Disaster recovery ability of banks
Monday, 20 April 2009
Imran Ahmed, FCA, CISA
In the recent past, a story about the hacking of the Rab website by four IT students of a private technology institute in the city's Mirpur area created fresh concern among the general public. The story further says that those hackers had recently hacked at least 22 websites, including that of the Bangladesh Army.
This story gives the clients of banks valid reason to be concerned about the security of their personal data on wealth management, credit facilities availed and so on, which is maintained and managed by the banks. God forbid that the database of a bank is somehow destroyed; if the lost data cannot be recovered, the consequences will be colossal and far-reaching for the banking sector. The business of the bank will come to a standstill: on the one hand, depositors may not be able to prove their current deposit balances, while on the other hand, the bank will not be able to serve clients because of the absence of data.
To protect information assets, banks apply various methods, such as taking backups throughout the day. The days when a single daily backup provided adequate protection for a business's critical processes are long gone. Banks also have separate processes for archiving old data and replicating data to an offsite location. In the event of a disaster, banks may have to recover data from damaged, failed, corrupted or inaccessible secondary storage media such as hard disk drives, storage tapes, CDs, DVDs, RAID arrays and other kinds of electronic storage systems when they cannot be accessed normally. Such media salvage is a last resort, and a plan that depends on it has already failed: the point of backup and replication is that a verified, restorable copy exists elsewhere before the primary copy is lost.
Nowadays online banking, Internet banking, SMS banking, mobile wallets and the like are all buzzwords in the banking sector. Banks try to attract customers by offering these hi-tech services. To support such technology-oriented banking services, banks are required to invest heavily in technology; some banks have already invested tens of millions of takas in their banking software and hardware. Because of the boon of technology, a client can bank from any corner of Bangladesh. This has resulted in rapid growth of the client base and an enormous increase in day-to-day transaction volume. For example, an account-holder who maintains a bank account in Dhaka can also bank online from Chittagong. All the transactions are recorded in the central database of the bank. If the data is gone for any reason, the bank will hardly be able to continue business.
Banks can lose data through a myriad of disasters, such as (1) natural catastrophes (e.g., earthquakes, fire, floods, storms), (2) human behaviour (e.g., hacking, virus attack, unauthorised data alteration, robbery, bomb threats, arson) and (3) technological breakdowns (e.g., power outages, computer crashes). Among other safety measures to safeguard information assets (i.e., data), banks must have a disaster recovery plan, which is also a mandatory requirement of the Bangladesh Bank, the regulator of the banks. The Bangladesh Bank Guideline on Information and Communication Technology for scheduled banks and financial institutions requires that banks have a Business Continuity Plan for their Information Technology (IT) and a Disaster Recovery Plan that sets out the bank's action plan for (i) a disaster during office hours, (ii) a disaster outside office hours and (iii) immediate and long-term actions in line with the business.
The Bangladesh Bank also requires that a Disaster Recovery Site (DRS) be in place replicating the Data Centre (Production Site), that the DR site be at a minimum distance of 10 kilometres (radius) from the production site, and that the DR site be equipped with compatible hardware and telecommunications equipment to support the live systems in the event of a disaster. Surprisingly, out of 30 private commercial banks (PCBs), four state-owned commercial banks and five special banks, only four PCBs, viz. Dhaka Bank, Eastern Bank, BRAC Bank and Dutch Bangla Bank, have established a DR site in compliance with the Bangladesh Bank ICT guidelines. Eight of the nine foreign banks operating in Bangladesh have DR sites, albeit outside Bangladesh. Moreover, the Bangladesh Bank requires that banks carry out and document disaster recovery testing at least once a year; but one may reasonably doubt the disaster recoverability of banks in Bangladesh.
To test disaster recovery effectively, we must first know why we are testing: what are we expecting, what are we trying to accomplish, and what are the goals of the disaster recovery plan test? The benefits of testing disaster recovery procedures include confirmation that the DR Plan actually works and a practical assessment of the data recovery ability of the bank's production site and DR site. It also provides valuable training and creates awareness within the organisation.
The goals of DR testing include establishing whether the bank's backup software can actually restore data and whether the disaster alert procedure really works. Testing keeps a bank's disaster recovery management efficient and drives plan maintenance, so that the plan stays up to date. Test participants get a real training opportunity. Finally, DR testing highlights gaps, omissions and undocumented changes in the environment.
A DR test need not always be enterprise-wide; rather, its scope should match the resources available. It should be conducted against a clear test plan and a clear set of objectives drawn up before the test. These objectives are then used to measure the success of the test. The success of DR testing does not always depend on flawless data recovery; finding gaps in the DR Plan can itself be a good outcome, provided each gap is recorded and assigned for correction before the next test.
It is difficult and risky to conduct a DR test that directly disrupts the production environment (i.e., during banking hours), as it requires subject-matter expertise and long practical experience. Server virtualisation may be one of the most suitable alternatives for testing disaster recovery without hampering the production environment, and virtualisation tools are readily available from IT vendors. The caveat is that a restore rehearsed on virtual copies validates the backup and restore procedure, not the DR site itself; the hardware, telecommunications links and failover at the DR site still need a periodic test of their own.
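As an added illustration of what a measurable test objective looks like in practice (example code written for this edit, not from the original article or from any bank's DR tooling): the script below backs up a constructed toy ledger, restores it to a scratch location standing in for the DR site, and scores the result against three objectives: restore completed, integrity verified against a hash manifest taken at backup time, and restore finished within an assumed maximum time. Running it with `corrupt=True` damages the restored copy to show the verification reporting a gap rather than a silent pass. The ledger rows, file names and time objective are all assumptions.

```python
"""Restore drill: back up a constructed toy ledger, restore it to a scratch
location standing in for the DR site, and score the result against written
objectives. Example code added for illustration; all names are assumptions."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample input (not real bank data): a few ledger rows standing in
# for the central database.
SAMPLE_LEDGER = [
    {"account": "DHK-0001", "balance": "125000.50"},
    {"account": "CTG-0002", "balance": "3400.00"},
    {"account": "DHK-0003", "balance": "98765.43"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_backup(records, backup_dir: Path) -> dict:
    """Write the records as newline-delimited JSON plus a manifest of hashes.
    The manifest is what later lets a restore be verified rather than assumed."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    lines = [json.dumps(r, sort_keys=True) for r in records]
    payload = ("\n".join(lines) + "\n").encode()
    (backup_dir / "ledger.jsonl").write_bytes(payload)
    manifest = {
        "taken_at": time.time(),
        "record_count": len(lines),
        "record_sha256": [sha256_hex(line.encode()) for line in lines],
        "file_sha256": sha256_hex(payload),
    }
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_backup(backup_dir: Path, restore_dir: Path) -> float:
    """Copy the backup into the restore location and return the elapsed seconds."""
    start = time.perf_counter()
    restore_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(backup_dir / "ledger.jsonl", restore_dir / "ledger.jsonl")
    return time.perf_counter() - start


def verify_restore(backup_dir: Path, restore_dir: Path) -> list:
    """Compare the restored file with the manifest. Returns the list of gaps
    found; an empty list means the restore is verified."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    restored = restore_dir / "ledger.jsonl"
    if not restored.exists():
        return ["restored ledger file is missing"]
    payload = restored.read_bytes()
    gaps = []
    if sha256_hex(payload) != manifest["file_sha256"]:
        gaps.append("file hash mismatch: restored ledger differs from backup")
    lines = payload.decode(errors="replace").splitlines()
    if len(lines) != manifest["record_count"]:
        gaps.append(f"record count {len(lines)} != {manifest['record_count']} in manifest")
    for i, (line, expected) in enumerate(zip(lines, manifest["record_sha256"])):
        if sha256_hex(line.encode()) != expected:
            gaps.append(f"record {i} hash mismatch")
    return gaps


def run_drill(records, max_restore_seconds: float, corrupt: bool = False) -> dict:
    """Run one drill end to end and report pass/fail per objective.
    corrupt=True deliberately damages the restored copy (one digit of the
    first balance) to show the verification reporting a gap."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "backup"
        restore_dir = Path(tmp) / "dr_site"
        take_backup(records, backup_dir)
        elapsed = restore_backup(backup_dir, restore_dir)
        restored = restore_dir / "ledger.jsonl"
        if corrupt:
            data = bytearray(restored.read_bytes())
            marker = b'"balance": "'
            data[data.index(marker) + len(marker)] = ord("9")
            restored.write_bytes(bytes(data))
        completed = restored.exists()
        gaps = verify_restore(backup_dir, restore_dir)
    return {
        "restore_completed": completed,
        "integrity_verified": completed and not gaps,
        "within_time_objective": elapsed <= max_restore_seconds,
        "restore_seconds": round(elapsed, 6),
        "gaps": gaps,
    }


if __name__ == "__main__":
    # The 60-second objective is an assumption for the toy data set.
    print(json.dumps(run_drill(SAMPLE_LEDGER, 60.0), indent=2))
    print(json.dumps(run_drill(SAMPLE_LEDGER, 60.0, corrupt=True), indent=2))
```

The design point is that the test criteria are written down before the restore is attempted and the outcome is recorded per objective, so a drill that finishes with a non-empty `gaps` list is still a useful, documented result rather than a failed exercise.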
Sooner rather than later, banks will have to prove the disaster recovery effectiveness of their systems to regulators and to clients at large in order to continue in the banking business. Banks must ensure that they have a solid contingency plan and that their systems are resilient enough to continue smooth banking operations in the event of a disaster. But the red flag is that most banks do not have a disaster recovery site, which is a matter of great concern.
The writer is a banker. He is SAVP & In-Charge, Audit and Internal Control Division, Dhaka Bank Ltd and can be reached at email: imran.ahmedfca@yahoo.com