540 likes | 621 Views
Business Continuity Management, Business Continuity Plan, and Pervasive Computing in Bank Indonesia. Direktorat Teknologi Informasi Bank Indonesia November 2007. Agenda. 1. Business Continuity Management in BI Policy, Principles, Strategy, and Work Mechanism.
E N D
Business Continuity Management,Business Continuity Plan,and Pervasive Computingin Bank Indonesia Direktorat Teknologi Informasi Bank Indonesia November 2007
Agenda 1. Business Continuity Management in BI Policy, Principles, Strategy, and Work Mechanism 2. Business Continuity Plan in BI BCP, DRC, Disaster Experience and Lesson Learned 3. Pervasive Computing in BI
BCM Policy in Bank Indonesia Ruled in Board of Governoor Decree no 9/ 8/ PDG/ 2007 concerning Manajemen Kelangsungan Kegiatan (MKK) (Business Continuity Management) Bank Indonesia Business Continuity Management (MKK-BI) is a series of well planned activities that includes risk mitigation and fast, Effective, integrated and well coordinated disaster response and recovery activities that are needed to ensure Bank Indonesia can perform its operational activities central bank
Basic Principles fast, effective, integrated, coordinated Minimize disaster impact Continuity of Bank Indonesia’s operational activities
BCM Strategy Continued and consolidated mitigation activities Centralized command system Active participation and cooperation among Directorates Intensification of consolidated and periodic training, awareness, and testing programme Cooperation with related external institution
Work Mechanism Activities Activation Mitigation Work Mechasnism Evaluation And Feedback • Emergency Response • Emergency Cond. • Service and Handling • Recovery
Disaster Recovery & Business Continuity Plan :Case Studies and Real Experiences in Bank Indonesia
Business Continuity Plan (BCP) - Definition Business Continuity Planis a process designed to reduce the organization’s business risk. - Source : ISACA - Business Continuity Plan is a comprehensive policies and procedures to determine strategy, process, and system needed to ensure the continuity of Bank’s operational activity when any incidents happen internally or externally. -Source : BI Policy-
BCP Components Contingency Plan (CP) Disaster Recovery Plan (DRP) Emphasize on action planning for each working unit to watch over business continuity should incident or disaster happen including anticipation act to encounter the worst possibility. Emphasize on technology aspect focused on Data Recovery / Restoration Planand live of Critical IT Application and Infrastructure System and responsibility of the implementation is in each IT Working Unit. BCP Component
Business Continuity Plan - Objective To protect Important Assets. To minimize risks resulting from disaster aftermath such as limiting financial loss, legal risk, and reputation risk. To ensure continuity of service availability to stakeholders. To provide more alternatives in ensuring continuity in operational of critical business function.
BCP Principles Must have flexibility to be able to respond any threats, incidents, and disasters scenario. Compiled based on adequate Business Impact Analysis (BIA) and Risk Assessment. Must be specific to certain conditions and actions needed. BCP Principles BCP and try out results must be researched in certain time period. To be socialized to all business functions and personnel. Try outs and updates must be done in certain time period.
Recovery Time Objective (RTO) • Immediately • Within hours • Today • This week • Never • How long can you work without it ? • How soon do you need it ? Impact < 2 hr < 8 hr < 2 days < 1 weeks • Less than $ 1000 • $ 1001 to $ 10000 • $ 10001 to $ 100000 • $ 100001 to $ 500000 • Over $ 500000 Disaster (Loss Data) Last IT Back up (RPO) Recovery Time Objective (RTO) Recovery Time Clear Backlog Escalation Work lost
Risk Assessment Process and Procedures • Risk Identification • Risk Measurement • Recognize the location of risk • Recognize the risk’s cause • Recognize the method use in risk identification and the cause of it. • Recognize control provided in case the risk happen. • Quantitative : “ Analysis based on real numbers (financial numbers) toward security development expense and loss value.” • Qualitative : “ An analysis which determine organization’s risk challenge where measurement is done based on institution, expertise level in measure amount of risk which might happen, and the potential damage”
Minimum Procedures of BCP Immediate Steps Procedures to control crisis Minimum Procedures Scope of BCP System Recovery Procedure such as important information and hardware Backup, back-up site, and employee relocation when disaster occurs. Business Recovery Procedure which describes the detail responsibility and job description for each continuity team. Data Synchronization Procedure in the Main Site and Backup Site
Component of System and Business Recovery Procedures Personnel Technology System and Business Recovery Procedure Components System Documentation and Back-up Data DRC Business Recovery Center
Ruled in Board of Governor Decree No. 8/5/PDG/2006 concerning Bank Indonesia Information Technology Security and Recovery BI Business Continuity Plan Policy Information Technology (IT) Recovery is to provide a substitution of IT System and procedure in attempt of maintaining Bank Indonesia’s operation as a result of any disturbance and/or damage in hardware, software, network telecommunication, application, and IT supporting facility that is caused by abnormal or disaster condition. The Implementation is called Information Technology Recovery Management or Manajemen Pemulihan Teknologi Informasi (MPTI).
BI Business Continuity Plan Policy Abnormal Condition is situation or condition occured as a result of disturbance or damage in hardware, software, network, application, or IT supporting facility which affected continuity of Bank Indonesia’s main tasks. Disaster Condition is situation or condition occured as a result ofincidents which directly/indirectly affected continuity of Bank Indonesia’s main task and occured beyond any reasonable control of Bank Indonesia’s power and capability so that IT cannot be operated, including natural disaster, burnout, strike, riot, revolution, and/or government restriction.
MPTI - Planning Coordinating determination of Application’s RTO and RPO Inventing Critical/Non Critical Application Developing MPTI Method Determining Abnormal and Disaster Condition Scenario Socializing MPTI Evaluation Try Out Scenarios Compiling SOP for Handling Abnormal and Disaster Condition Scenario Administrating MPTI Documents
MPTI – Try Outs and Training Scenario for all application in substitute location periodically. Scenario for each application in substitute location periodically Scenario for supporting facility in substitute location periodically Try Out and Training
MPTI - Evaluation Must be done by Working Unit min. once in a year Planning for activity Budgeting EVALUATION Try Out / Training Evaluation Result is used as reference to MPTI enhancement.
MPTI Working Team – Organization Structure Deputy Governor IT Coordinator : DTI Director Application Executor Public Relation Human Resources IT Recovery Logistics Security
MPTI Working Team • MPTI-BI Working Team consists of : • Leader : Deputy Governor for IT; • Coordinator : IT Director; • Work Unit, as member of MPTI-BI Working Team (Public Relation, Human Resources, Logistics, Security, Application Executor, IT Recovey Work Unit) • MPTI-BI Working Team activity : • Routine Activity in Normal and Abnormal Condition • Incidental Activity in Disaster Condition
Disaster Recovery Center Disaster Recovery Center (DRC) is a substitute facility when Data Center is having disturbance or cannot be functioned properly due to no electricity to Data Center site, fire, or device damage, which is used in limited time as recovery in Data Center is being accomplished to maintain business continuity.
Bank Indonesia’s DRC • . DRC Bank Indonesia is provided to anticipate possibility of natural disaster such as earthquake, flood, or other possibility like terrorist threat in Bank Indonesia Head Office to ensure Bank Indonesia’s operational continuity. DRC Bank Indonesia is also provided to maintain Bank Indonesia’s operational continuity ifa system failure occur in HW, SW, or network device in Bank Indonesia Head Office. DRC Bank Indonesia is equipped with Mini Data Center which is identical with Data Center in KP – BI. Bank Indonesia is planning to implement Second Site DRC which is planned to be located in area with minimum disaster level. This planning is still in survey phase.
Bank Indonesia’s DRC Infrastructure BI’s DRC Infrastructure Hardware and Software Infrastructure (for Application, Firewall, Anti Virus, dll) Mainframe & Tandem Storage Network Devices • Supporting Facility (AC, UPS, Genset) High Speed Network Connection from Head Office to DRC Site Extranet for Stakeholder’s Network
Disasters • Mass blockade at KOPERBI Jakarta in 1998 • Closure of KBI Dili related to disintegration of Timor Timur from Indonesian Government • NAD’s Tsunami in 2004 • Yogyakarta’s earthquake in 2006 • Jakarta’s Flood in 2002 and 2007 • Communication Failure caused by Taiwan’s earthquake in 2007 • Earthquake in Padang, Bengkulu, and Jambi at 2007
Tsunami Banda Aceh – 26.12.2004 • Kantor Bank Indonesia (KBI) Banda Aceh: • Physically damaged and flooded • Devices inside the building (IT and non-IT) was severely damaged and cannot be functioned at all. • Supporting facility such as electricity, telecommunication, and network is not active. Fuel couldn’t be provided. • Communication can only be done by Satellite Phone. • All data in KBI Banda Aceh is lost. Impacts : BI’s services such as clearing, RTGS, etc was stopped, and this could delay economic activity within Aceh or generally in Indonesia.
Action for Disaster Recovery • Coordination with all Working Unit in Bank Indonesia especially Working Unit who are included in MPTI Working Team to recover critical functions. • DTI and other Working Unit (application owner) prepare application back-up server, and other devices especially for critical application. • Coordination with network telecommunication provider to activate network from KPBI to KBI Banda Aceh. • Went on-site to KBI location to activate Payment System with back-up server.
Action for Disaster Recovery (2) • Bank Indonesia Head Office assigned 2 team to recover critical function of KBI Banda Aceh: • Initial Team was in charge of doing field survey to determine devices that are needed, evacuated employee and family, and did a coordination with related party to provide supporting facility. • Second Team was in charge of bringing devices needed to recover KBI Banda Aceh operational and substitute personnel. • Besides team sent from BI-Head Office, KBI Medan also sent a team to support day-to-day operation in KBI Banda Aceh.
Action for Disaster Recovery (3) • Device provided : • Network Device (cooperate with network provider) • PC Desktop and Notebook • Server • Printer • Cable + accessories • Supporting facility such as genset with fuel sent from KBI Medan
Action for Disaster Recovery (4) • Bank Indonesia decided to move the location of KBI Banda Aceh to service house of Head of KBI Banda Aceh because the facility in initial location of KBI Banda Aceh such as electricity, sanitation, and clean water was not provided anymore. • In day 10 after the disaster, KBI Banda Aceh was fully operated with : • Genset for electricity • Communication using CDMA Phone (Flexi) and Satellite Phone • Data Communication using Wireless Local Loop (WLL) • PC was functioned as Clearing Server for SOKL Application • For KBI operational, some personnel were assigned from KPBI
Action for Business Continuity Plan Prepare operational in DRC as back up if BI Head Office could not be functioned or accessed by staff due to flood
Lesson Learned Technology People Process Availability of Human Resources which has competency and always ready to encounter or to be located in disaster area to support critical operational function related to IT or business process. Policy and detail BCP’ s technical procedure for facing any conditions and provide more comprehensive try out’s scenario in Bank Indonesia. Usage of IT devices which are ‘accident proof’ for disaster and usage of redundancy devices for IT and electricity. Improvement in providing Disaster Recovery devices such as : • Stand-by Machine • Substitute Personnel Mobile Communication Devices • Supporting Facility (genset, fuel, clear water etc.) Coordination between MPTI Working Team, BI’s Crisis Management, and the other function in Bank Indonesia’s organization. Improvement for Bank Indonesia’s BCP
Lesson Learned (2) Improvement of activities related to social function role (such as : Employee’s Family Information Center) to comfort personnel. To maintain operational activities of Banking sectors and to minimize risks that may arise from disaster, especially in Jakarta, BI has developed draft of BI Regulation which enforce commercial banks to have BCP and DRP to ensure the continuity of their business activities if disaster or disturbance occurs to their IT Infrastructure. To analyze diasater/ disturbance related risk that affected commercial bank, customer, and financial industry.
Pervasive Computing Characteristics Information processing is part of daily object and activities One user could use different devices in order to ease information access and transaction Anytime Anywhere User friendly Configurable
Strategic steps to pervasive computing acceleration of environment forming to pervasive computing well planned pervasive computing implementation will result on synergy that inline with activities within organization optimal synergism between ICT and business activities will accelerate organization performance. 44
Example of Activities in Bank Indonesia Traveling authorized personnel could be involved in decision making that must be done in an office meeting using teleconference technology. Personnel who is supervising a bank onsite could get access needed to application, information, and data via internet without having to store those information inside his/ her notebook. Personnel could get his/ her job done (e.g. reporting, data entry) in an emergency condition (e.g. security disruption, flood, and traffic jam) as is in a normal one 45
Methodology 46
Supporting technologies Network (particularly wireless network) Security Operating System Application User Interface Middleware End-user devices Smart-wireless sensor etc 48
pervasive computingimplementation category • Remote application execution • People Communication • Document Management System • Personal tracking system for emergency call • Fleet management system • Book and archive tagging system • Asset tagging system • Personal identity tagging system • Video surveillance system • Meeting and presentation room • Learning and practice room • Smart office room
implementedpervasive computing • Company email • Accessed via internet using OWA (Outlook Web Access) • Accessed via mobile devices using OMA (Outlook Mobile Access) • Personnel Tagging System