It Audit

Pranay Bhardwaj

Disaster Recovery Planning

Introduction Hurricane Sandy is regarded as one of the most devastating natural disasters to strike the city of New York. People have different recollections of that time period, with some who recall the catastrophic damage done to their home, while others remember the 4 hours of wait just to fill up their cars with gas. For financial institutions, such as Citi bank, it was a time for the management team to pat themselves on the back and breathe a sigh of relief for being able to secure important data centers and keep bank operations running. All this was a result of successful implementation of Citi’s “Disaster Recovery Plan”.

What is a Disaster Recovery Plan? Just like the disaster discussed above, every week, month, and year, companies are exposed to risks of potential disasters that can affect the continuation of vital business processes. When critical processes and applications are lost, the company can incur damages ranging anywhere from $5,000- $5,000,000 per minute, depending on the size and function of the company. Some companies never recover from the excessive damage they incur during the time of the disaster, and may be forced out of business. To avoid such a situation, companies, particularly banking institutions, are heavily encouraged to have a disaster recovery plan in place. A disaster recovery plan is a powerful tool that allows companies to shield itself from any calamity that occurs, be it natural or man made. The focal point of a disaster recovery plan is business continuity. Business continuity is an activity performed by a company to ensure that critical business functions will be available to customers, clients, and regulators. Disaster recovery is a process that allows for business continuity, particularly in operations and technology infrastructure, during a time of disaster. The plan provides an effective solution that can be used to recover all important business processes within a reasonable time frame using records that are stored off site. To create a disaster recovery plan, the company must have a disaster recovery management system in place, which serves as an ongoing process of planning, developing, testing and implementing disaster recovery procedures and processes.

What is the problem? Despite the level of protection a disaster recovery plan provides, according to a survey performed by benchmark in 2014, a majority of companies are not prepared to recover critical IT systems in the event of a disaster. Having a stable IT system is an absolute requirement for almost all companies. It is almost impossible for companies and financial institutions to function without information systems for data processing, storage and communication. Therefore, the risk of losing/deleting critical files within the information system can prove to be detrimental to a company. Aside from natural disasters, a company’s information system faces significant risks from hackers, who attempt to steal confidential information such as trade secrets. As a result, these losses of critical systems cost businesses a substantial amount of money and damage their reputation. The root cause of such negative statistics is that many companies are faced with the problem of having inconsistent, or complicated IT disaster recovery planning guides, that eventually the company decides that it lacks sufficient resources for the completion of the plan. However, to ignore these risks is not a feasible solution, particularly for banks that are responsible for driving the global economy. With that being said, it is essential for banks not only to have a disaster recovery plan in place, but to perform disaster recovery planning on an ongoing basis. This is further stressed by federal agencies, which provide IT disaster recovery planning guidelines that banks must follow. However, even with guidelines in place, IT disaster recovery is a very difficult task. The difficulty mainly stems from the rapid pace at which technology changes on a yearly basis. The change makes it very difficult to ensure that the proper steps and controls to mitigate risks are in place.

Scope and Objectives of the plan
When designing a disaster recovery plan, it is important to highlight key steps and measures that need to be taken during the time of a disaster. This means, should an emergency situation occur, employees and management should be able to rely on this plan to provide an effective method to deal with the crisis situation, as well as lessen the potential negative impact it may have with shareholders and stakeholders.
Therefore the plan should provide information on how to handle crisis events and provide procedures for the following: * Executives * Legal * Investor Relations * Corporate Communications * Corporate Administration * Marketing and Sales * Human Resources * Technology Management

In addition the plan should clearly indicate the responsibilities of various staff, as well as procedures and checklists that will be used to manage the situation post the disaster occurrence.

Components of Disaster recovery planning

1) Risk Assessment: This component involves procedures geared towards detecting, communicating, and for warning recovery team members and stakeholders. The process of detection is straightforward for the most part, as it involves detecting IT disasters. The process of warning involves alerting key team members involved with recovery that a disaster has occurred, and for them to jumpstart the recovery process. In order to create an effective plan, management needs to maintain an open mind when assessing all types of disasters that the firm can encounter, and how they would affect it’s business continuity. This requires taking every single potential risk in account from power failures to terrorist attacks. Therefore, what management is essentially doing, is taking all predetermined risks and contemplating a response to these risks. 2) Preparing employees: This component first and foremost deals with disaster recovery team training. The team consists of those who are responsible for recovering IT service. During this training, the team is familiarized with their individual responsibilities. Non-team members, specifically stakeholders, are also given training during this time. The reason for this is that during times of disaster, stakeholders must be aware of the implications of IT disasters and what to do when IT services are down. Training also touches on decision making authority in cases where employees are missing, disabled, or unable to establish authority. 3) IT services analysis: This component can be further broken down into 3 subsections which include, identifying IT services, prioritizing IT services in terms of reactivation, and identifying potential threats. When identifying IT services, management must conduct a review of all services that an IT department offers to other departments within an organization. The focus would be on services such as email communications. The second section, prioritizing services, involves procedures meant to determine the order in which IT services should be restored. This requires determination of the specific business units that are dependent on the service and the importance of the service to business continuity. The third section involves identification of risks to the IT services. 4) Business Impact Analysis: The main task in performing this analysis is to acquire an understanding of which processes in the business are absolutely essential, and what the impact would be of a disruption due to a potential disaster identified during risk assessment. It is during this time that RTO and RPO are established. RTO of recovery time objective, is the duration of time within which a company must restore its business processes after a disaster, before incurring excessive losses. In other words, how much time did the business take to restore its processes after a disaster has occurred. The RPO or recovery point objective, can be viewed as a marked period of time. This means that when disaster strikes and the recovery process is in effect, all data leading up to that marked point need to be restored. Both RTO and RPO are established when performing the business impact analysis. The business impact analysis is where research is conducted to determine the likely impact of a disruption to the company in terms of loss of business, effects on reputation, loss of staff and loss of data.
.
5) Recovery process: This component focuses on restoring IT service inputs and switching IT operations to alternative facilities. The restoring process involves the restoration of 6 processes: human resources, facilities, communications technologies, servers, application systems, and data. The human resource function is made up of individuals who provide the labor needed for IT services. The facilities category involves restoring IT inputs that are physical in nature such as, buildings, utilities, and heating/cooling. The communications category involves restoring inputs needed to communicate via video, voice, or data. The means of communication can include anything from cell phones to local area networks. The server category includes physical hardware responsible for managing networks. The application systems category is a combination of both hardware and software which support computing needs. The data category is essentially a compilation of raw facts and figures. Finally, this component also deals with securing alternative facilities for IT services in case of the primary location going offline. 6) Backup Procedures: This component is strictly concerned with creating backup copies of data, software, configuration files, and the disaster recovery plan itself. 7) Offsite storage: Offsite storage involves procedures which ensure that all systems, software, and data going out of the primary location are made as portable as possible. This means that the firm must organize everything to be easy to transport. As far as the offsite storage facility is concerned, management must make sure that the location of the facility allows for easy transport and storage of materials. 8) Maintenance: The maintenance component can be regarded as one of the most essential components of recovery planning. Maintenance involves testing and updating the IT disaster recovery plan, and making sure that the plan fits within the scope of it’s business continuity plan. When testing the plan, the key focus is to ensure that the IT disaster recovery plan will work in the event of a disaster. The plan is then updated to reflect changes in IT services and inputs, and to correct any shortcomings that were identified during the testing stage. In addition to updating the plan, there is also a responsibility to update documentation such as configuration manuals, network schematics, and logs on a regular basis. This documentation may not be included in the actual plan, but may prove to be useful in the event of emergency. Even with testing and updates, it is impossible for management to predict every threat that is relevant to IT services, and therefore the recovery process should not be considered completely comprehensive. This means that there will be cases, where it may be necessary to create new plans from scratch.
Essentials of a disaster recovery plan in the banking industry The importance of a disaster recovery plan is evident. For the most part the basic requirements of a disaster recovery plan for all companies remain consistent, however for institutions such as banks that are so heavily regulated by the federal government, the task of planning may be a little more daunting. In some ways it is fitting for banks to be at the forefront of disaster recovery planning, as they were in fact one of the first entities to embrace information technology in the business world. This has led to the birth of the automated clearinghouse association, formed by seven banks based in Philadelphia in the mid 1970’s. The purpose of this association was to address the issues of how banks should implement data recovery if their computer systems go down. In 1983, the US government officially mandated all banks to have a disaster recovery plan. With the passing of this law, it became apparent that banks face certain challenges in the planning process such as the following: * Detailed Planning: In the banking industry, being obsessive towards planning is a must when constricting a recovery plan. The importance of this became apparent during the time of the 1993 world trade center bombings. Nearly two thirds of the companies located within the building, failed to construct well thought out disaster recovery plans. This led to millions of dollars in losses both due to operations and fines. * Greater exposure: Disaster recovery holds significant weight in the banking industry, maybe even over other types of businesses, because their services produce great demand during times of disaster. What causes tremendous amount of pressure in this case, is that a particular bank has multiple locations with varied operations and computer applications. Furthermore, mergers and acquisitions have further complicated matters by causing banks to inherit more varied applications. This makes planning for one particular branch very difficult. * People still use paper: At the branch level, most bank employees continue to heavily rely on paper. So the question is what happens when none of the paper transactions have been entered into the computer system, and there is a fire? This can have a significant impact on operations as loss of records, particularly those pertaining to money, can be detrimental. * Employees first: Banks have an obligation to employees when developing their disaster plans. They must ensure that they have the ability to house their employees in a time of crisis, and provide all the necessary essentials such as food, water, clothing. * Outsourced functions: Disaster recovery plans should take into account any outsourced functions. Many banks outsource data processing such as credit card operations, automated teller machine applications, etc. This must be clearly addressed in the disaster recovery plan. * Testing is critical: A bank’s recovery plan must be heavily tested in order to ensure good results in a real life event. This testing provides confirmation that the bank will be ready in a time of crisis.
Conclusion
IT disaster recovery planning certainly requires a lot of grunt work, and may not appeal to those looking for more glamorous professions. Furthermore, the value in such a task is not immediately noticeable as it is not everyday a company is struck with a major catastrophe. However, it is important to remember that through this process, members of the IT department develop a better understanding of the business use of their systems, and will display a better level of preparedness for change when initiated by disaster. IT departments need to be a source of revenue and not cost, and therefore it is essential that they stay on top of management to allocate sufficient resources towards recovery planning. Ultimately, emphasis should be placed on long term continuity of the business as opposed to short term savings.

Work Cited * http://drbenchmark.org/wp-content/uploads/2014/02/ANNUAL_REPORT-DRPBenchmark_Survey_Results_2014_report.pdf * http://www.banktech.com/sandy-highlights-the-importance-of-bank-disaster-recovery-plans/d/d-id/1295917?page_number=1 * https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-strategies-processes-564 * http://www.arraydev.com/commerce/JIBC/2010-04/KadlecShropshireITDRP.pdf *

Similar Documents

Audit

Audit

Audit

Audit

Is Audit

Audit

Audit

Audit

Audit

Audit

Audit

Audit

Audit

Audit

Audit

Popular Essays