1 / 41

BOT Business Continuity Planning (BCP)

This article discusses the framework, business impact analysis, and structure of business continuity planning (BCP) for disaster risk in the banking industry, with a focus on the Indonesian Bank.

rdelapaz
Download Presentation

BOT Business Continuity Planning (BCP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BOT Business Continuity Planning (BCP) Bank Indonesia Nov 20, 2007

  2. Business Continuity Planning • BCP Framework • Business Impact Analysis • BCP Structure Command • Crisis Management Preparedness • Testing and Maintenance • Cooperation with Banks and Financial Institutions • ITD BCP

  3. Business Continuity Planning (BCP) for Disaster Risk Objectives Disaster Risk Events During Event Post Event Potential Loss Incidents Potential Loss Incidents Natural Disaster • Fire / Flood /Extreme weather Infrastructure failure • Power outage • Telecoms • IT system Unsafe crisis events • Terrorist attack • Riots • Protests • Political unrest • Bomb/Bomb threats Avian flu pandemic (work in progress) • Damage to BOT’s assets, including premises and equipment • Peril to employees • Restricted access to workstation • Damage or loss of key information Operating Objectives Operating Objectives • Minimize immediate loss • Ensure employee safety • Evacuation plans • Maximize loss recovery • Minimize business interruption • Insurance • Back-up facilities Examples Examples Overriding Objective To prevent systemic risk that may be caused by BOT when impacted by disaster risk

  4. BCP: Framework Framework Preparation (Normal Operations) • Ensure implementation of effective BCP • Clear and effective testing procedures • Continuous communication • Training on risk awareness • Appropriate disaster risk prevention measures Loss Recovery (Resume Normal Operations) Damage Control (Emergency Situation) • Ensure effective emergency response • Effective evacuation plan • Effective fire extinguishing plan Effective Contingency Plans • Ensure maximum recovery of loss and resume normal operations • Damage assessment, reconstruction and key personnel succession plan Business Continuity (Post-emergency Situation) • Ensure business continuity for critical operations • Ensure back-up systems help minimize disruptions

  5. Business Continuity Planning • BCP Framework • Business Impact Analysis • BCP Structure Command • Crisis Management Preparedness • Testing and Maintenance • Cooperation with Banks and Financial Institutions • ITD BCP

  6. BCP: Business Impact Analysis What is BIA? BIA is a detailed analysis of business processes to determine the impact of business disruption on the organization

  7. BCP: Business Impact Analysis Purpose • Identify a list of business process recovery priorities, including service level agreement and recovery time objective • Identify minimum resources to support the processes • The result of BIA is also used for developing contingency plan including facilities/ infrastructure BOT The priority of business process Resource Allocation at Backup site Business process 1 Level 1 : 1 day - Working area others Level 2 : 3 days - IT equipment The externals Level 3 : 7 days - Office equipment

  8. BCP: Business Impact Analysis Overview of BIA assessment Classify business processes into 2 groups as followed: (1) Financial Market Transaction and Payment System (FinT & Pays) : business processes that are critical to the stability of financial institutions, monetary system and economy e.g. Current Account System, Electronic Cheque Clearing System (2) Non - Financial Market Transaction and Payment System (Non- FinT & Pays): business processes that their disruption may affect BOT’s internal operations

  9. BCP: Business Impact Analysis Assessment Assumptions • Scope of damage: • (Worst case) Disaster affects only BOT, there is no other damages to external parties and other infrastructures • Main working areas are totally damaged, cannot be resumed • The premises for backup site is not damaged, but IT system cannot be recovered. • Period of Disaster: Peak Time for each business process • Method to assess impact: evaluate each business process separately, e.g., Electronic Cheque Clearing System is damaged, while other systems can still be operated

  10. BCP: Business Impact Analysis Business Process Priority Level 1: RTO < 1 day • Financial Market and Reserve Management / Financial Risk Management & Operations • Payment Systems • Deposit & Debt Instrument • Banknote Management Level 2: RTO < 3 days • Data Management System • Enterprise Resource Planning System Level 3: RTO < 7 days • Others Reflects in Service Level Agreement between IT & BU

  11. Business Continuity Planning • BCP Framework • Business Impact Analysis • BCP Structure Command • Crisis Management Preparedness • Testing and Maintenance • Cooperation with Banks and Financial Institutions • ITD BCP

  12. BCP: Structure Command Business Continuity Plan Steering Committee Court of Directors Business Continuity Plan Steering Committee Top Management Committee Assistant Governor Strategic Capabilities Group Strategic Services Department (Operational Risk Management Division) Departments

  13. BCP: Structure Command BCP Steering Committee • Deputy governor of corporate support services as a chairman • Assistant governor of operations group and strategic capabilities group • Senior directors and directors of related departments such as  IT Department  General Administration Department  Management Assistance Department  Security Department  Strategic Services Department Members Roles and Responsibilities • Set up policies and strategies for bank-wide and departmental BCP • Set up framework for establishing / reviewing / testing and updating BCP • Consider the consistent linkage of critical operation systems

  14. BCP: Structure Command BCP Steering Committee Roles and Responsibilities • Set up policies and strategies for bank-wide and departmental BCP • Set up framework for establishing / reviewing / testing and updating BCP • Consider the consistent linkage of critical operation systems

  15. BCP: Structure Command Crisis Management Center (CMC) Top management committee and secretariat Line of Command Crisis Command Center Senior management representatives from critical depts. and related supporting depts. Crisis Coordination Center Selected staff for critical functions. Operating Command Centers Payment system Department Deposit & Debt Instrument Department Banknote Management Fin mkt. & reserve mgnt./ Fin Risk Mgnt. IT Department Security Healthcare Service Engineering and premise Hotline

  16. Business Continuity Planning • BCP Framework • Business Impact Analysis • BCP Structure Command • Crisis Management Preparedness • Testing and Maintenance • Cooperation with Banks and Financial Institutions • ITD BCP

  17. Other Departments System K System H System G NON-IT NON-IT NON-IT IT IT IT BCP: Crisis Management Preparedness BCP Development & Revision BOT BCP IT Department System Z System B System A Infrastructure NON-IT (Evacuation, Meeting location, Transportation, call-tree, etc)

  18. BCP: Crisis Management Preparedness IT Backup Data Center Primary Data Center Backup Data Center • Electricity supplies and telecommunication systems are separated from HQ’s • 24 hour CCTV & access control • Electric fence along the perimeter

  19. BCP: Crisis Management Preparedness CMC & BU Backup Workspace Working space for critical business units equipped with necessary computer systems & equipment

  20. BCP: Crisis Management Preparedness Awareness and Training Education / awareness for all or selected staff Training for key personnel • Regular BCP test • Bank-wide (Annually) • Departmental level (as necessary) • Key persons are required to participate • Key persons would be aware of their roles and responsibilities

  21. Business Continuity Planning • BCP Framework • Business Impact Analysis • BCP Structure Command • Crisis Management Preparedness • Testing and Maintenance • Cooperation with Banks and Financial Institutions • ITD BCP

  22. BCP: Testing and Maintenance Annual BCP Test: Worst Case Scenario Scenario • Main buildings at headquarter and data center cannot be accessible • Assume 10% of core function staff were injured and could not work • Disaster takes place at the critical time of the day Scope • IT and non-IT • All critical functions • FIs were involved in testing Testing time • Weekend (2 days) External Participants • FI’s

  23. BCP: Testing and Maintenance Annual BCP Test: Goals • The evacuation plan and journey to back-up side • Control and limit the damage by Security Department • Establish and operate of Healthcare Center • Establish and prepare for the Crisis Management Center (CMC) • Recovery of critical operation systems • Ensure key personnel succession plan • Communicate / broadcast / clarify message to public • Response to financial market

  24. BCP: Testing and Maintenance Maintenance • Review and update BCP review in the case of : • Changes in organizational structure • Changes in business process/employees • Business unit finds that present BCP is not appropriate or practical

  25. Business Continuity Planning • BCP Framework • Business Impact Analysis • BCP Structure Command • Crisis Management Preparedness • Testing and Maintenance • Cooperation with Banks and Financial Institutions • ITD BCP

  26. BCP: Cooperation with Banks and FIs BOT Policies • A guideline for IT contingency plan (OCT 2005) • A Policy statement on BCM&BCP of FI (Jan 2007) • Note: • BCM&BCP of FIs shall be in writing by Jan 2008 • FI’s need to conduct BCM&BCP test at least once a year

  27. Business Continuity Planning • BCP Framework • Business Impact Analysis • BCP Structure Command • Crisis Management Preparedness • Testing and Maintenance • Cooperation with Banks and Financial Institutions • ITD BCP

  28. Other Departments System K System H System G NON-IT NON-IT NON-IT IT IT IT BCP: ITD BCP IT BCP BOT BCP IT Department System Z System B System A Infrastructure NON-IT (Evacuation, Meeting location, Transportation, call-tree, etc)

  29. BCP: ITD BCP Non IT Fire Equipment and Evacuation Map Meeting Location Meeting Point Emergency Response Procedure IT Call Tree Alternative Contacts 21 ต.ค. 48

  30. BCP: ITD BCP Communication Channels Status report by phone Email notification of system recovery status

  31. Internet BCP: ITD BCP Redundant Network Connectivity Braches / BMC Headquarter Backup Data Center Primary Data Center Surawong Office Members

  32. System Disruption ….. BNPro EFS CA CAPro DB DB DB DB Disaster Events BCP: ITD BCP IT Disaster Recovery Plan Application RP SMART BOTCHQ ECS B/C-3D BN RG CA BE EFS System + Database Infrastructure Systems Network Data Center

  33. BCP: ITD BCP IT Activities for BCP Tests • BCP Test Preparation (Before disaster occurrence) • Planning • Equipment preparation • Prepare Test data • Backup data for normal operations after the test • Infrastructure preparation, e.g., changing weekend date to business day • BCP Test (From disaster occurrence until BCP test completion) • Simulate wide-area system failure • Evacuation • Disaster Recovery at backup sites • Support during business operations • Post-test (System recovery) • Recover all systems and applications for normal business operations • Restore actual data • Data and system verification

  34. BCP: ITD BCP IT Activities for BCP Tests • Communication Problems • BOT Internal • Within department • BCP understanding of involved parties • Between business units • External Entities • Financial Institutes • Publics, Journalists • Government • Readiness of involved parties in terms of equipments, personnel and BCP sequences • Need awareness training

  35. Wireless Access at BOT

  36. BOT WLAN Requirements • Meeting rooms • Be able to access Internet and BOTNET during meetings especially during Steering Committee Meetings • Modern meeting room environment • Mobile office concept

  37. Malicious Hacker Wireless LAN (WLAN) Wireless LAN • No physical boundary • Require strong security • Unauthorized resource access • Eavesdrop traffic • War driving • Impersonation LAN • Physical Security • Firewall

  38. User DB BOT WLAN Security BOTNET Internet Radius Server Network Policy • Authentication • Mutual Authentication • IEEE 802.1x : • PKI Certificate-based (EAP-TLS) • Password-based (PEAP) • Encryption (WPA2) : AES • Network Segregation • Internal : same as wired • External : Internet only Encryption Data Encryption Data Wireless Zone Authentication)

  39. Mobile Office • Objective: an office environment where employees can have network access from anywhere they work • Pilot Project • Pilot group: IT department • representatives from all IT divisions • An employer is assigned a notebook instead of PC • Equipped with BOT PKI certificate for WLAN authentication • Measure effectiveness/efficiency after 6 months

  40. Mobile Office Areas Meeting Rooms ITD Office Area Library Coffee Shop Cafeteria

  41. Q&A

More Related