Wanted to dedicate this piece of work to SaaS & IT Services Capital of India, Chennai
FixNix Year III Anniversary Celebrations- Part 2
Nov’22 2012 to Nov’22’2015
Member,Cyber Security Task Force of India.
if the recent flood is taking down Chennai from its BAU and it is still aspirant about being a global thought leader in Information Technology and Software Products industry, it need to learn from it’s american counterparts how they handled the 9/11 successfully and recouped back.
not writing anything specific, don’t want to reinvent the wheel.
quoting the important parts of the SEC analysis about their experience handling 9/11.
Business Continuity Models
The events of September 11 may lead to changes in the way that institutions plan for emergencies, as well as changes in their ongoing operations. It is helpful to review the basic models for business continuity planning and how these fared during the recent crisis.
A. Traditional Active/Backup Model
In its simplest form, the traditional model of business continuity is based on an “active” operating site with a corresponding backup site, both for data processing and for operations. This strategy generally relies on relocating staff from the active site to the backup site, and on maintaining backup copies of technology and data. There is an inherent dependency on the staff at the active site and their ability to move to the backup site. An adequate “desktop” recovery strategy – one that contemplates the movement of, at a minimum, core employees to fully functional backup office space – is a critical element of this model. This approach tends to limit geographic separation to reduce relocation time. Common approaches for the backup of technology infrastructure and data processing also rely on keeping data, hardware, and software current at the backup site and on resilient and diverse services (including telecommunications and electric power) at each site.
B. Split Operations Model
An emerging business model, which is used by some firms with nationwide or global operations, is to operate with two or more widely separated active sites (“active/active”) for critical operations that provide inherent backup for one another. For banking organizations with nationwide operations, for example, such sites are often hundreds of miles apart. For international firms, routine workloads can be shared among sites in different countries. Each site has the capacity to absorb some or all of the work of another for an extended period of time. This strategy can provide close-to-immediate resumption capacity, depending on the systems used to support the operations and the operating capacity at each site. This strategy addresses many of the key vulnerabilities noted above, eliminating dependency on availability and relocation of staff at any single location, reducing likelihood of telecommunications single points of failure, supporting maximum geographic separation, and assuring business continuity through actual use, rather than infrequent and less than complete testing.
C. Other Models
There may be other business continuity models that can provide a high degree of resiliency. For example, some institutions employ a variation on the above models in which a backup site periodically functions as the primary site for some period of time (“alternate site” model).
Developing Sound Practices for Business Continuity
In the face of revised assessments of the types, severity, and probability of potential threats, the cost-benefit balance of enhancing resilience to these threats has clearly shifted post-September 11. There are a number of steps, described below, that may help achieve a common view of sound practices for business continuity.
A. Define the Scope of Scenarios
A core question is the range of scenarios that financial institutions realistically need to address in their business continuity planning. There are a number of scenarios that would affect particular geographic areas, such as explosive devices, biohazards, and natural disasters. Such scenarios could render a large area inaccessible and could harm or disperse an organization’s critical employees.
B. Establish Business Continuity Objectives
Business continuity objectives or principles need to be articulated that are consistent with cost-effective, sound business operations and that take into account the impact that one critical institution’s operations can have on another. These objectives could cover issues such as:
- Recovery time expectations for critical operations.
- Recovery capacity or volume expectations.
- Sound business continuity practices to support these objectives.
Although in practice, recovery time expectations may differ depending on the scenario (e.g., the expected times for institutions to recover from a localized power outage may differ from that of a regional disaster with loss of life), there are critical functions, including those relating to safeguarding and transferring of funds and financial assets that are so vital to the U.S. and global financial system that they arguably should continue with minimal, if any, disruption even in the event of a major regional disaster. The near-immediate “fail-over” capabilities provided by current technologies can support this objective.
C. Identify Key Elements of the Financial System
A coordinated industry-wide approach to business continuity planning requires identification of the critical operational components of the financial system that must achieve a high level of business continuity preparedness.A primary question is whether and how business continuity objectives should differ for institutions or infrastructure components with different levels of systemic importance. In particular, expectations may be highest for institutions whose activity has the potential to significantly affect other institutions, such as major clearing and settlement entities, as well as institutions that essentially act as financial “utilities” in some of their functions. Other institutions may be collectively critical to the daily operations of financial system, but individually of less systemic significance.
D. Testing and Crisis Management
Finally, the effectiveness of common business continuity strategies needs to be assured, whether through planning and testing or through regular use. Some institutions found that their routine testing of their business continuity plans as frequently as monthly or quarterly helped considerably in dealing with the crisis, relative to annual or less frequent testing. While testing and planning absorbs resources, institutions have found ways to integrate business continuity tests into their routine operations, such as by actively switching live operations to alternate sites periodically.
In addition, many institutions have noted the need for the industry to consider whether a more coordinated approach to crisis management and communication needs to be developed. Since September 11, several public and private-sector initiatives have begun to address the issue of coordinated crisis management communication within the industry and with regulators.