170 likes | 369 Vues
Pakistan. BCP Preparedness for City Violence. Tariq Mahmood, Chief Security Officer. July 4, 2007. Pakistan. agenda. 1. A Brief Intro & the Situation. 2. CDC Preparedness. 3. Lessons Learnt. 4. Any Queries. A Brief Intro & the Situation. Pakistan.
E N D
Pakistan BCP Preparedness for City Violence Tariq Mahmood, Chief Security Officer July 4, 2007
Pakistan agenda 1 A Brief Intro & the Situation 2 CDC Preparedness 3 Lessons Learnt 4 Any Queries
A Brief Intro & the Situation Pakistan
CDC Pakistan – A Brief Intro (Figures as on May 31, 2007) • Number of employees 375 • CDS live securities 655 • Participants / Account Holders 534 • Eligible Pledgees 102 • Number of shares available in CDS 44.73 Billion • Market Capitalization of Shares US $ 30.93 Billion • Share Holder’s Equity US $ 17.92 Million • Total Assets US $ 21.84 Million • Total Revenue US $ 12.36 Million • Profit after Tax US $ 3.94 Million
Situation • May 12, 2007: A Saturday – Though a full working day but only 50% of the staff attend offices while remaining take off • All three Stock Exchanges are closed on Saturday but some of the stock brokers do attend their offices to perform back office work; Banks and Issuers/RTAs are open but mostly for half day only • Normally there is only 10% of the business of Mon – Fri. for CDC • Blockage in access to offices & other commercial areas was expected due to various political rallies planned that day • Violence with that severity was not predictable; CDC called only most essential staff to attend office with arrangements for their stay at hotel • No usual traffic in the city – Airport, Railway Stations, public transport affected • All utilities were available – Mobile, Telephone, Electricity, Networking etc. • Business Centers / Shops remained closed • Three offices of CDC in Karachi were operational though at lower scale and provided services to customers till first half of the day only. The CDS was available full day. • CDC offices in other cities provided full services
Pakistan CDC Preparedness
CDC Preparedness - Introduction • CDC established DR Site in same city in 2000 • CDC developed its first DR Plan in 2000 • Mock DR Drills of different levels were conducted in 2001, 2004, 2005 and 2006 • BCP of critical business functions was added in the revised DRP in 2006 • IBM Global Consulting was assigned to develop a comprehensive BCP covering all business functions in Oct 2006 • Several planning meetings and staff awareness presentations were conducted • All business functions prepared their draft BCP by April 2007 • Table Top tests were conducted to improve BCP • Draft BCP of entire CDC was completed in May 2007 • Following few slides present some of the aspects of the methodology, standards and processes used in the preparation of this BCP
Major Threats City Violence Illogical processing Invalid translation of user needs (technical requirements) Inability to control technology Equipment failure Incorrect entry of data Concentration of data Inability to react quickly Inability to substantiate processing Concentration of responsibilities Erroneous/falsified data Misuse of administrative authorities • Unauthorized access • Hardware failure • Utility failure • Natural disasters • Loss of key personnel • Human errors • Neighborhood hazards • Tampering • Disgruntled employees • Risk of Employees Safety • Improper use of technology • Repetition of errors • Cascading of errors
Result: CDC targets to become a leading-edge predictive organization CDC decided to develop a predictive model that will enable CDC to preemptively recognize and successfully respond to a threat before it becomes a crisis Infinite Events Resiliency Planning Finite Internal & External Impacts Major Effects People Processes Technology Infrastructure Applications Databases Partners Market Economic Prioritized Ranking of Threats Review of Existing Plans Threat Reduction Controls Gap Analysis Development & Testing of Resiliency Plans Physical, Personnel, Information, Reputation, Participants, Economic, Public and Private Infrastructure Impacts
CDC Emergency / Disaster Escalation paths . Request of Civic and Request of Civic and Vendor Services Vendor Services Alarm Notification Notification of Losses to of Losses to Insurance Co. Insurance Co. Secure Secure Damaged Site. Damaged Site. Detection IT Recovery Alarm IT Recovery Procedures for Procedures for Critical LAN's Critical LAN's IT Recovery Critical Procedures for Workplaces NonCritical LAN's Recovery Damage Assessment Help Desk Workplaces Resumption Support Service Recovery Procedure Select. Recovery Help Desk DR Committee Support Service Convocation Communication to Recovery CDC's personnel Comm. to Communication to Declaration ? Emergency Disaster Media, suppliers, CDC's personnel customers Comm. to Media, suppliers, Repair Problem customers Damaged Assets Repair End Damaged Assets .
CDC Business Continuity Teams Business Continuity Plan Team Organization Disaster Recovery Manager IT Disaster Recovery Coordinator Secretariat Support Disaster Recovery Committee Administration Assessment Team IT System Engineers Support Team Team Enterprise Surveillance Team Telco Engineers Team Security Support Team Technical Support Equipment and IT Operations Team Team Facilities Team Application / Technical Help Desk Support Support Team Team
Design Criteria-1: Basic Business Continuity Plan DR Site KSE relocation CDC House relocation Takeover relocation Takeover Branches Alert Zero hours 8 hours ? 2 hours ?? Emergency Problem Disaster E S C A L A T I O N & D E C L A R A T I O N P L A N
Design Criteria-2: Pre-Staged and Out of Region Recovery DR Site Pre-staged Staff & Technology Data Integrity Workload Rotation Remote Site CDC House IT High Availability Alternate replication link Data Integrity Primary replication link Pre-staged Staff & Technology Pre-staged Staff & Technology Takeover Takeover Branches Alert Zero hours • 8 hours • 2 hours Emergency Problem Disaster E S C A L A T I O N & D E C L A R A T I O N P L A N
Lessons Learnt Pakistan July 4, 2007
Lessons Learnt • People issues are paramount • Impact of location of employees; their safety, morale and cross training is important • Communications strategies • Although communications systems were available, however these may be affected; To consider multiple business recovery hotlines, Telecommuting, Business Continuity Website • Third-party contracts without continuity requirements • Although it was a one day situation, however if it was a longer duration, service providers and suppliers recoverability capabilities could pose problems; To ensure they got adequate business continuity plans • Improved focus on resiliency and investment in continuous availability strategies • To continue emphasis on business processes’ resiliency, investment in fault tolerant systems, data storage and network redundancy and to consider improved insurance coverage • Non-critical technology more important than anticipated • Although CDC was able to continue its data center operations, however it need to consider that worst case scenarios can become reality and it should prepare for that. To consider virtual office strategies.
Let’s acknowledge that Business Continuity is a process and people design, not only a technology design …… Technology Hardware and software capabilities 40% ProcessDefinition/design, compliance and continuous improvement PeopleRoles & responsibilities, management, skills development & discipline 60%
Any Queries ? Pakistan July 4, 2007