The agencies identified four broad sound practices that eventually will be the basis for data security for all large IT organizations:
1. Identify clearing
and settlement activities in support of critical financial markets. This assessment must include identification of activities or systems that support or are integrally related to the performance of clearing and settlement activities in those markets. In the broader world, we call that identification of the most critical business processes and its supporting applications and records.
2. Determine appropriate recovery and resumption objectives for the processes and applications identified in Step 1. Core clearing and settlement organizations should plan to both recover and resume processing and other activities that support the critical markets, within the same business day, in which the event occurred (more about the recovery time objective later).
3. Maintain sufficiently geographically dispersed resources to meet recovery and resumption objectives. Here there was considerable discussion prompted in part by a fear of chasing jobs out of the Borough of Manhattan, NY. In some places the paper speaks of distances as great as synchronous remote copy will allow, currently 80-100km with mention that technology will continue to improve and allow greater distances. Asynchronous remote copy applications that offer virtually unlimited distances will suffice just as well, depending on business volumes and the recovery time objective. Volumes would have to be enormous to delay asynchronous recovery for a significant time (an hour for example). In any case, the paper opines that the recovery site must be served by different infrastructure components (transportation, telecommunications, water supply and electric power) than the primary site and it should not be impaired by a wide-scale evacuation or the inaccessibility of staff that serves the primary site.
4. Routinely use or test recovery and resumption arrangements. Test scenarios should include all recovery sites and must presume the availability of key staff at the primary site is impaired. Connectivity between the primary site and back up sites must be tested and those to other core clearing and settlement organizations. Very few large IT sites routinely test connectivity to its large customers and/or suppliers today and that is of increasing concern in this era of automated supply chain management.
Applicability and timing
The requirements documented in this paper apply to core clearing and settlement organizations and to other firms that play significant roles in critical financial markets. There was some discussion in the paper about the definition of "core" and "other" firms. Core clearing and settlement organizations consist of two groups of organizations that provide clearing and settlement services for critical financial markets or act as large-value payment system operators and present systemic risk should they be unable to perform. The first group consists of market utilities (government-sponsored services or industry-owned organizations) whose primary purpose is to clear and settle transactions for critical markets or transfer large-value wholesale payments. The second group of core clearing and settlement organizations consists of those private-sector firms that provide clearing and settlement services that are integral to a critical market (i.e., its aggregate market share is significant enough to present systemic risk in the event of its sudden failure to carry on those activities because there are no viable immediate substitutes). Core clearing and settlement organizations should continue its accelerated efforts to develop, approve and implement plans that substantially achieve the sound practices by the end of 2004.
Other firms are those that play significant roles in critical financial markets (on behalf of themselves or its customers) with sufficient market share in one or more critical financial markets such that a failure to settle its own or its customers' material pending transactions by the end of the business day could present systemic risk. While there are different ways to gauge the significance of such firms in critical markets, as a guideline, the agencies consider a firm significant in a particular critical market if it consistently clears or settles at least five percent of the value of transactions in that critical market. Firms that play significant roles in critical financial markets should develop, approve and implement plans that call for achievement of the sound practices as soon as practicable but generally by April 2005.
The agencies recognize that achievement of the sound practices could be a multi-year endeavor for some organizations and that it is not necessary or appropriate to prescribe any specific technology solution for implementing the sound practices.
Recovery time objective
Recovery and resumption of critical financial markets is defined to mean:
a. Completing pending large-value payments
b. Clearing and settling material pending transactions
c. Meeting material end-of-day funding and collateral obligations to ensure the performance of (a) and (b)
d. Managing material open firm and customer risk positions necessary to ensure the performance of (a) through (c)
e. Communicating firm and customer risk positions to ensure the performance of (a) through (d)
f. Carrying out all support and related functions that are integral to performing the above critical activities
Core clearing and settlement organizations should develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs with the overall goal of achieving recovery and resumption within two hours after an event. Core clearing and settlement organizations also should develop plans for communicating with participants during a disruption to facilitate its rapid recovery. Notwithstanding the comment on technology above, a two-hour objective will require some form of remote copy to magnetic disk. Recovery and resumption challenges are much larger than just recovering data, but any form of recovering data from magnetic tape, manual or automated, or optical disk will be too slow.
Senior management and boards of directors
Historically, recovery operations have been mainly a concern of systems administrators with modest review by senior management and external auditors. Incorporation of post September 11 business continuity objectives and sound practices raises numerous short- and long-term strategic issues that require continuing leadership and involvement by the most senior levels of management. Boards of directors should review business continuity strategies to ensure that plans are consistent with the firm's overall business objectives, risk management strategies, and financial resources. Decisions about overall business continuity objectives should not be left to the discretion of individual business units.
As one of our vendors likes to say, "with recent events records management has graduated from the back room to the board room."
Managing Partner Evaluator Group
About the author:
Jack Scott is the Managing Partner of Evaluator Group, a Denver based storage analysis firm. He is also Chairman of EmTAG, (Emerging Technologies Advisory Group), the technology headlights of AIIM (Association of Image and Information Management) and a frequent speaker on electronic document storage.
The Evaluator Series and Evaluator Series On-Line (ES/OL) are trademarks of Evaluator Group, Inc. All other trademarks are property of their respective companies.
This was first published in June 2003