Business Continuity

and
Disaster Recovery Management in EBanking
Md. Mahbubur Rahman Alam
Assistant Professor, BIBM.
E-mail: alam_mr@yahoo.com
Cell: 01556323244
Web: www.bibm-bd.org

Introduction
What is a Disaster?
Any
Anyunplanned
unplannedevent
eventthat
thatrequires
requiresimmediate
immediate
redeployment
redeploymentof
oflimited
limitedresources
resources
Sample Disasters
Natural Forces
Fire
Environmental
Hazards
Flood / Water
Damage
Extreme Weather

Technical Failure
Power Outage
Equipment Failure
Network Failure
Software Failure

Human Interference
Criminal Act
Human Error
Loss of Users
Explosions

Disasters Natural, Man-made

Fire, flood, hurricane, tornado,

earthquake, volcanoes
Plane crashes, vandalism, terrorism,
riots, sabotage, loss of personnel, etc.
Anything that diminishes or destroys
normal data processing capabilities

Historical Evidence on Impact

of High Duration IT Outage
The WTC bombing of 1993
450 companies
147 non-recoverable
Majority out of business by 1994

The WTC disaster of 2001

800 companies
250 disaster declarations
~150 out of business by 2002

Natural Disasters
2004: four hurricanes in Florida
2005: Katrina, Rita, Wilma
Those who plan tend to fare better than those who dont

The September 11th Effect

Terrorist attacks cause more than $50 billion in
infrastructure damage
Dramatically raised awareness

*Source: AP or Reuters

Physical and cyber security

Business leaders closely examining internal

security, continuity, and recovery plans
90% of CEOs have reviewed DR plans*

Many discover inadequate investments

In Reality, Most Downtime is

Caused by Human Error

Source: Gartner Group

Causes of Data Loss

40% of all
SMBs will go
out of
business, if
they cannot
get their data
in the first 24
hours after a
crisis.
-- Gartner

Source: Wall Street Journal

Lost Data is Todays News!!

Bank of America looses a million

customer records

Tapes stolen in transit to offsite data center

Ameritrade Loses 200,000 Client Files

Tapes lost in transit to offsite data center

What is Disaster Recovery?

Disaster recovery describes how an organization

is to deal with potential disasters. A disaster
recovery plan (DRP) consists of the precautions
taken so that the effects of a disaster will be
minimized, and the organization will be able to
either maintain or quickly resume mission-critical
functions.

Introduction
What is a Disaster Recovery Plan?
AAmanagement
managementdocument
documentfor
forhow
howand
andwhen
whento
toutilize
utilize
resources
resourcesneeded
neededto
tomaintain
maintainselected
selectedfunctions
functions
when
whendisrupted
disruptedby
byagreed
agreedupon
uponincidents
incidents
Other names commonly used:

Business Continuity Plan

Contingency Plans
Continuity Plans
Emergency Response Plans
Business Recovery Plans
Recovery Plans

Introduction
What is the magnitude of an incident?

Regional Area
Local Area
Within 3 Blocks
To The Building
Within 3 Floors
On The Floor
Within The Room

Depending upon the magnitude of an incident,

possible alternative sites include:

Within The Room

Within the Building
Within the Region
Outside the Region

Introduction
Types of Strategies
Avoidance Strategy
Redundant
configuration to
avoid incidents
Site harden
facilities to resist
incidents
Redundant utilities
and hardware
Automated
operation recovery
plan

Mitigation Strategy
Recovery Strategy
Early warning
High level recovery
detection
plan
Contractual
Off-site data storage
Very responsive
agreements with
vendors
vendor relationships
Mirrored data and
Very knowledgeable
documents
employees
Detailed migration
recovery
plan
Types
of Strategy
Options
Hot site
Cold site
Worm Site

Computer Hardware
Alternatives
Hot Sites
Ready to Operate Within Several Hours
Not for long term extended use
Network Component
Warm Sites
Partially Configured with network connections
Without Main Computer
Cold Sites
Site with only basic environment

Planning
Scoping &
Risk
Assessment

Disaster Recovery
Approach
Implementation

Recovery
Disaster
Training
Strategy
Recovery
&
Development Plan
Testing

Approval

Planning
The primary objective for the Planning Phase is to gain
management consensus on the focus areas and scope of a
Disaster Recovery Plan that will address major business risks
Implementation
The primary objective for the Implementation Phase is to
develop, test, and rollout a Disaster Recovery plan. The
implementation phase could be longer or shorter, depending
upon scope, approach, and staffing defined during the Scoping
and Risk Assessment phase

What is Business Continuity?

Business continuity describes the processes

and procedures an organization puts in
place to ensure that essential functions can
continue during and after a disaster.
Business continuance planning seeks to
prevent interruption of mission-critical
services, and to reestablish full functioning
as swiftly and smoothly as possible.

BCP objective

Create, document, test, and update a

plan that will:
Allow timely recovery of critical
business operations
Minimize loss
Meet legal and regulatory
requirements

Good Practices

Reduce Frequency of Failures & attacks

Mitigate Severity of Failures & attacks
Increase Predictability of Failures & attacks
Optimize Recovery Time from Failures and attacks

A Better Approach: Remote

Backup and Restore
Secure, bandwidth efficient, network-based data
protection service
Automatic daily backups for servers/PCs using
existing network to a remote location
Disaster Recovery Center

Customer
server(s)

WAN
Customer
Firewall

Offsite Data Backup

ViaRemote
Platform

Recovery process

Manage

RPO Recovery point objectives

RTO Recovery time objectives
ETTR Elapsed time to recover

Crisis
Time Zero

Status
Restored
Capture actual ETTR

Emergency

Mobilize

Restore

Restore

Roll Forward

Response

Resources

Backups

Applications

& ReSync

Compliance?
Self/Own
Central Bank
ISO 17799
BS 7799
BS 15000