead to contraction of computer viruses and a slow down on the entire company network hence business interruptions. Emails shared through computers in the facility must also be evaluated when determining the risk.
Software Applications
IBM uses end-user programs designed to perform a group of coordinated functions for the fast and effective running of operations. These programs include word processors, spreadsheets, database programs and web browsers. All these programs are a source of vital information while developing a disaster management plan. Theft of software from the facility could be detrimental to the company and may even lead to lawsuits.
IP Addresses
The company internet protocol addresses act as a host or network interface identification. Despite the proxies and anonymity that exist to protect IP addresses, careless setups and gaps on the company’s security firewall could invite unwanted guests. Hackers may use the company IP address to send or retrieve information from the IBM computers.
VPN and Server Access
An evaluation on virtual private networks (VPNs) is necessary for ensuring the protection of private and confidential data. However, hackers may be able to spot weaknesses and stea.
Business Continuity and Disaster Recover Week3Part4-ISr.docxhumphrieskalyn
Business Continuity and Disaster Recover
Week3Part4-ISrevisionSu2013
Introduction
Organizations grow by providing needed products and services. Over time, successful
companies will grow as they continue to fill the need of their customer base. This
includes providing the product and services in a predictable fashion that the client base
has grown to expect. Sometimes disasters occur which are unexpected. These disasters
take various forms and can be caused by various events. Some disasters are manmade and
some are not. Generally, the disasters are not predictable when they happen.
Organizations need to prepare for these disasters. They need to have a plan that protects
their assets, the assets of their clients and provides for continuing business according to
their service level agreements.
The outages that result from a disaster can range from a nuisance to a full blown
catastrophe. Consider an outage that occurs to a computer system that is controlling an
online gaming site, versus an outage to a computer system controlling a nuclear reactor or
hospital intensive care unit.
If something interrupts an organization's ability to provide their product and services,
clients will quickly seek other alternatives.
Sudden interruptions in the delivery of an organization's product and services can occur in
a variety of ways; consider the following few:
Natural disasters such as earthquakes, fire, floods.
When Japan was hit by an earthquake, tsunami and nuclear plant breach their
infrastructure was devastated. Many dependent businesses thousands of miles
away were affected by the inability of the Japanese manufacturers to deliver on
manufacturing commitments such as automobiles and auto parts. The lack of parts
impacted car dealers and car users the world over. Similarly, when Thailand was
hit by floods their ability to deliver disk drives and other semi-conductor parts to
computer manufacturers forced these manufacturers to seek alternate suppliers.
In both these cases organizations that relied on Japan and Thailand to deliver
products to them had to have contingency plans in place for their supply chain.
Without a business continuity plan that had contingencies for alternate suppliers
customers would turn to other alternatives.
Job actions such as: strikes, slowdowns, walkouts
Airline pilots go on strike; forcing customers to seek alternate means of travel for
personal use and business. In some cases, people were forced to seek alternatives
to travel. In some cases business travel was replaced with technology alternatives
such as video conferencing, messages and email. Personal travel was supplanted
with train travel and trips closer to home that could be done with an automobile.
There isn’t much of a contingency for not having trained pilots. But part of a
disaster recovery plan would be to have some good-will gestures in place to win
back the customer base ...
Key Features of Effective Business Continuity PlanContinuSys
No leader wants to think about all the ways in which their businesses might be disrupted but, as the saying goes, failing to plan is akin to planning to fail. Disasters can strike at any moment and without warning, and long-term disruptions can drag on for much longer than anyone may have anticipated. From natural catastrophes to lasting disruption due to far-reaching changes in the market, the best approach to mitigation is a rock-solid business continuity plan.
Read more: https://continusys.com/7-non-negotiable-features-of-any-effective-business-continuity-plan/
Topic Describe each of the elements of a Business Continuity Plan .docxjuliennehar
Topic Describe each of the elements of a Business Continuity Plan (BCP).
Read and respond to below two student’s discussions. (150 words for each response) reflecting on your own experience, challenging assumptions, pointing out something new you learned, offering suggestions
#1. Posted by Sai Srinivas
Most companies till now don't have any backout or disaster plan in their list. It's tough to grow higher and even a cyberattack can damage their information, money, stock price, customers and reputation. All this need to be demolished by having few key elements as part of their business plan called Business Continuity Planning (BCP). We will discuss more about the elements in BCP.
Firstly, create a planning team - depends on the size of the team that includes all the required employees. Next one is perform an analysis on the business products - it's key that we always need to analyze if we need to alter any improvements and also, to calculate the impact for loss, interruption or discretion. Mitigate risks and effective testing - testing always helps to find any security flaws and we can mitigate the cyber risks.
Crisis communications and employee safety - these are very important because if a company hit by any cyber threat, communication should be fast and everyone must be updated and must be on the same page. At this moment, employee safety also comes into the picture as companies need to train them properly during these disasters operations.
Establishment of the business continuity strategies and access to the business resources - Companies must create certain strategies based on the business impact analysis results, their goals, objectives, maintenance of supplier relationships and with policies and standards. Finally, IT operations at off-site locations, companies which are beware of these ransomware attacks, having storing their data as a backup in the offsite centers. This makes a better plan rather than thinking about the lost data and how to recover it - which cannot be done during the current times.
#2. Posted by Naresh
Business continuity planning (BCP) is the process involved in creating a system of prevention and recovery from potential threats to a business organization. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster due to natural causes or human-made mistakes. The important elements of Business continuity process involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters like fire, flood, or weather-related events, Power outages and cyber-attacks. Once the risks identified, BCP strategic steps must involve how those risks will affect operations, implementing safeguards and procedures to mitigate the risks and reviewing the process to make sure that it is up to date.
There are seven key elements for Business c ...
This study will articulate the need for contingency planning and explore the major components of contingency planning. the reader will learn how to create a simple set of contingency plans using business impact analysis and prepare and execute a test of contingency plans.
A business continuity plan (BCP) is a document that includes the key info a company requires to continue running in the case of a crisis.
A business continuity plan incorporates preparations for business operations, capital, people personnel, and strategic partners - any component
of the firm which could be affected. It describes how well a company will keep running through an unforeseen interruption in operation.
What is the purpose of a business continuity plan?
The business continuity plan outlines the fundamental operations of the company, points out the systems and procedures that should be
maintained, and provides instructions regarding how to do so. It ought to account for any potential turbulence in the organization.
A business continuity plan addresses vulnerabilities such as computer hacking, epidemics, natural calamities, and human negligence. A business
continuity plan is essential for an organization to possess to maintain its viability and credibility given the variety of potential hazards. A sound
business continuity plan reduces the likelihood of expensive IT or brownouts.
The strategy is frequently made by IT professionals. The executive staff, on the other hand, takes a role in the process and contributes to the control
and expertise of the business. They likewise see to it that the business continuity plan is frequently updated.
1. Contingency Plan
April 29, 2012
Due to the recent earthquake and political unrest the Executive Board and President are
worried about the safeguard of their system. They called I.T. Manager of the bank to
present his Contingency Plan. Points included in the plan are Disaster Events, Recovery
Planning, Technology Used, Contingency of Operation, Cost of Recovery, Awareness
among the Employees, Impact on Business Operations and Conclusion.
Bank's ATM Business Continuity Plan
2. 2 Contingency Plan Final Project: Information System & IT Audit
Table of Contents:
Prologue
Disaster Events
Recovery Planning
Technology Used
Contingency of Operation
Cost of Recovery
Awareness among the Employees
Impacts on Business Operations
Conclusion
1. Prologue
A Business Continuity Plan is a roadmap for continuing operations under adverse conditions (i.e.
interruption from natural or man-made hazards). BCP is an ongoing state or methodology governing how
business is conducted. Backup plan to run any business event uninterrupted is a part of business
continuity plan. BCP for specified organization is to be implemented for the organizational level in large
scale however backup plan at individual level is to be implemented at small unit scale. BCP’s business
activity focuses on four well-established areas of expertise; Structured Trade Finance, Private Banking,
Treasury services and Correspondent Banking, BCP enjoys a solid reputation as a top quality service
provider in all of these banking fields and serves an ever-growing number of customers and banks with a
wide range of innovative, tailor-made and value-added products and services.
Effective business continuity measures are
critical for any business entity. Our Bank is
committed to protecting its staff and ensuring
the continuity of critical businesses and
functions in order to protect the Bank's
franchise, mitigate risk, safeguard revenues and
sustain both a stable financial market and
customer confidence. The development,
implementation, testing and maintenance of an
effective global Business Continuity and
Disaster Recovery program are required to
sustain these objectives.
A Contingency Plan is a backup plan, activated in the event of a disaster that disrupts a company's
production and puts employees in danger. The goal of the plan is to safeguard data, minimize disruption
and keep everyone as safe as possible. A company may never have occasion to use a contingency plan,
but it is important to have one, keep it updated and train employees what to do if the need arises.
A Disaster Recovery is the process, policies and procedures related to preparing for recovery or
continuation of technology infrastructure critical to an organization after a natural or human-
induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves
planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster
recovery focuses on the IT or technology systems that support business functions.
2. Disaster Events
A disaster event is a sudden event, such as an accident or a natural catastrophe, that causes great damage or loss of business
reputation or clientele. A disaster is a sudden, calamitous event that seriously disrupts the functioning of
ATMs or financial transactions and causes human, I.T. asset, and economic or environmental losses that
exceed the bank's ability to cope using its own resources. The combination of hazards, vulnerability and
inability to reduce the potential negative consequences of risk results in disaster, as shown in the formula:
(VULNERABILITY + HAZARD ) / CAPACITY = DISASTER
Following are the disasters affecting the Bank:
Political unrest
Earthquake
Cybercrime
Terrorist confrontation
Assets larceny
Political unrest is a disturbance or turmoil; also known as agitation.
Earthquake is an unexpected and rapid shaking of earth due to the breakage and shifting of underneath
layers of Earth. Earthquake strikes all of a sudden at any time of day or night and quite violently. It gives
no prior warning. If it happens in a populated area, the earthquake can cause great loss to human life and
property.
Flood is also one of the most common hazards in the United States and other parts of the world. The
effects of a flood can be local to a neighborhood or community. It can cast a larger impact, the whole
river basin and multiple states could get affected. Every state is at its risk due to this hazard.
Cybercrimes are defined as: "Offences that are committed against individuals or groups of individuals
with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm
to the victim directly or indirectly, using modern telecommunication networks such as Internet". There are
also problems of privacy when confidential information is lost or intercepted, lawfully or
otherwise, including espionage, financial theft, and other cross-border crimes.
Theft of IT and Database Assets – taking and removing inventory and/or other assets from the company
premises without attempting to conceal the theft in the books and records. Losses resulting from larceny
of company assets can run into the millions of dollars.
3. Recovery Planning
Disaster recovery planning is a subset of a larger process known as business continuity planning and
should include planning for resumption of applications, data, hardware, communications (such as
networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT
related aspects such as key personnel, facilities, crisis communication and reputation protection, and
should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.
Following are the nine steps we have taken for Recovery Planning:
Step-1 Take inventory of IT Assets
What are we trying to protect? Including applications, telephony/fax, phone numbers, support for IM, and
other "unofficial" apps that we claim we don't support. Don't forget outside, outsourced apps as well. We
need to assemble everything we'll need, including installation media, serial numbers, key codes, etc. Then
we have to rank it all as Critical, Vital, Sensitive, Nice to Have, or Should Be Dead Already and attach
recovery time objectives (RTO) and data loss objectives (DLO) to each one. This is a big deal; we can't
do it in a few days. The security of our business assets is on the line.
Step-2 Assess Risk
What does losing this asset really mean? What is the cost of not having it for the short term? Typically,
this is the cost of downtime, in dollars per hour of lost revenue. But it's a little more complicated than
that. We need to include PR and customer relations costs, for example, and data reconstruction costs.
Some data might not be recoverable; what does that cost? And remember, it's not a straight line. The first
minute of loss has a negligible cost. But at 3 months, we're out of business.
Step -3 Assign Roles
This is pretty straightforward: Who does what. Be explicit. "Multiple people being responsible means
nobody is responsible," says Marks. "Individual people get assigned to individual roles so they can be
held responsible."
Step-4 Identify Possible Solutions
We'll need to develop a matrix of solutions for all our company's vulnerabilities. One perfect solution for
everything will probably be too expensive. Then we need to identify vendors for each service we might
need, from server locations to user work area providers. Decisions should be based on the recovery time
goal -- how long until you're up and running again? -- And the recovery point goal, i.e., when we are up
and running again, what state will we be in?
Step-5 Choose Solutions
Finally, it's time to actually start selecting some solutions. Match your RTO/DLO to your various
applications. And remember, we don't have to restore full functionality for everything instantly. We just
need to keep things going while you figure out more permanent solutions.
Step-6 Implement Solution
Next, we need to test your choices. Do our solutions really work? Can your staff handle them? Do we
have enough bandwidth? Then we need to keep adjusting to balance our solutions against our budget.
Hint: Virtualization is our friend.
Step-7 Create a Recovery Manual
If there's no manual, there's no plan. Nothing you didn't write down will be available in a real disaster.
Don't forget to answer all the awkward questions like, who can declare a disaster?
Step-8 Test Recovery Plan
Ninety percent of all disaster recovery plans fail the initial test. If we haven't tested it, we don't have a
plan. We must do a post-mortem on our test, learn from our failures, and try it again.
Step-9 Train, Maintain & Document
No, we're not done. Disaster planning is an ongoing process, not a set it and forget it enterprise. We've got
to keep testing, training, updating, maintaining, improving, etc.
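An added example, not part of the original presentation: Steps 1, 4 and 5 written as a small Python check that attaches an RTO and DLO to each inventoried asset, orders recovery by rank, and picks the cheapest technology that meets both objectives, reporting a gap where none does. The asset names, objectives, recovery figures and costs are constructed assumptions; only the rank names and technology names come from the plan.

```python
from dataclasses import dataclass

# Ranks from Step 1, most urgent first.
TIERS = ["Critical", "Vital", "Sensitive", "Nice to Have", "Should Be Dead Already"]


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str
    rto_hours: float  # recovery time objective: longest tolerable outage
    dlo_hours: float  # data loss objective: longest tolerable window of lost data


@dataclass(frozen=True)
class Solution:
    name: str
    recovery_hours: float   # worst-case time until the asset is usable again
    data_loss_hours: float  # worst-case window of data lost at failover
    annual_cost: int


# Constructed inventory (Step 1). Values are illustrative assumptions.
ASSETS = [
    Asset("Internal email", "Vital", rto_hours=24, dlo_hours=4),
    Asset("ATM transaction switch", "Critical", rto_hours=1, dlo_hours=0.25),
    Asset("HR intranet", "Nice to Have", rto_hours=168, dlo_hours=24),
    Asset("Core banking database", "Critical", rto_hours=4, dlo_hours=0),
    Asset("Card authorisation service", "Critical", rto_hours=0.25, dlo_hours=0),
]

# Constructed solution matrix (Step 4). Technology names are from the plan's
# list; the recovery, data-loss and cost figures are assumptions.
SOLUTIONS = [
    Solution("Disk Replication-Mirroring", 0.5, 0, 120_000),
    Solution("Remote Journaling", 6, 0.25, 40_000),
    Solution("Electronic Vaulting", 24, 4, 15_000),
    Solution("Conventional Backup", 72, 24, 5_000),
]


def recovery_order(assets):
    """Order assets by rank, then by tightest RTO within a rank."""
    return sorted(assets, key=lambda a: (TIERS.index(a.tier), a.rto_hours))


def plan_recovery(assets, solutions):
    """Step 5: cheapest solution meeting BOTH objectives, or None for a gap."""
    plan = []
    for asset in recovery_order(assets):
        fits = [
            s for s in solutions
            if s.recovery_hours <= asset.rto_hours
            and s.data_loss_hours <= asset.dlo_hours
        ]
        chosen = min(fits, key=lambda s: s.annual_cost) if fits else None
        plan.append((asset.name, chosen.name if chosen else None))
    return plan


def gaps(plan):
    """Assets for which no listed solution meets the stated objectives."""
    return [name for name, solution in plan if solution is None]


if __name__ == "__main__":
    result = plan_recovery(ASSETS, SOLUTIONS)
    for name, solution in result:
        print(f"{name:28} -> {solution or 'NO SOLUTION MEETS RTO/DLO'}")
    print("Gaps to take back to Step 4:", gaps(result))
```

A gap means either the objective is tighter than any option in the matrix or the matrix is missing an option; both are findings to resolve before the recovery manual is written.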
4. Technology Used
As IT systems have become increasingly critical to the smooth operation of a company, and arguably the
economy as a whole, the importance of ensuring the continued operation of those systems, or the rapid
recovery of the systems, has increased.
It is estimated that most large companies spend between 2% and 4% of their IT budget on disaster
recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to
function due to loss of IT infrastructure and data.
As a result, preparation for continuation or recovery of the Bank's ATM systems needs to be taken very
seriously. This involves a significant investment of time and money with the aim of ensuring minimal
losses in the event of a disruptive event. The following is a list of common technologies used for data
protection and data recovery:
SAN Network Technology
Disk Replication-Mirroring
Disk Replication-Shadowing
Clustering Symmetric
Clustering Asymmetric
Conventional Backup
RAID
Network Attached Storage (NAS)
Standby Operating System
Storage Virtualization
Hot Network Nodes
Virtual Private Networks (VPN)
Cloud computing
Mobile Data Centers
Remote Journaling
Electronic Vaulting
But we prefer the following technologies which are beneficial to us in order to update back-ups and
retrieve them in the shortest possible time, in case of failure of mainframe or in case of disaster, to ensure
proper working of the worldwide ATM network:
STORAGE AREA NETWORK (SAN):
A storage area network (SAN) is a dedicated network that provides access to consolidated, block level
data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries,
and optical jukeboxes, accessible to servers so that the devices appear like locally attached devices to
the operating system. A SAN typically has its own network of storage devices that are generally not
accessible through the local area network by other devices.
BENEFITS
Sharing storage usually simplifies storage administration and adds flexibility since cables and storage
devices do not have to be physically moved to shift storage from one server to another. Other benefits
include the ability to allow servers to boot from the SAN itself. This allows for a quick and easy
replacement of faulty servers since the SAN can be reconfigured so that a replacement server can use
the LUN of the faulty server. While this area of technology is still new many view it as being the future of
the enterprise datacenter.
SANs also tend to enable more effective disaster recovery processes. A SAN could span a distant location
containing a secondary storage array. This enables storage replication either implemented by disk array
controllers, by server software, or by specialized SAN devices. Since IP WANs are often the least costly
method of long-distance transport, the Fibre Channel over IP (FCIP) and iSCSI protocols have been
developed to allow SAN extension over IP networks.
Disk Replication-Mirroring
Active (real-time) storage replication is usually implemented by distributing updates of a block device
to several physical hard disks. This way, any file system supported by the operating system can be
replicated without modification, as the file system code works on a level above the block device driver
layer. It is implemented either in hardware (in a disk array controller) or in software (in a device driver).
The most basic method is disk mirroring, typical for locally-connected disks. The storage industry
narrows the definitions, so mirroring is a local (short-distance) operation. A replication is extendable
across a computer network, so the disks can be located in physically distant locations, and the
master-slave database replication model is usually applied. The purpose of replication is to prevent
damage from failures or disasters that may occur in one location, or in case such events do occur,
improve the ability to recover. For replication, latency is the key factor because it determines either
how far apart the sites can be or the type of replication that can be employed.
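The trade-off described above, as an added Python example that is not part of the original plan: synchronous replication pays the inter-site round trip on every write but loses no acknowledged data, while asynchronous replication acknowledges locally and loses whatever has not yet reached the DR site. The 5 microseconds/km fibre delay, the 1 ms local write time, the 100 ms shipping interval and all function names are assumptions.

```python
import math

FIBRE_US_PER_KM = 5.0  # assumed one-way propagation delay in optical fibre (microseconds per km)

def round_trip_ms(distance_km):
    """Propagation-only round trip between the primary and the DR site, in ms."""
    return 2 * distance_km * FIBRE_US_PER_KM / 1000.0

def max_sync_distance_km(write_budget_ms, local_write_ms):
    """Farthest DR site that keeps synchronous writes inside the latency budget."""
    spare_ms = write_budget_ms - local_write_ms
    return max(spare_ms, 0.0) * 1000.0 / (2 * FIBRE_US_PER_KM)

def replay(write_times_ms, failure_ms, distance_km, mode,
           local_write_ms=1.0, ship_interval_ms=100.0):
    """Replay writes up to a primary-site failure at failure_ms.

    sync : a write is acknowledged only after the DR copy confirms it, so
           every acknowledged write already exists at the DR site.
    async: a write is acknowledged locally and shipped at the next batch
           boundary; anything that has not arrived by the failure is lost.
    Returns (ack_latency_ms, acknowledged_writes, lost_writes).
    """
    if mode not in ("sync", "async"):
        raise ValueError("mode must be 'sync' or 'async'")
    rtt = round_trip_ms(distance_km)
    acked = lost = 0
    for t in write_times_ms:
        done_local = t + local_write_ms
        if mode == "sync":
            if done_local + rtt <= failure_ms:
                acked += 1  # confirmed by both sites before the failure
        elif done_local <= failure_ms:
            acked += 1
            # next shipping boundary, then one-way transit to the DR site
            batch = math.ceil(done_local / ship_interval_ms) * ship_interval_ms
            if batch + rtt / 2 > failure_ms:
                lost += 1
    ack_latency_ms = local_write_ms + (rtt if mode == "sync" else 0.0)
    return ack_latency_ms, acked, lost
```

With one write every 10 ms and a failure at 500 ms, a 1000 km link gives 11 ms per write and no lost data in sync mode, against 1 ms per write and the last shipping interval's writes lost in async mode.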
5. Contingency of Operation
The purpose of Contingency of Operation (COOP) is to ensure that agencies are able to continue performing
essential functions under a broad range of circumstances. The points for contingency of operations are as follows:
Identify System Recovery Time (SRT)
System Recovery Time (SRT) activity takes place after a disaster is confirmed. The organization must
plan the order of priority that it will use to recover hardware systems and components, in order to meet
business process RTO.
Identify Data Currency for the Applications
Operational activity that supports the application RPO must take place before the business disruption or a
disaster event. After the disaster occurs, applications and data at the affected site are unavailable to
execute the DRP.
Identify Data Backup Strategies
Prior to selecting a data recovery (DR) strategy, a DR planner should refer to their Bank's BCP, which
should indicate key metrics of recovery point objective and recovery time objective for business
processes.
There are three main types of backup sites:
● cold sites
● warm sites
● hot sites
Differences between them are determined by costs and effort required to implement each. Another term
used to describe a backup site is a work area recovery site.
Identify Critical Personnel and Recovery Teams
The applications and host systems are dependent upon personnel with unique knowledge, skills, and
abilities. Identifying the staff who have the knowledge to recover the infrastructure that supports the
business processes is key to a DRP. Essential support personnel should be identified along with their skill
sets.
Testing the Disaster Recovery Plan
To obtain the most value from a disaster recovery test, explicit test objectives and success criteria are
required. The use of test objectives and success criteria enables the effectiveness of each DRP element and
the overall Business Continuity Plan to be assessed. The two major test criteria are the recovery of the
network within its RTO with data currency within the RPO.
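One way to score a DR drill against the criteria above, as an added Python example that is not part of the original plan. The application names, objectives, log format and function names are all constructed for illustration; RTO is measured from the disaster event to restoration and RPO from the last replicated copy to the disaster event.

```python
from datetime import datetime

# Constructed objectives (assumed values): recovery priority, RTO and RPO in minutes.
OBJECTIVES = {
    "atm-switch":   {"priority": 1, "rto": 60,  "rpo": 5},
    "core-banking": {"priority": 2, "rto": 120, "rpo": 15},
    "reporting":    {"priority": 3, "rto": 480, "rpo": 240},
}
# Constructed drill log: disaster event, last replicated copy and restore time per app.
DRILL_LOG = """\
2024-03-02T09:00:00 DISASTER site=primary
2024-03-02T08:57:30 LAST_COPY app=atm-switch
2024-03-02T08:40:00 LAST_COPY app=core-banking
2024-03-02T07:00:00 LAST_COPY app=reporting
2024-03-02T09:48:00 RESTORED app=atm-switch
2024-03-02T10:50:00 RESTORED app=core-banking
2024-03-02T10:20:00 RESTORED app=reporting
"""

def evaluate_drill(log_text, objectives):
    """Return {app: result} with achieved RTO/RPO in minutes and a pass flag."""
    disaster, seen = None, {"LAST_COPY": {}, "RESTORED": {}}
    for line in log_text.strip().splitlines():
        stamp, event, detail = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "DISASTER":
            disaster = when
        elif event in seen:
            seen[event][detail.split("=", 1)[1]] = when
    if disaster is None:
        raise ValueError("drill log has no DISASTER event")
    results = {}
    for app, goal in objectives.items():
        if app not in seen["RESTORED"] or app not in seen["LAST_COPY"]:
            results[app] = {"passed": False, "reason": "missing drill record"}
            continue
        rto = (seen["RESTORED"][app] - disaster).total_seconds() / 60   # recovery time achieved
        rpo = (disaster - seen["LAST_COPY"][app]).total_seconds() / 60  # data-loss window
        results[app] = {"rto": rto, "rpo": rpo,
                        "passed": rto <= goal["rto"] and rpo <= goal["rpo"]}
    return results

def priority_violations(results, objectives):
    """Pairs (early, late) where a lower-priority app was restored before a higher-priority one."""
    done = [a for a in results if "rto" in results[a]]
    return [(lo, hi) for hi in done for lo in done
            if objectives[lo]["priority"] > objectives[hi]["priority"]
            and results[lo]["rto"] < results[hi]["rto"]]
```

On the sample log, core-banking fails on data currency (20 minutes against a 15-minute RPO) even though it meets its RTO, and reporting is flagged as restored ahead of the higher-priority core-banking system.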
6. Cost of Recovery
Cost considerations related to Disaster Recovery become increasingly important as the numbers of
platforms and servers grow. IT decision makers should strive to ensure that all decisions regarding
technology platforms are based on accurate and complete cost-comparison information.
When choosing the best platform for hosting each business-critical application, it is important to consider
DR and the associated costs and complexities to be able to calculate the total cost of ownership (TCO)
and risk for each application. Ancillary costs should also be evaluated and budgeted. These will include
disaster declaration fees and ongoing usage fees, which for ATM operations generally add up to
those of comparable mainframe operations.
The key cost elements of DR include:
1. Backup/Restore Cost
    ● Backup
    ● Restore
    ● SAN effort
    ● Effort for Complete Site recovery
    ● Recovery
2. Deployment and Support Cost
    ● System Programming
    ● Middleware
    ● Application
    ● Maintenance
    ● Distribution Licensing
    ● Upgradation
3. Infrastructure Cost
    ● Space
    ● Power
    ● Network Storage
    ● Initial Hardware
    ● Software
    ● Maintenance
4. Human Resource Cost
    ● Personnel Education
    ● Training
5. Operation Effort Cost
    ● Monitoring
    ● Problem Determination
    ● Server Management Tools
    ● Integrated Server Management
6. Cost of Security Measures
    ● Authentication
    ● User Administration
    ● Data Security
    ● Server and OS security
7. Cost of Utilizing Resources
    ● Resource sharing
    ● Resource acquisition
    ● Resource transportation
    ● Resource Peak time handling
    ● Performance management
    ● Load balancing
8. Cost of Integration
    ● Integrated functionality
    ● Handling 3rd Party tools
    ● Integration of standards
9. Availability Cost
    ● High availability
    ● Hours of operation
7. Awareness among the Employees
If a Business Continuity Plan (BCP) is to be executed successfully, all personnel must not only be aware
that the plan exists, but also know its contents, together with the duties and responsibilities of each party.
● A comprehensive training program that reaches every employee.
● All employees need awareness training annually.
● The training must be auditable.
Employee Acknowledgement Form:
For audit purposes, every employee, including senior management, will sign an acknowledgement form to
be retained by Human Resources. This same form has been added to the New Employee Orientation
(NEO) program, so new employees will immediately become part of the Business Continuity Plan.
Training-Level I: On an annual basis, Human Resources will send out a BCP Awareness Training form
to all employees. The forms will be retained in the employee’s personnel file. This one page form
accomplishes three major auditable requirements:
● It makes every employee aware of the existence of a company-wide BCP.
● It makes every employee aware of the fact that should a disaster occur, the employee is to look
to their supervisor for direction concerning what to do.
● The employee is asked to sign the form acknowledging the above two items.
Training-Level II: This level is geared towards back-office & branch managers & supervisors.
The focus is on Emergency Action Plans for all facilities and departments.
● A brief PowerPoint presentation provides an overview of general Business Continuity Planning
(BCP) and explains the responsibilities & duties of a “First Responder”.
● A brief introduction to the company’s Business Continuity Plan from the distribution CDs.
● Makes every First Responder aware of their duties & responsibilities during a disaster. Namely:
    ● Get their employees and customers to safety.
    ● Call 1122/15, if necessary.
    ● Escalate the situation to their direct management, if needed.
    ● Deal with the disaster until help arrives.
Training-Level III: This training package is geared toward senior management, including those who will
be responsible for providing strategic guidance through a disaster and the subsequent Business
Resumption.
The training consists of the following elements:
● BCP - A brief introduction to the company’s Business Continuity Plan from the distribution CDs.
● ICS - A detailed explanation of our Incident Command System (ICS).
● EOC - An explanation of how our Emergency Operations Center (EOC) is set up, how it is activated and
what to do if the primary EOC isn’t usable.
8. Impact on Business Operations
The impact of business continuity management on business operations becomes obvious not because it means
you will survive into the distant future, but because it will make you a better and more competitive
business today. We categorize the impacts into two types, pre-disaster and post-disaster:
Pre-disaster Impacts
● Having a top-quality, tried and tested business continuity management structure in place helps our
Bank stand out from others.
● This will become an even stronger competitive advantage over the next few years as business
continuity standards take hold around the world and their associated accreditation schemes
highlight those Banks that have taken business continuity seriously.
● The time may come when companies will only be able to do business with the public sector, for
example, if they can show that they are accredited to a business continuity standard. If this
happens, companies that are prepared NOW will gain a strong advantage over their competitors
who are trying to play ‘catch up’.
● Another non-disaster related impact of business continuity management is that it can help to
create a business which operates its systems to the optimum level.
● The company that successfully operates a true business continuity management culture will have
systems that are more effective, more efficient and more fully utilized than their competitors.
● Such a company will be able to maximize the return on investment it makes in business
processes.
● It will be more productive, more reliable and an excellent partner and supplier.
● When it sets a deadline it will meet it. When it undertakes a project, it will deliver on time and on
budget.
Post-disaster Impacts
● It is well documented that an effective disaster response can help a company’s share price to
increase and its reputation to become stronger. The definitive study in this area was carried out by
Knight and Pretty (‘The impact of catastrophes on shareholder value’, 2000).
● The business that recovers most quickly from a wide-area disaster is the business which is able to
capitalize on the situation.
● Disasters create new markets and open up existing ones. This may allow the rapid development
and launch of new banking/ATM services.
● Or, if our ATM services are available when a competitor’s aren’t, we can gain temporary market
share, which may become permanent if our ATM services are at least as good as our
competitor’s.
9. Conclusion
The success of a BCP depends on the effective data replication mechanism followed between DC and DR,
which in turn is directly related to the requirements of the banks. The process implemented for the data
replication requirement has to conform to this with no compromise to data and transaction integrity, and
should ensure seamless resumption of operations to the maximum extent possible. This should be
conformed to in the DR simulations and reported accordingly to the Top Management as well. It is true
that the operational aspect involves technology, but knowledge of technology alone is not sufficient for
this exercise. It includes activities in risk management, crisis management, identification of business
processes, impact analysis, cost benefit analysis, storage management, network management, continuity
planning, recovery planning, training, communication and coordination.
…THE END…