C.

Production Support
Purpose: used to ensure daily operational processes of information technology can be met and
monitored well.

C.1 Activity
The following activities are conducted to support the production process.

C.1.1 Release Management

Activity on the management of this release include:

1. Installation of servers and networks as well as the implementation of Core Banking

System application. COMPANY ensure all the configurations and settings that are applied are in
accordance with a predetermined configuration management.

2. Upgrade the Core Banking System application (Patch Release). The process of
updating the patch includes the following provisions:

a. COMPANY will be testing the latest patch application together with the bank on
the testing machine by using production data that is agreed upon by the bank.

b. Schedule patch upgrades will be done after the process is completed batch or
in accordance with an agreement with the bank.

c. The upgrade process will follow the application of a Change Management

procedures will be described in the next chapter.

C.1.2 Batch Processing

Batch process at Core Banking System service is performed automatically each end of the day.
For service Core Banking System, no process end of the month or the end of the year. Batch
processing activities include:

1. The process of data backup. Hours: 00:00. COMPANY ensure the backup process is running
successfully and file backups can be saved to the backup media that have been agreed.

2. Process scheduled transactions. Hours: 22:00 or suitable setup in Admin Web application.
COMPANY ensure configuration of scheduled transactions run in accordance with the agreed
execution time and execution process run successfully.

3. The process of data deletion (housekeeping). Hours: 00:00. COMPANY ensure data retention
processes run successfully and in accordance with the retention period determined.
4. Data transfer via FTP / SFTP. Hours: 00:00. COMPANY ensure permissions configuration FTP
/ SFTP Server is used to receive a copy of the information is correct so that FTP Server can
receive data mutation of Core Banking System and monitor that the file copy process is already
running successfully.
5. If there is any change in hours of automatic batch processing, the bank shall submit a change
request no later than two hours before the batch processing is done automatically.

C.1.3 Backup Process

The backup process is done automatically at the end of the day run. The provisions of the backup
process will be described in the chapter Data Management.
C.1.4 Process Monitoring
COMPANY shall conduct monitoring of all services provided to the bank every day.
1. The monitoring process includes the following components:
a. Monitoring of all applications supporting Core Banking System.
b. Monitoring system hardware.
c. Network monitoring LAN, WAN internal Core Banking System, including internet
connection.
2. Monitoring System hardware and networking is done automatically through the monitoring
system used by COMPANY, while monitoring application is done through Web Admin application.
The monitoring system will check:
• CPU Usage
• Use of Memory
• The use of hard drive
• Network Status and bandwidth usage.
3. If the problem is detected on one of the components, the monitoring system will send a
notification via voice (alarm) and e-mail to the Support Center / officers / authorities COMPANY.
4. Based on the information from the monitoring system, officers will carry out the handling issues
in accordance with the procedures which are described in Chapter Helpdesk COMPANY.
5. The results of this monitoring will be included in Service Level Reporting to be submitted each
month to the BANK, including the handling to be taken if one of the components being monitored
impaired.
6. COMPANY will give you access to the monitoring application to the BANK to monitor Core
Banking System services provided by COMPANY.
C.2 Implementation
IT Operation COMPANY: Day-to-Day Operations, Technical Support, Helpdesk.
C.3 Application Support
Zabbix monitoring system using the application.

D System Management
Objective: ensure application and system software updated with the required patch or patches
latest version.
Activity D.1
The following activities conducted at the System Management.
D.1.1 Patch Management
COMPANY ascertain whether the system hardware and software used are already using the
latest patch or patches that must be installed according to the recommendations of Principle. The
process of updating the patch includes the following provisions:
1. The COMPANY will do a patch test on the testing machine by using production data that is
agreed upon by the bank.
2. Schedule the patch upgrades will be done after the process is completed batch or in
accordance with an agreement with the bank.
3. The upgrade process patch following the procedure of Change Management will be discussed
in the next chapter.
D.1.2 Process Monitoring
COMPANY shall conduct monitoring of all system hardware and software. The monitoring
process in accordance with the chapter Process Monitoring Production Support.
D.2 Implementation
IT Operation COMPANY: Data Center Operations, Technical Support.
D.3 Application Support
Zabbix monitoring system using the application.

F Environment Management
Objective: to ensure the availability and stability of the environment to support the Core Banking
System services.
F.1 Activity
The following activities conducted at the Network Management.

F.1.1 Physical Access Control

Here are the rules of entry into the COMPANY data center:
a. BANK parties can enter the data center if it has clear goals and have obtained
permission from the IT Operation Head. Entry permit forms for data center OPS / 001: Entering
License Data Center that contains information about the name, agency, purpose, time, and the
agreement entered data center. The application form is sent to the COMPANY at the latest H-1,
one day before the date of application for access to the data center.
b. All operational personnel other than officers who entered the data center data center
must fill out and sign the guest book (form OPS / 002: Guest Book Data Center) as they enter
and leave the data center, and should be accompanied by data center personnel while in the data
center.
Information recorded in the guest book are:
- Name
- Agencies and Task Force
- Purposes
- Approving Officer
- Assisting Officer
- Hours Sign
- Jam Out
- Signature Guest
- Signature of Officer Accompanying
c. All personnel must enter and exit through the door that has been determined.
d. All personnel while in the COMPANY data center should continue to use the identity
card and follow all applicable regulations.

F.1.2 Facility Monitoring

Data Center operator, in this case is Vendor, shall monitor the production environment. The
monitoring process following the standards given by Vendor as a provider of data center
infrastructure with the following parameters:
Parameter Value
UPS N+1
 3 x 250 kVA
Battery Standby 30 minute
Air-Cooled System 17 – 24 degrees Celsius
40 – 60 % RH
Generator N+1

Implementing F.2
Data Center Operator
V.3 Application Support
Process monitoring using monitoring applications.

G Backup Management
Objective: ensure Core Banking System data is stored in a secure location.
Activity G.1
The following activities conducted in the Data Management.
G.1.1 Backup Process
In general the entire database and its contents are the property of bank, making database
administration functions are fully carried out by the bank. COMPANY only authorized to manage
and ensure the availability and stability of the database.
1. Core Banking System application database backup process is done automatically every
day via scheduling the operating system.
2. The backup process executes commands from the system database and run a full
backup.
3. Material backup includes the following components:
a. Database applications Core Banking System
b. Database applications Token
c. Database Middleware applications
d. System and application logs.
4. The retention time of backup data consists of:
 a. Daily data backups Core Banking System application used for recovery
(recovery) data during emergencies and saved to other media by the bank.
b. Monthly backup of data processed beginning of each month for the historical
data and transactions, saved on other media by the bank.
5. The results of the backup database will be automatically placed on a directory server to
then encrypted and sent to the bank system via FTP / SFTP.
G.1.2 Restore Process
The restore process is conducted in accordance with an agreement with the bank, with the
following conditions:
1. Testing the backup data regularly every six months to make sure and to verify the
contents of the data in the backup media, if no data is broken / missing / corrupt or not.
2. Requests activities incidental restore data on approval of the bank
for the purposes of system testing or auditing purposes either internally, externally, or from
regulators.

G.2 Implementing
IT Operation COMPANY: Technical Support
G.3 Application Support
Application backup and restore databases.

H Online Processing
Objective: ensure Core Banking System can process transactions with a high load.
H.1 Activity
The following activities conducted in Capacity Management process.
H.1.1 Capacity Planning
COMPANY shall perform capacity planning once every year, or according to the agreement,
which includes:
1. The capacity of the server and its components such as hard drives, memory, processors,
including the capacity of the operating system that covers all production and backup servers.
2. Capacity database.
3. The caCOMPANYity of the network.
4. The caCOMPANYity of the data center.
5. CaCOMPANYity other environments such as power systems, cooling systems, fire suppression
systems, access control panel.

H.1.2 Monitoring Capacity

COMPANY shall exercise supervision over the capacity, with the following conditions:
1. Process monitoring using monitoring applications that support the delivery of notifications in
the event of a system error.
2. Each notification will be handled in accordance with the procedure of COMPANY Helpdesk.
3. The report monitoring results submitted every month through Service Level Reporting.
4. COMPANY will increase the capacity of the work if the user has reached 70%.

H.1.3 Maintenance Capacity

As a precaution, the COMPANY did log file deletion application and transaction data in the
database with the following conditions:
1. Retention of the transaction data in the Core Banking System application (online) will be
stored for 360
days back.
2. Retention of logs will be saved on the server application Core Banking System for 30 days
back.
3. Change the value of retention can be made by the bank mutual consent through Change
Management procedures.
Implementing H.2
IT Operation COMPANY: Day-to-Day Operations, Technical Support.
H.3 Application Support
Process monitoring using Zabbix application.

I Service Desk
Objective: to make sure every problem is handled and followed up by COMPANY through the
delivery of solutions to these problems to the BANK.
I.1 Activity
Procedures or measures that apply in the COMPANY report in case of problems.
1. Reporting convey problems to the Helpdesk via various communication media such as
telephone, fax, or e-mail the information listed in the Contact Person.
2. Reporting shall provide a clear identity, namely: bank name, the name of the complainant, the
work unit, and a phone number that can be reached following the details of the problem to the
Helpdesk, as 1st level support, so that it can be noted clearly in the application problem handling
(ticketing tool ).
3. Helpdesk follow up complaints by providing solutions based on knowledge and database
knowledge is in Helpdesk.
4. The Helpdesk will provide a response to the complainant based on the following criteria:

Response Meanwhile
Rankings Business imCOMPANYt
time Solutions
1 complete failure 15 minute 4 jam
Critical • total failure that causes the entire business
impact transaction and / or functions and / or critical
business operations may not work.
• The failure is caused by faulty applications
and data, interference with the machine or the
severed communications.
 • This failure can result in loss of data
or limited availability of data and / or
has a financial impact for users /
customers.
2 the failure of most 30 minute 5 working days
Large  • The failure of the majority that affect
impact or limit the main function but does not
stop the user / customer to resume
production and does not pose a risk to
critical business operations.
3 failure minor 60 minutes 10 working
Medium • minor issue that was not significantly affect days
impact the operations.
 • Included in this group are questions
or requests for information about the
functions / features of the application.

5. Escalation of handling the problem using the call tree with the following details:

notifications Response Customer

15 first minute 15 second minute time Update
 Critical 1st Level Support, 2nd BOD 15 minutes Every 30
impact Level Support, IT Opr. minutes
Head, IT Dev. Head
Large 1st Level Support, 2nd IT Opr. Head, IT 30 minutes 2 times a
impact Level Support, Dev. Head day
Medium The first 30 minutes 30 minutes of the 60 mins 2 times a
impact second day
1st Level Support 2nd Level Support

6. Duties and powers of each level of support:

a. 1st Level Support (24 hours)
i. Receive and record the problems occurred.
ii. Follow up and provide solutions to problems that occur based on information from the
database of knowledge.
iii. Reported problems cannot be resolved to the Head of Operations to be forwarded to
the Management Party and make the notification of critical events (for problems with level 1) to
the complainant.
iv. Monitor the status of solving problems and noted the solution or status.
b. 2nd Level Support (office hours)
i. Analyze and seek solutions to problems. During the analysis process, 2nd Level Support
can communicate directly to the complainant to clarify the problem.
ii. Delivering solutions and handling solutions to problems 1st Level Support.
iii. Provide a report to the 1st Level Support on issues that cannot be solved in order to
process the escalation to the next level.

I.2 Implementing
IT Operation COMPANY: Helpdesk.
I.3 Application Support
Using Ticketing and Knowledge Management applications.
I.4 Contacts
BANK can report problems via the following media:
1. Web Ticketing
a. https://support.COMPANYtindo.com (Contact banks listed)
2. Email:
a. ticket@COMPANYtindo.com (hours)
b. support@COMPANYtindo.com (hours)
c. support@Vendor.com (24 hours)
3. Phone:
a. 255/22 27 555 021 Ext. 127 (office hours)
b. 021 27555222 (24 hours)

M Service Level Monitoring

Objective: monitor the performance and level of service Core Banking System COMPANY in
accordance with applicable agreements.

M.1 Activity
COMPANY will send a report monitoring results and achieving target levels of service to BANK
not later than the 10th of every month.
Service Level Monitoring monthly report that is sent to BANK contain the following information:

Element Description

A. Availability
Application Availability Application uptime
Network Availability Network uptime
System Maintenance System under maintenance

B. System Management Request

Configuration Request BANK request on (re-) configuration

C. Daily Operation Readiness

Batch Processing EOD finish
Response Time Average server processing request
Backup process Backup process finish

D. Security Log
Access Log Number of success login and logout
Failed Attempts Number of failed usernames, failed passwords, and failed
activations
 Data Changes Number of critical data updates
Attack Log Number of intruders and suspect activities from firewall

E. Disaster Recovery Center

RTO Recovery Time Objective: elapsed time between backup is
data ready installed to DR system is up
DR Drill Number DR drill per year
DR on activation Maximum time on DR activation

F. Audit Support
Audit Support Request on audit support

G. Change Management
Request on change management Processing of change request which is approved

H. Helpdesk
Helpdesk window time Window time of helpdesk
Incident processing Window time of incident processing base on level

I. Client Request
Client Request Processing Processing of client request such as request for back up data,
restore data and any other request
Maximum client (bank) request in Maximum request allowed for a client (bank) in a year
a year

Grades or points on each item above in accordance with the information stated in the agreement
between the COMPANY and the BANK.
Implementing M.2
IT Operation COMPANY: Day-to-Day Operation.
M.3 Application Support
Using the application Monitoring, Ticketing, and Bugzilla.
N Disaster Recovery
Disaster Recovery (DR) is the process, policies and procedures relating to the preparation for
recovery or continuation of technology infrastructure after disasters (disaster).
N.1 Classification
Disasters can be classified into two broad categories. The first is natural disasters such as floods,
hurricanes or earthquakes. The second category is a disaster due to human activities, including
fire, riots, terrorist attack, failure of infrastructure, hazardous material spills, as well as cyber
attacks. All of these categories can cause disruptions in the operational activities of the
COMPANY, therefore, necessary precautions and preparations to reduce or avoid losses from
the incident.
N.2 Preventive Measures
As a precaution in case of disasters (disaster) put up one environment to a separate location from
the main environment in the data center (DC) COMPANY. Environment is a Disaster Recovery
Center (DRC) is set in the stand-by condition and can be activated in the event of disaster
conditions.
In addition to infrastructure preparation, transaction data stored in the system database
COMPANY will be replicated from environment to environment DC DRC and backed up using
FTP media from environment to environment BANK DC.
Details of infrastructure at each location listed in the document chapter Technical Guideline on
Network Architecture for DC Site and Disaster Recovery Site for DR Site.
N.2.2 Replication and Backup
The technical details of the process of replication and backup databases listed in the Technical
Guideline on chapter Replication and Backup.
N.3 Disaster Process
Here is the process, policies, and procedures to enable the DRC environment as a replacement
for the primary environment in case of disaster conditions, so that the operational activities
remained normal during disaster conditions until the primary environment in the reconstruction
process is completed and the DC locations reusable.

Scope: The process of moving from the main environment that is in DC to the environment
that are in the DRC. Environment stand-by will operate until the primary environment in
DC can operate again.
Policy: Making changes to the communication from environment to environment DC DRC.
Moving the engine to the operational support activities DRC.
 Actor: BANK (Contact Person listed in List):
- IT Contact
- Emergency Contact
- Helpdesk Contact

COMPANY (listed in Organization Structure):

- IT Operation Head
- IT Development Head
- System Analyst
- Day to Day Operation
- TS & Network
- Helpdesk
Steps: Here is the procedure to activate the DRC environment:
1) 1) COMPANY sent a notification letter to the BANK that there has been a
disaster condition, using the form BCP 08B: Notice of Disaster. COMPANY
verifies data backup DRC to ensure infrastructure DRC run smoothly.
2) 2) COMPANY enable DRC environment and divert operational support to the
DRC.
3) 3) COMPANY sends the minutes of the activation of the DRC to the BANK,
using the form BCP 10c: Minutes Activation DRC, signed by COMPANY and
BANK.
4) 4) BANK verify the data and transaction processing in the DRC environment.
5) 5) BANK submit an affidavit to the COMPANY that the transition to the DRC
environment goes well, using the form BCP 10d: Statement of Use DRC.
Forms: a) a) BCP 08B: Notice
b) b) BCP 10c: Minutes Activation DRC
c) c) BCP 10d: Statement of Use DRC

N.4 Recovery Process

Here is the process, policies, and procedures to carry out the relocation and diversion from
environment to environment DC DRC after the reconstruction of the main environment in DC
location is completed and can be reused.
Scope: The process of moving from the environment to the environmental DRC DC. The main
environment can operate again.
Policy: The main environment in DC can operate and run well in accordance with the
condition before the disaster.
Environment DRC is disabled and the cut-off transaction using the data after the non-
active DRC do.
Doing switchover communications from environment to environment DC DRC.
Moving operational support activities to DC machine.
Actor: BANK (Contact Person listed in List):
- IT Contact
- Emergency Contact
- Helpdesk Contact

COMPANY (listed in Organization Structure):

- IT Operation Head
- IT Development Head
- System Analyst
- Day to Day Operation
- TS & Network
- Helpdesk
Steps: Here is the procedure to activate the DC environment:
1) 1) COMPANY sent a notification letter to the BANK that environment DC has
been reconstructed and ready to be activated, using the form BCP 08c: Notice
of Results of Reconstruction.
2) BANK verifying the results of the reconstruction of the DC environment.
3) BANK send a letter stating that the reconstructed DC are in accordance
with the conditions before the disaster and ready to operate, using the form
BCP 10e: Termination Statement DRC.
4) COMPANY disable DRC environment and reconstruct the database system
DC using backup data from DRC environment.
5) COMPANY activate and switch environment DC to DC operational support.
6) COMPANY sends the minutes of the activation of the DC to the BANK,
using the form BCP 10f: Termination Minutes DRC, signed by COMPANY and
BANK.
7) BANK verify the data and transaction processing in a DC environment.
Forms: a) a) BCP 08B: Notice
b) b) BCP 10e: Termination Statement DRC
 c) c) BCP 10f: Termination Minutes DRC

N.5 Testing
Tests on the environment DRC carried out at least 1 (one) year to ensure that the environment
DRC can be operated either in the event of disaster conditions. Things are done in testing the
BCP include:
1. Disaster Process Procedure
2. Procedure Recovery Process
Tests carried out using test scenarios (test plan) and is documented in an orderly manner and
evaluated to ensure the effectiveness and efficacy testing.
Implementation of DR testing must go through the approval of the COMPANY and the BANK.