BOT_BCP

BOT Business Continuity Planning (BCP)

Bank Indonesia
Nov 20, 2007

Business Continuity Planning
    BCP Framework
    Business Impact Analysis
    BCP Structure Command
    Crisis Management Preparedness
    Testing and Maintenance
    Cooperation with Banks and Financial Institutions
    ITD BCP

Business Continuity Planning (BCP) for Disaster Risk
Objectives

    Disaster Risk Events
        • Natural Disaster: Fire / Flood / Extreme weather
        • Infrastructure failure: Power outage, Telecoms, IT system
        • Unsafe crisis events: Terrorist attack, Riots, Protests, Political unrest, Bomb/Bomb threats
        • Avian flu pandemic (work in progress)

    During Event
        Potential Loss Incidents
            • Damage to BOT’s assets, including premises and equipment
            • Peril to employees
        Operating Objectives
            1. Minimize immediate loss
            2. Ensure employee safety
        Examples
            • Evacuation plans

    Post Event
        Potential Loss Incidents
            • Restricted access to workstation
            • Damage or loss of key information
        Operating Objectives
            3. Maximize loss recovery
            4. Minimize business interruption
        Examples
            • Insurance
            • Back-up facilities

    Overriding Objective
        To prevent systemic risk that may be caused by BOT when impacted by disaster risk

BCP: Framework
Framework
    [Cycle diagram of four phases around "Effective Contingency Plans"]

    Preparation (Normal Operations)
        • Ensure implementation of effective BCP
        • Clear and effective testing procedures
        • Continuous communication
        • Training on risk awareness
        • Appropriate disaster risk prevention measures

    Damage Control (Emergency Situation)
        • Ensure effective emergency response
        • Effective evacuation plan
        • Effective fire extinguishing plan

    Business Continuity (Post-emergency Situation)
        • Ensure business continuity for critical operations
        • Ensure back-up systems help minimize disruptions

    Loss Recovery (Resume Normal Operations)
        • Ensure maximum recovery of loss and resume normal operations
        • Damage assessment, reconstruction and key personnel succession plan

BCP: Business Impact Analysis
What is BIA?
    BIA is a detailed analysis of business processes to determine the impact of business disruption on the organization

BCP: Business Impact Analysis
Purpose
    • Identify a list of business process recovery priorities, including service level agreement and recovery time objective
    • Identify minimum resources to support the processes

    The result of the BIA is also used for developing the contingency plan, including facilities / infrastructure.

    [Diagram labels]
    Business processes: BOT (Business process 1, others); the externals
    The priority of business process: Level 1: 1 day; Level 2: 3 days; Level 3: 7 days
    Resource allocation at backup site: working area; IT equipment; office equipment

BCP: Business Impact Analysis
Overview of BIA assessment
    Classify business processes into 2 groups as follows:

    (1) Financial Market Transaction and Payment System (FinT & Pays): business processes that are critical to the stability of financial institutions, the monetary system and the economy, e.g. Current Account System, Electronic Cheque Clearing System

    (2) Non-Financial Market Transaction and Payment System (Non-FinT & Pays): business processes whose disruption may affect BOT’s internal operations

BCP: Business Impact Analysis
Assessment Assumptions
    • Scope of damage:
        • (Worst case) Disaster affects only BOT; there is no other damage to external parties and other infrastructures
        • Main working areas are totally damaged and cannot be resumed
        • The premises of the backup site are not damaged, but the IT system cannot be recovered
    • Period of disaster: peak time for each business process
    • Method to assess impact: evaluate each business process separately, e.g., the Electronic Cheque Clearing System is damaged while other systems can still be operated

BCP: Business Impact Analysis
Business Process Priority
    Level 1: RTO < 1 day
        • Financial Market and Reserve Management / Financial Risk Management & Operations
        • Payment Systems
        • Deposit & Debt Instrument
        • Banknote Management
    Level 2: RTO < 3 days
        • Data Management System
        • Enterprise Resource Planning System
    Level 3: RTO < 7 days
        • Others

    Reflected in the Service Level Agreement between IT & BU

BCP: Structure Command
Business Continuity Plan Steering Committee
    [Organization chart boxes]
    • Court of Directors
    • Top Management Committee
    • Business Continuity Plan Steering Committee
    • Assistant Governor, Strategic Capabilities Group
    • Strategic Services Department (Operational Risk Management Division)
    • Departments

BCP: Structure Command
BCP Steering Committee
    Members
        • Deputy governor of corporate support services as a chairman
        • Assistant governor of operations group and strategic capabilities group
        • Senior directors and directors of related departments such as
            • IT Department
            • General Administration Department
            • Management Assistance Department
            • Security Department
            • Strategic Services Department
    Roles and Responsibilities
        • Set up policies and strategies for bank-wide and departmental BCP
        • Set up framework for establishing / reviewing / testing and updating BCP
        • Consider the consistent linkage of critical operation systems

BCP: Structure Command
BCP Steering Committee Roles and Responsibilities
    • Set up policies and strategies for bank-wide and departmental BCP
    • Set up framework for establishing / reviewing / testing and updating BCP
    • Consider the consistent linkage of critical operation systems

BCP: Structure Command
Crisis Management Center (CMC)
    Line of Command
        • Crisis Command Center: top management committee and secretariat
        • Crisis Coordination Center: senior management representatives from critical depts. and related supporting depts.
        • Operating Command Centers: selected staff for critical functions
            • Fin mkt. & reserve mgnt. / Fin Risk Mgnt.
            • Payment System Department
            • Deposit & Debt Instrument Department
            • Banknote Management
            • IT Department
            • Security
            • Healthcare Service
            • Engineering and premise
            • Hotline

BCP: Crisis Management Preparedness
BCP Development & Revision
    [Diagram: BOT BCP, made up of departmental plans]
    • IT Department: Infrastructure, System A, System B ... System Z, plus NON-IT (Evacuation, Meeting location, Transportation, call-tree, etc)
    • Other Departments: System G, System H ... System K, each with IT and NON-IT parts

BCP: Crisis Management Preparedness
IT Backup Data Center
    [Photos: Primary Data Center, Backup Data Center]
    Backup Data Center
        • Electricity supplies and telecommunication systems are separated from HQ’s
        • 24 hour CCTV & access control
        • Electric fence along the perimeter

BCP: Crisis Management Preparedness
CMC & BU Backup Workspace
    Working space for critical business units equipped with necessary computer systems & equipment

BCP: Crisis Management Preparedness
Awareness and Training
    Education / awareness for all or selected staff
    Training for key personnel
        • Regular BCP test
            • Bank-wide (Annually)
            • Departmental level (as necessary)
        • Key persons are required to participate
        • Key persons would be aware of their roles and responsibilities

BCP: Testing and Maintenance
Annual BCP Test: Worst Case Scenario
    Scenario
        • Main buildings at headquarters and the data center cannot be accessed
        • Assume 10% of core function staff were injured and could not work
        • Disaster takes place at the critical time of the day
    Scope
        • IT and non-IT
        • All critical functions
        • FIs were involved in testing
    Testing time
        • Weekend (2 days)
    External Participants
        • FIs

BCP: Testing and Maintenance
Annual BCP Test: Goals
    • The evacuation plan and journey to the back-up site
    • Control and limit the damage by Security Department
    • Establish and operate the Healthcare Center
    • Establish and prepare for the Crisis Management Center (CMC)
    • Recovery of critical operation systems
    • Ensure key personnel succession plan
    • Communicate / broadcast / clarify message to public
    • Response to financial market

BCP: Testing and Maintenance
Maintenance
    Review and update the BCP in the case of:
        • Changes in organizational structure
        • Changes in business process / employees
        • Business unit finds that the present BCP is not appropriate or practical

BCP: Cooperation with Banks and FIs
BOT Policies
    • A guideline for IT contingency plan (Oct 2005)
    • A policy statement on BCM & BCP of FIs (Jan 2007)

    Note:
    • BCM & BCP of FIs shall be in writing by Jan 2008
    • FIs need to conduct a BCM & BCP test at least once a year

BCP: ITD BCP
IT BCP
    [Diagram: BOT BCP, made up of departmental plans]
    • IT Department: Infrastructure, System A, System B ... System Z, plus NON-IT (Evacuation, Meeting location, Transportation, call-tree, etc)
    • Other Departments: System G, System H ... System K, each with IT and NON-IT parts

BCP: ITD BCP
Non IT
    • Fire Equipment and Evacuation Map
    • Meeting Location (Meeting Point)
    • Emergency Response Procedure
    • IT Call Tree
    • Alternative Contacts
    [Figure: call tree and alternative contacts charts listing staff names, dated 21 Oct 48 in the Thai original]

BCP: ITD BCP
Communication Channels
    • Status report by phone
    • Email notification of system recovery status

BCP: ITD BCP
Redundant Network Connectivity
    [Network diagram nodes: Headquarter, Primary Data Center, Backup Data Center, Surawong Office, Branches / BMC, Internet, Members]

BCP: ITD BCP
IT Disaster Recovery Plan
    [Layered diagram, top to bottom]
    • Application: BOTCHQ, RP, SMART, BN, RG, ECS, B/C-3D, CA, BE, EFS
    • System + Database: CA, CAPro, EFS, BNPro, ….. (each shown with a DB)
    • Infrastructure Systems
    • Network
    • Data Center

BCP: ITD BCP
IT Activities for BCP Tests
    BCP Test Preparation (Before disaster occurrence)
        • Planning
        • Equipment preparation
        • Prepare test data
        • Backup data for normal operations after the test
        • Infrastructure preparation, e.g., changing weekend date to business day
    BCP Test (From disaster occurrence until BCP test completion)
        • Simulate wide-area system failure
        • Evacuation
        • Disaster recovery at backup sites
        • Support during business operations
    Post-test (System recovery)
        • Recover all systems and applications for normal business operations
            • Restore actual data
            • Data and system verification

BCP: ITD BCP
IT Activities for BCP Tests
    Communication Problems
        • BOT Internal
            • Within department
                • BCP understanding of involved parties
            • Between business units
        • External Entities
            • Financial Institutes
            • Public, journalists
            • Government
    Readiness of involved parties in terms of equipment, personnel and BCP sequences
        • Need awareness training

Wireless Access at BOT
BOT WLAN Requirements
    Meeting rooms
        • Be able to access Internet and BOTNET during meetings, especially during Steering Committee Meetings
        • Modern meeting room environment
    Mobile office concept

Wireless LAN (WLAN)
    Wireless LAN
        • No physical boundary
        • Require strong security
    Malicious Hacker
        • Unauthorized resource access
        • Eavesdrop traffic
        • War driving
        • Impersonation
    LAN
        • Physical Security
        • Firewall

BOT WLAN Security
    [Diagram labels: Internet, Wireless Zone, Radius Server (Network Policy), User DB, BOTNET]
    1. Authentication
        • Mutual Authentication
        • IEEE 802.1x:
            • PKI Certificate-based (EAP-TLS)
            • Password-based (PEAP)
    2. Encryption (WPA2): AES
    3. Network Segregation
        • Internal: same as wired
        • External: Internet only
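
Added example (not part of the original slides and not BOT's configuration): a small Python check that audits a wpa_supplicant network block against items 1 and 2 above, i.e. 802.1X with EAP-TLS or PEAP, validation of the RADIUS server certificate (the client half of mutual authentication), and WPA2 with AES-only ciphers. The two sample profiles, the SSID, paths and finding names are constructed placeholders; network segregation (item 3) is enforced on the network side and is not covered here.

```python
import re

# Constructed sample profiles (placeholders, not BOT's configuration).
HARDENED = """
network={
    ssid="EXAMPLE-WLAN"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/example/radius-ca.pem"
    domain_suffix_match="radius.example.org"
    client_cert="/etc/example/user.pem"
    private_key="/etc/example/user.key"
}
"""
WEAK = """
network={
    ssid="EXAMPLE-WLAN"
    key_mgmt=WPA-EAP
    proto=WPA RSN
    pairwise=TKIP CCMP
    eap=PEAP
    identity="user"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
"""
AES_CIPHERS = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}
NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict per network={...} block (keys lower-cased, quotes stripped)."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, flags=re.S):
        cfg = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip().strip('"')
        blocks.append(cfg)
    return blocks

def aes_only(value):
    """True only if the cipher list is set and contains AES-based ciphers alone."""
    tokens = value.split()
    return bool(tokens) and all(t in AES_CIPHERS for t in tokens)

def audit(cfg):
    """Return finding names for one network block; an empty list means it passes."""
    findings = []
    methods = set(cfg.get("eap", "").upper().split())
    if "WPA-EAP" not in cfg.get("key_mgmt", "").split():
        findings.append("no-8021x")                # PSK or open network
    if not methods or not methods <= {"TLS", "PEAP"}:
        findings.append("eap-method")              # not EAP-TLS / PEAP
    if not cfg.get("ca_cert"):
        findings.append("server-not-validated")    # client would trust any RADIUS server
    elif not any(cfg.get(k) for k in NAME_KEYS):
        findings.append("server-name-unpinned")    # any certificate from that CA is accepted
    if "TLS" in methods and not (cfg.get("client_cert") and cfg.get("private_key")):
        findings.append("no-client-cert")
    if cfg.get("proto", "").split() not in (["RSN"], ["WPA2"]):
        findings.append("not-wpa2-only")           # unset proto also permits legacy WPA
    if not (aes_only(cfg.get("pairwise", "")) and aes_only(cfg.get("group", ""))):
        findings.append("not-aes-only")            # unset cipher lists also permit TKIP
    return findings

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(parse_networks(text)[0]))
```

The PEAP profile fails mainly because it omits ca_cert: without server validation the password-based method gives up the mutual authentication the slide lists first.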

Mobile Office
    Objective: an office environment where employees can have network access from anywhere they work
    Pilot Project
        • Pilot group: IT department
            • Representatives from all IT divisions
        • An employee is assigned a notebook instead of a PC
            • Equipped with BOT PKI certificate for WLAN authentication
        • Measure effectiveness / efficiency after 6 months

Mobile Office Areas
    [Photos: Meeting Rooms, ITD Office Area, Library Coffee Shop, Cafeteria]

Q&A

				