If you look at the news on the TV-tube or on a national news website such as www.msnbc.com today, you will see that Cedar Rapids, IA is under water. This is a city not far from my home town, and I know there were a few companies that either had to “execute” their disaster recovery (DR) and business continuity (BCP) plans or are putting their businesses on hold.
When I did BCP and DR reviews as an IT Security Consultant, mostly for FFIEC Bank Reviews/Assessments, as well as when I led this effort at prior companies I was at, these were a few of the items of concern:
Generally the process to create a BCP plan is simple. It is gathering the information, accessing the information, and keeping the information up to date (you do have DR/BCP considerations in new projects and as a part of your change management processes, don’t you?) that is the painful bit. This shouldn’t be a once-a-year project that a company assigns to an IT person; it should be run by a committee that meets regularly with input from all departments.
Here are the general steps of the process:
- Perform a business impact analysis: what would happen to the business and its customers during a disruption of business? What systems and processes are needed by the business and its departments to function?
- Perform a risk assessment / threat analysis: Flood, Fire, Loss of Power, Pandemic Bird Flu, Earthquake, Tornado/Hurricane, Bribery, Computer Attack, Loss of Communication Lines? What is the likelihood of each event occurring, and what is its impact?
- Develop recovery time objectives: how long can you be down or unavailable?
- Develop procedures for each department - Safety, Evacuation procedures, command centers, calling lists, off-site inventories, vendor lists, customer contact information, recovery teams, team members and responsibilities.
- Test the plan - Tabletop testing based on mock scenarios, and technical recovery tests of systems are important here.
- Wash, rinse and repeat …
With Payment Processing applications the following are topics that you need to think about:
- Batch processing and transferring of data files (do you have the documented information, equipment, software and configurations to perform this?)
- Real Time Authorizations considerations
- Communication Links to end-points and providers
- Availability of Backup Hardware
- Data replication strategy
- Backups of systems
- Ability to restore systems
- Data Integrity concerns and potential loss of data
- Security of Payment Card information during a disaster
- HSM, encryption keys and key custodians
- Reconfiguration of client systems to connect to alternate site
- Are processes and install/setup/configurations documented so that someone other than the “go-to-guy” can perform these steps? He or she may be with their family because they lost or are displaced from their home.
I’m sure I can think of more considerations, and you can too, but the point was to make you think. Another recent event, described here, was at a hosting center that was not allowed to bring up its backup generators and execute its BCP plan because of an order from the Fire Department and safety concerns.