Business Continuity Plan

CorrTec is the only global software solutions provider to the correspondent banking and financial institutions sector of international banking. The corporate mission is to constantly advance CorrTec as a global leader in correspondent banking solution that maximize value to our customers through innovative utilization of technology comprehensive functionality and aggressive pricing. [1]

1.1 Services

CorrTec provides a variety of consulting services that compliment our software products for a comprehensive business solution to our clients. Based on our experience software in general only constitutes a portion of the overall solution, and consulting services form an integral part of a successful and value driven implementation. The implementation services from CorrTec assure an effective and timely implementation of our correspondent banking software. Our consultants can provide assistance to the bank’s internal project team, or alternatively they can assume primary responsibility for any phase of the implementation from initial needs analysis to project management and global roll-out of the final solution. [2]

1.2 Products

1.2.1 FALCON
Falcon achieves straight-through-processing rates of well over 90 percent. FALCON is designed to increase the productivity, management information and accuracy of the reconciliation department of any bank. [3]
1.2.2 TRADEX
Tradex is a global Correspondent and Country Risk Management Solution which allows a network bank to book, monitor and analyze correspondent bank and country trade risk and income on a real-time basis throughout their entire branch network. The design of TRADEX offers the following unique benefits to our clients, based our innovative use of technology. [3]
1.2.3 RCS

RCS is the first commercially available fully integrated Reimbursement Claim Solution primarily designed for large network banks that offer a collection service to downstream correspondents for all export collection items, reimbursement authorizations, and check collections. RCS is a fully scalable solution, which offers comprehensive functionality for the collection item transaction flow from the branch network of the downstream correspondent to the clearing center of the correspondent service provider. [3]

2. Overview of Business Continuity Plan

The term BCP covering both disaster recoveries planning and business planning. This umbrella term also refers to the other aspects of disaster recovery, such as emergency management, human resources, media or press relations, etc. This plan addresses the business processes and is Information Technology based only in its support for the business processes. [4]

2.1 Purpose

The Plan identifies the functions of company and the resources required to support them. The Plan provides guidelines for ensuring that needed personnel and resources are available for both disaster preparation and response and that the proper steps will be carried out to permit the timely restoration of services.

This Business Continuity Plan specifies the responsibilities of the Business Continuity Management Team, whose mission is to establish company level procedures to ensure the continuity of CorrTec business functions.

2.2 Assumption

The Plan is predicated on the validity of the following of following assumptions:

  • The situation that causes the disaster is localized to the data processing facility of Operations and Systems in company.
  • The Plan is based on the availability of the hot sites or the back-up resources. The accessibility of these, or equivalent back-up resources, is a critical requirement.

2.3 Development

CorrTec’s Information Security Officer, with assistance from key Institute support areas, is responsible for developing the company Business Continuity Plan. Development and support of individual Team Plans are the responsibility of the functional area planning for recovery.

2.4 Maintenance

Ensuring that the Plan reflects ongoing changes to resources is crucial. This task includes updating the Plan and revising this document to reflect updates; testing the updated Plan; and training personnel. The Business Continuity Management Team Coordinators are responsible for this comprehensive maintenance task.

2.5 Testing

Testing the Business Continuity Plan is an essential element of preparedness. Partial tests of individual components and recovery plans of specific Teams will be carried out on a regular basis. BCMT is a defined number of roles and responsibilities for implementing the Business Continuity Management Plan. [5]

3. Business Continuity Management Team

For the business continuity of CorrTec systems, there will be a primary team: The Business Continuity Management Team. In the event of a disaster, the BCMT provides general support.

This section provides general information about the organization of recovery efforts and the role of the Business Continuity Management Team.

Business Continuity Management Team:

  • The Business Continuity Management Team is composed of upper-level managers in company administration. The following is a list of each position on the Business Continuity Management Team, and a brief overview of each member’s responsibilities:
  • Information Security Officer. As Co-Coordinator of the Business Continuity Management Team, with the Coordinator of the O&S team, provides liaison between the company operational and management teams in affected areas. Also responsible for ongoing maintenance, training and testing of the company’s Business Continuity Plan. Coordinates the Institute Support Teams under the auspices of the Business Continuity Management Team.
  • Director, Operations and Systems. Coordinates support for data processing resources at the main data center and the designated recovery sites.
  • Director, Telecommunications Systems. Provides alternate voice and data communications capability in the event normal telecommunication lines and equipment are disrupted by the disaster. Evaluates the requirements and selects appropriate means of backing up the CorrTec telecommunications network.
  • Safety Office – Coordinates risk reduction and avoidance activities and emergency response with the BCMT

4. Business Aspects

4.1 IT Security Management

As the requirement for information technology grows, the complexity of people’s requirements has grown continuously. Increasingly, implementation and maintenance of a reasonable level of IT security is requiring planned and organized action on the part of all those involved. The efficient implementation of IT security measures and review of their efficacy therefore necessitates a well thought out, controlled IT security process. This planning and control task is referred to as IT security management. It is imperative that functional IT security management is established at the start of the IT security process.

However, functional IT security management must be integrated into the existing management structures of a given organization. It is therefore virtually impossible to specify a single IT security management structure will be directly usable within every organization. Instead, modifications to organization-specific circumstances will frequently be necessary.

4.2 Organization

This Topic lists general and generic measures in the organizational field which, as standard organizational measures, are required to achieve a minimum protection standard. Specific measures of an organizational nature which relate directly to other measures (e.g. LAN administration) are listed in the relevant Topic s.

4.3 Computer Virus Protection

In order to protect an entire organization effectively against computer viruses, this Topic describes the steps that have to be taken to create and implement a concept of computer virus protection.

4.4 Hardware and Software Protection

The main focus of this module is on procedures which refer specifically to IT hardware or software components, with the aim of ensuring that the management and organizational aspects of IT operations are as they should be. Security should be an integrated element of the overall life cycle of an IT system or product.

4.5 Infrastructure

4.5.1 Server Room

The server room primarily serves to accommodate a server, e.g. a LAN server, a UNIX host computer or a server for a private branch exchange. In addition, server-specific documentation, small quantities of data media, additional hardware (star coupler, log printer, air conditioning system) may also be kept in the room.

4.5.2 Cabling

Cabling of IT systems covers all cables and passive components (jumper distributors/splice distributors) of networks, from any existing delivery point of an extraneous network (telephone, ISDN) to the terminal points of network subscribers.

4.5.3 Buildings

The building surrounds the IT and thus guarantees external protection. Furthermore, infrastructure installations of the building allow IT operation in the first place.

4.6 IT Systems

4.6.1 Server Supported Network

Here, we deal with a local network with at least one server

4.6.2 Routers and Switches

We should make a backup plan for maintaining and controlling all the switches and routers within the network.

4.7 E-Mail

Electronic mail (e-mail for short) enables the rapid world-wide transmission and reception of electronic messages. An e-mail usually consists of an address (From/To), title or reference (Subject), text body and, possibly, one or more attachments. E-mail not only allows information to be exchanged quickly, conveniently and informally, but also makes it possible to forward business transactions to other parties for the purpose of further processing.

4.8 Databases

Database systems (DBS) are commonly accepted computer-aided techniques of organising, generating, manipulating and managing large amounts of data. A database system consists of the database management system (DBMS) and a certain number of databases. A database is a collection of data representing facts on a specific application in the real world.

5. Risk Assesment (Threat Description)

Risk assessment is a common first step in a risk management process. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat. [6]

Threat may refer to behavior that emphasizes one’s aggressive potential. [7]

This section of the manual contains descriptions of the threats which are included in the threat scenarios for the individual modules. The threats are grouped into five catalogues:

· T1: Force Majeure

· T2: Organizational Shortcomings

· T3: Human Failure

· T4: Technical Failure

· T5: Deliberate Acts

5.1 IT Security Management

  • Lack of, or inadequate, IT security management

5.2 Organization

  • Insufficient knowledge of rules and procedures
  • A lack of compatible, or unsuitable, resources
  • Unauthorized admission to rooms requiring protection
  • Unauthorized use of rights
  • Uncontrolled use of resources

5.3 Computer Virus Protection

Organizational Shortcomings

  • Insufficient monitoring of IT security measures
  • Uncontrolled use of resources

Human Error

  • Non-compliance with IT security measures

Deliberate Acts

  • Manipulation of data or software
  • Trojan horses
  • Computer viruses
  • Macro viruses

5.4 Hardware and Software Protection

Organizational Shortcomings

  • Poor adjustment to changes in the use of IT
  • Data media are not available when required
  • Inappropriate administration of access rights

Human Error

  • Loss of data confidentiality/integrity as a result of IT user error
  • Carelessness in handling information

Technical Failures

  • Vulnerabilities or errors in standard software
  • Undocumented functions

Deliberate Acts

  • Manipulation or destruction of IT equipment or accessories
  • Theft
  • Trojan horses

5.5 Infrastructure

5.5.1 Building

Force Majeure

  • Fire
  • Water

Organizational Shortcomings

  • Lack of, or insufficient, rules
  • Unauthorized admission to rooms requiring protection

Technical Failures

  • Disruption of power supply
  • Failure of internal supply networks
  • Failure of existing safety devices

Deliberate Acts

  • Unauthorized entry into a building
  • Attack
5.5.2 Cabling

Force Majeure

  • Burning cables

Organizational Shortcomings

  • Insufficient route dimensioning
  • Insufficient documentation on cabling
  • Inadequately protected distributors
  • Inadequate line bandwidth

Human Error

  • Inadmissible connection of cables
  • Inadvertent damaging of cables

Deliberate Acts

  • Line tapping
  • Manipulation of lines
5.5.3 Server Rooms

Force Majeure

  • Fire
  • Water
  • Inadmissible temperature and humidity

Organizational Shortcomings

  • Lack of, or insufficient, rules
  • Unauthorized admission to rooms requiring protection

Technical Failures

  • Disruption of power supply
  • Failure of internal supply networks
  • Voltage variations / overvoltage / under voltage

Deliberate Acts

  • Manipulation or destruction of IT equipment or accessories
  • Manipulation of data or software
  • Unauthorized entry into a building
  • Theft
  • Vandalism

5.6 IT Systems

5.6.1 Server Supported Network

Force Majeure

  • Loss of personnel
  • Failure of the IT system

Organizational Shortcomings

  • Unauthorized use of rights
  • Poor adjustment to changes in the use of IT

Human Error

  • Non-compliance with IT security measures
  • Inadvertent damaging of cables
  • Hazards posed by cleaning staff or outside staff

Technical Failures

  • Disruption of power supply
  • Voltage variations / overvoltage / under voltage
  • Complexity of access possibilities to networked IT systems

Deliberate Acts

  • Unauthorized use of IT systems
  • Systematic trying-out of passwords
  • Abuse of user rights
  • Abuse of administrator rights
  • Repudiation of a message
  • Denial of services
5.6.2 Routers and Switches

Organizational Shortcomings

  • Incorrect planning and design of the use of routers and switches

Human Error

  • Incorrect configuration of routers and switches
  • Incorrect administration of routers and switches

Technical Failure

  • Insecure default settings on routers and switches

5.7 E-Mail

Organizational Shortcomings

  • Lack of, or insufficient, rules
  • Unauthorized use of rights
  • Poor adjustment to changes in the use of IT
  • Uncontrolled use of electronic mail
  • Inadequate description of files

Human Error

  • Loss of data confidentiality/integrity as a result of IT user error
  • Non-compliance with IT security measures
  • Improper use of the IT system

Technical Failures

  • Data loss due to the exhausting of storage medium capacity
  • Lack of authenticity and confidentiality of e-mail

Deliberate Acts

  • Computer viruses
  • Denial of services
  • Misuse of e-mail services
  • Overload due to incoming e-mails
  • Unauthorized monitoring of e-mails
  • Misuse of active content in e-mails

5.8 Databases

Force Majeure:

  • Loss of personnel

Organizational Shortcomings:

  • Lack of, or inadequate, test and release procedures
  • Lack of, or inadequate, implementation of database security mechanisms
  • Complexity of a DBMS
  • Complexity of database access

Human Failure:

  • Hazards posed by cleaning staff or outside staff
  • Incorrect administration of site and data access rights
  • Improper administration of a DBMS

Technical Failure:

  • Failure of a database
  • Circumvention of access control via ODBC
  • Loss of data in a database caused by a lack of storage space
  • Loss of database integrity/consistency

Deliberate Acts:

  • Systematic trying-out of passwords
  • Manipulation of data or software in database systems
  • Denial of services in a database system

6. Risk Mitigation Plan

Risk mitigation is the application of systems to reduce the amount of loss from the potential future occurrence of an event. [9]

This section provides descriptions of the IT security Risk Mitigation mentioned in the various modules of the manual. The measures are grouped into six catalogues of Risk Mitigation:

  • RM 1: Infrastructural Risk Mitigation
  • RM 2: Organizational Risk Mitigation
  • RM 3: Personnel Risk Mitigation
  • RM 4: Risk Mitigation relating to hardware and software
  • RM 5: Risk Mitigation in communications
  • RM 6: Contingency Planning

6.1 IT Security Management

  • Establishment of the IT security process

6.2 Organization

The package of measures which fall under the heading “Organization” is set out below:

  • Specification of responsibilities and of requirements documents for IT uses
  • Division of responsibilities and separation of functions
  • Granting of site access authorizations
  • Granting of (system/network) access rights
  • Response to violations of security policies
  • Timely involvement of the staff/factory council

6.3 Computer Virus Protection

Organization

  • Creation of a computer virus protection concept
  • Identification of IT systems potentially threatened by computer viruses
  • Selection of a suitable computer virus scanning program
  • Reporting computer virus infections
  • Updating the computer virus scanning programs used
  • Documentation of changes made to an existing IT system
  • Obtaining information on security weaknesses of the system

Personnel

  • Training before actual use of a program
  • Education on IT security measures

Hardware and Software

  • Periodic runs of a virus detection program
  • Use of a virus scanning program when exchanging of data media and data transmission
  • Checking of incoming files for macro viruses

Contingency Planning

  • Procedures in the event of computer virus infection
  • PC emergency floppy disk
  • Regular data backup

6.4 Hardware and Software Protection

Infrastructure

  • Use of anti-theft devices (optional)

Organization

  • Ban on using non-approved software
  • Establishing standard workstations
  • Data privacy guidelines for logging procedures
  • Keeping manuals at hand
  • Structured data storage
  • Regular checking of organizational IT security measures
  • Prevention of insecure network access
  • Continuous documentation of information processing (especially administration)

Personnel

  • Briefing of staff in the secure handling of IT equipment

Hardware and Software

  • Implementation of security functions in the IT application (optional)
  • Testing of new hardware and software
  • Careful modifications of configurations
  • Software reinstallation on workstations
  • Appropriate choice of authentication mechanisms (optional)
  • Choice of suitable data formats
  • Restrictive granting of access rights to system files

Communication

  • Use of encryption procedures for network communications (optional)
  • Establishment of sub networks (optional)
  • Agreement regarding connection to third party networks
  • Agreement regarding the exchange of data with third parties

Contingency Planning

  • Redundant communication links (optional)

6.5 Infrastructure

6.5.1 Building

Power supply

  • Adapted segmentation of circuits
  • Lightning protection devices (optional)

Fire Protection

  • Hand-held fire extinguishers
  • Fire sealing of cable routes
  • Use of safety doors (optional)

Building Protection

  • Automatic drainage
  • Selection of a suitable site (optional, if and where alternatives exist)
  • Entrance control service (optional)
  • Intruder and fire detection devices (optional)

Organization

  • Fire safety inspections
  • Entry regulations and controls

Contingency Planning

  • Alert plan and fire drills
6.5.2 Cabling

Infrastructure

  • Fire sealing of cable routes
  • Physical protection of lines and distributors (optional)
  • Prevention of transient currents on shielding

Organization

  • Neutral documentation in distributors
  • Monitoring of existing lines (optional)

Communication

  • Removal, or short-circuiting and grounding, of unneeded lines
  • Selection of appropriate network topography (when providing new networks with cables)
  • Documentation on, and marking of, cabling
  • Damage-minimizing routing of cables (when providing new networks with cables)

Contingency Planning

  • Provision of redundant lines (optional)
6.5.3 Server Rooms

Infrastructure

  • Hand-held fire extinguishers
  • Intruder and fire detection devices (optional)
  • Locked doors
  • Avoidance of water pipes (optional)
  • Overvoltage protection (optional)
  • Emergency circuit-breakers (optional)
  • Air conditioning (optional)
  • Local uninterruptible power supply [ups] (optional)

6.6 IT Systems

6.6.1 Server Supported Network

Infrastructure

  • Local Uninterruptible Power Supply (UPS)
  • Adequate Sitting of an IT System (optional)

Organization

  • Maintenance/repair regulations
  • Documentation of the system configuration
  • Appointment of an administrator and his deputy
  • Documentation of changes made to an existing IT system
  • Obtaining information on security weaknesses of the system

Personnel

  • Training before actual use of a program
  • Education on IT security measures
  • Selection of a trustworthy administrator and his substitute
  • Training of maintenance and administration staff

Hardware and Software

  • Password protection for IT systems
  • Restrictions on access to accounts and/or terminals
  • Blocking and deletion of unnecessary accounts and terminals
  • Testing of new hardware and software

Communication

  • Mandatory use of a network password
  • Restrictive granting of access rights
  • Appropriate use of equipment for network coupling

Contingency Planning

  • Appropriate storage of backup data media
  • Backup copy of the software used
  • Regular data backup
6.6.2 Routers and Switches

Infrastructure

  • Secure installation of active network components
Organization
  • Functional description of a router
  • Functional description of a switch
  • Typical operational scenarios in which routers and switches are used
  • Drawing up a security policy for routers and switches
  • Documentation of the system configuration of routers and switches

Personnel

  • Administrator training on routers and switches

Hardware and Software

  • Secure basic local configuration of routers and switches
  • Secure basic network configuration of routers and switches
  • Configuration checklist for routers and switches

6.7 E-Mail

Organization

  • Concept for the secure use of e-mail
  • Regulations concerning the use of e-mail services
  • Configuration of a mail centre
  • Standard e-mail addresses

Personnel

  • Training before actual use of a program
  • Education on IT security measures

Hardware and Software

  • Use of a virus scanning program when exchanging of data media and data transmission
  • Testing of new hardware and software

Communication

  • Secure operation of a mail server
  • Secure configuration of mail clients
  • Use of an e-mail scanner on the mail server (optional)

Contingency Planning

  • Procedures in the event of computer virus infection
  • Backup copies of transferred data (optional)
  • Data backup and archiving of e-mails

6.8 Databases

Organization:

  • Documentation on the system configuration
  • Documentation on changes made to an existing IT system
  • Drawing up a requirements catalogue for standard software
  • Save transfer of data to a database

Personnel:

  • Training before actual use of a program
  • Education on IT security measures

Hardware/Software:

  • Password protection for IT systems
  • Regular checks of database security
  • Monitoring a database

Contingency Planning:

  • Regular data backup
  • Restoring a database

7. Disaster Recovery Strategy

(DR) is a coordinated activity to enable the recovery of IT/business systems due to a disruption. DR can be achieved by restoring IT/business operations at an alternate location, recovering IT/business operations using alternate equipment, and/or performing some or all of the affected business processes using manual methods. [10]

7.1 Activation of Designated Hot Site

The responsibility for activating any of the designated hot sites or back-up resources is delegated to the IS officer. Within 2 hours of the occurrence, the IS officer determines the recovery of the damaged functional area through consultation with the director of Operations and Systems, Telecommunications Systems.

If the estimated recovery of the damaged functional area cannot be accomplished within 2 hours, the designated back-up site is notified of the intention to occupy their facility.

Storage Location:

Primary: Near Korangi Creek, (Head office)

Alternate: At Shahra-e-Faisal

7.2 Disaster Recovery Strategy

The disaster recovery strategy explained below specifies a disaster disabling the main data center. This functional area provides mainframe computer and major server support to CorrTec’s administrative applications. The O&S Team Plan provides for recovering the capacity to support these critical applications within 2 hours. The Business Continuity Plan complements the strategies for restoring the data processing capabilities normally provided by Operations & Systems.

There are three phases of disaster recovery:

7.2.1 Emergency

The emergency phase begins with the initial response to a disaster. During this phase, the existing emergency plans direct efforts to protect property, the primary goal of initial response. Security over the area is established as local support services such as Fire Departments are enlisted through existing mechanisms. The BCMT Duty Person is alerted by pager and begins to monitor the situation.

If the emergency situation appears to affect the main data center (or other critical facility or service), either through damage to data processing or support facilities, or if access to the facility is prohibited, the Duty Person will closely monitor the event, notifying BCMT personnel as required to assist in damage assessment.

The Business Continuity Management Team remains active until recovery is complete to ensure that the company will be ready in the event the situation changes.

7.2.2 Backup

The back-up phase begins with the initiation of the appropriate Team Plan(s) for outages enduring longer than 2 hours. In the initial stage of the back-up phase, the goal is to resume processing critical applications. Processing will resume either at the main data center or at the designated hot site, depending on the results of the assessment of damage to equipment and the physical structure of the building.

7.2.3 Recovery

The time required for recovery of the functional area and the eventual restoration of normal processing depends on the damage caused by the disaster. The time frame for recovery can vary from several days to several months. In either case, the recovery process begins immediately after the disaster and takes place in parallel with back-up operations at the designated hot site. The primary goal is to restore normal operations as soon as possible.

8. Conclusion

This report provides a review of only some of the elements and challenges that make business continuity plan. It underlines the importance of informed and balanced judgments that need to be taken in the planning and execution of the many related activities within an organization.

We would come to know about the CorrTec, a solution provider firm for financial organization. The functions that implemented within the company related to infrastructure, its hardware and software equipments and supports and also how they overcome and survive themselves from disaster situations.

Finally it has been concluded that it’s important for any organization to make a business continuity plan to survive from certain disasters. For such purpose, it is necessary to analyze the risk factors deeply, identify them and apply techniques to overcome these factors. It has also been seen during the study that for making a successful business continuity plan we should make a team and work as a team.

References

[1] http://www.corrtec.com/company.html

[2] http://www.corrtec.com/services.html

[3] http://www.corrtec.com/product.html

[4] http://www.michigan.gov/cybersecurity/0,1607,7-217-34415—,00.html

[5] http://staff.uow.edu.au/audit/termsandconcepts/index.html

[6] http://en.wikipedia.org/wiki/Risk_assessment

[8] http://en.wikipedia.org/wiki/Threat

[9] http://www.hoopp.ca/about/report/english/mda/glossary.htm

[10] http://www.michigan.gov/cybersecurity/0,1607,7-217-34415—,00.html

Be Sociable, Share!

Leave a Reply