Page 1: A Forrester Consulting Thought Leadership Paper ...docs.media.bitpipe.com/io_10x/io_104955/item_537889/Forrester TLP - India.pdf · A Forrester Consulting Thought Leadership Paper

A Forrester Consulting Thought Leadership Paper Commissioned By EMC

The Data Storage Imperative: Backup, Recovery and

Archiving in India

April 2012


Forrester Consulting

The Data Storage Imperative: Backup, Recovery and Archiving in Asia Pacific

Page 1

Table Of Contents

Executive Summary ............................................................................................................................................................................... 2

India Policies and Regulations ........................................................................................................................................................... 2

Data Storage Approaches Currently Vary Widely Across the Region ..................................................................................... 5

Regulations Will Continue To Have a Major Impact on Data Storage Strategies and Approaches ................................ 7

Key Recommendations ...................................................................................................................................................................... 10

Appendix A: Methodology and Respondent Profile .................................................................................................................. 11

Appendix B: A List of Regulations in India................................................................................................................................... 14

Appendix C: Data Storage, Backup and Archiving Regulations in India ............................................................................. 15

© 2012, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com.

About Forrester Consulting

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.


Executive Summary

Storing, accessing and leveraging business-critical data will remain a strategic imperative for organizations of all sizes across Asia Pacific (AP). In fact, implementing and managing effective policies for data storage, backup and recovery are now more critical than ever. Trends such as cloud computing, social technologies and mobility are driving major changes in the amount of data being generated, the types of data being stored (both structured and unstructured), and regulations in areas like data sovereignty and residency.

In September 2011, EMC commissioned Forrester Consulting to evaluate data backup, recovery and archiving adoption trends and challenges across AP, and in particular to assess how organizations are storing data and the impact of regulations focused on data protection and recovery.

This document analyzes some of the key trends, perceptions and actions that IT organizations are undertaking as they seek to cost-effectively store data to support business requirements while also complying with rapidly changing regulations. To do so, Forrester surveyed 550 respondents across 11 countries in AP, including 50 in Australia and 30 in New Zealand, conducting in-depth interviews with a mix of senior IT and business decision-makers who have deep knowledge of their organizations’ IT operations.

Key Findings

Forrester’s study yielded several key findings:

India Has A Fast-Changing Regulatory Environment, in which compliance requirements related to data protection and security are becoming tighter. Organizations should formalize processes for ongoing analysis and monitoring of relevant laws and regulations, and decide on the most feasible approaches to data storage, backup and archiving that serve both business needs and compliance requirements.

Data Storage Approaches Currently Vary Widely. This will remain the case, as an effective information governance strategy must leverage a variety of tools, technologies and approaches based on the type of information being stored and the relevant policy requirements.

Regulations Will Continue To Have A Major Impact On Data Storage Strategies And Approaches. IT organizations must carefully consider all approaches to storing and accessing business-critical data and continually assess technology capabilities against changing laws and regulations.

India Policies and Regulations

India has exhaustive statutory laws covering taxation, corporations, labor, consumer protection, investor protection, foreign currency exchange, anti-terrorism and industrial policy, among other areas. Under the country’s economic liberalization policy, various reforms have been carried forward. The authorities are trying to bring legislation up to date with the fast pace of technological advancement in India, just as other governments and international organizations are doing worldwide. The enactment of new personal data protection laws in 2011 has had implications for all industries, including in the areas of security measures and data transfer to third parties. The authorities have appointed working groups to continually review existing legislation related to corporate governance, risk management, data protection and security, and other areas, which will likely result in further amendments to existing policies and guidelines.

Personal Data Protection Laws

India adopted new data protection rules in April 2011, designed to protect ‘sensitive personal data and information’ and applicable to all industries. When collecting, storing and handling personal information, organizations are required to obtain written consent from individuals; have clear and easily accessible statements of their privacy policies; implement reasonable security practices; and have comprehensively documented security policies.[1]

Organizations may adopt the International Standard IS/ISO/IEC 27001 or another security standard approved by the central government. Data breach notification is not mandatory, but in the event of an information security breach an organization must, when called upon by the authority, demonstrate that it has implemented security control measures in line with its documented information security policies.[2]

Under the most recently amended Act, tougher penalties apply in the case of a data breach. Disclosure of information knowingly and intentionally, without the consent of the person concerned and in breach of a lawful contract, may be punished with imprisonment for a term of up to three years, or with a fine of up to INR 500,000, or with both.[3]

SOX Compliance

The authority monitors the corporate governance of listed companies in India through Clause 49, which is incorporated in the listing agreement between stock exchanges and listed companies.[4] The Indian authority has tightened the governance rules by issuing amendments.[5]

Unless a company is publicly listed in the US or is an SEC registrant, the Sarbanes-Oxley Act (SOX, 2002) is not compulsory. However, SOX is widely regarded as the global de facto governance standard, and SOX requirements are becoming de facto best practice, especially for companies seeking investment from the US.

Record Retention Requirement

Corporate acts and taxation law typically determine data retention schedules based on the type of record, such as financial/accounting records, corporate tax records and related documents. Financial records must be retained for at least eight years, while tax records must be kept for seven years. There is no regulatory requirement related to retaining employee records in India.

Data Encryption Requirement

There is no centrally controlled encryption law in India, but there are guidelines for managing sensitive personal data or information (SPDI) and requirements for online trading:

- Passwords and highly sensitive information in storage must be encrypted using internationally proven encryption techniques to prevent unauthorized disclosure and modification.[6]

- Electronic communication systems used for the transmission of sensitive information must be equipped with suitable security software and, if necessary, with an encryptor or encryption software.[7]

- Online trading brokers are required to use encryption technology for the security, reliability and confidentiality of data.[8]

The encryption requirements, data transfer restrictions, and business continuity/disaster recovery (BC/DR) requirements in India are summarized below (Figure 1).

Figure 1

Encryption, Cross-Border Data Transfer, and BC/DR Requirement in India

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012

Cross-border Data Transfer

Under the new data protection rules, organizations may transfer personal data to a third party in India or outside India if the third party affords the same level of data protection as that adhered to under the data privacy rules in India; and the transfer is necessary for the performance of a lawful contract; or the information provider has consented to such transfer.[9]

Business Continuity and Disaster Recovery

The Reserve Bank of India (RBI) has released business continuity planning (BCP) guidelines for the banking sector.[10] The RBI specifies technology aspects of BCP, including high availability and fault tolerance for mission-critical applications and services; RTO/RPO metrics that fit the criticality of the business process and function; auditing of the deployed architecture for mission-critical applications and services; periodic investigation of outages experienced; defined testing procedures; and regular BCP testing, at least annually, to keep the BCP up to date and effective.[11]

The RBI also suggests a near-site disaster recovery architecture to enable quick recovery and continuity of critical business operations.[12] Furthermore, banks should submit an annual statement describing the RTOs set for critical systems, as well as a quarterly statement reporting major failures and the steps taken to avoid such failures.[13]


Data Storage Approaches Currently Vary Widely Across the Region

Daily backup of corporate data is the most common approach across AP, particularly in Japan (84% of respondents), New Zealand (80%) and Australia (78%). In contrast, only 35% of China respondents currently leverage daily backup, far below the regional average. In fact, 28% of China respondents still back up their data weekly, by far the highest rate in the region, versus only 2% in Australia and no Japan respondents (see Figure 2).

One-third of Korean respondents support real-time backup, the highest in AP. Thailand (10%) and the Philippines (12%) lag, but so too do the more mature IT markets of Japan (13%) and New Zealand (13%). Among organization types, very large organizations (10k+ employees) are twice as likely to support real-time backup as smaller organizations (<1k employees), 34% vs. 16%.

Figure 2

Frequency Of Data Backup Varies Widely Across Asia Pacific

On average, how often do you backup corporate data that is considered most critical?

              Real-time   Daily   Weekly
Total AP         19%       62%     11%
Thailand         10%       64%     18%
Philippines      12%       64%     20%
China            13%       35%     28%
Japan            13%       84%      3%
ANZ              18%       79%      6%
Singapore        18%       74%      2%
Malaysia         24%       58%      4%
Indonesia        24%       62%     11%
India            27%       51%      7%
Korea            33%       60%      9%

(Other*: the remaining share of each row could not be recovered from the extracted chart.)

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012

Managing ever-increasing data volumes is the primary challenge APJ organizations face with regard to backup/recovery/archiving (see Figure 3). India is the lone exception, where increasing data volumes are edged slightly by the challenge of improving the efficiency of backup operations.

Organizations across the region vary significantly in how closely they follow regulations outlining the number of years to store historical data (see Appendix C). Australia has the highest percentage of respondents who eliminate stored data after the required number of years (40%), versus only 15% in China and 17% in Korea. In contrast, 32% of respondents in both Malaysia and Indonesia currently store all historical data forever, versus only 12% in Australia and no respondents in Japan.

Figure 3

Challenges To Backup, Recovery and Archiving Are Extensive

What are the challenges that you’re currently facing with regards to backup/recovery/archiving? Please select up to three.

Managing ever-increasing data volume               22%
Improving efficiency of backup operation           16%
Increasing operational complexity                  13%
Lack of simplified management/automation tools     10%
Lack of internal skill/knowledge                    9%
Over-reliance on manual processes                   8%

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012

Tape-based storage remains critical in key AP markets, including Korea, where respondents are the most likely to view tape-based storage as critical to their business, rating the importance of searching for data on tapes 8.4 out of 10 (with 1 being lowest and 10 being highest). China respondents also rank the importance of searching for data on tapes highly, at 6.7 out of 10, well above the regional average of 5.8. Finally, among verticals, BFSI ranks the importance of searching for data on tapes highest at 6.5, versus only 5.1 for both public sector respondents and IT service providers.

The reliability of tape-based storage is also a consideration, with Korean respondents rating reliability highest at 8.4 out of 10, versus a regional average of 6.8 and a low of 5.8 in Japan. Among verticals, both BFSI (7.1) and manufacturing (7.0) rate tape reliability above the regional average.

Despite ongoing demand, concerns related to managing tapes also affect organizations’ strategies. Across the region, maintaining tape drives/libraries to restore data from tapes is the primary concern. The only exception is Korea, where organizations are most concerned about physically managing the large number of tapes in use.


Regulations Will Continue To Have a Major Impact on Data Storage Strategies and Approaches

Awareness of regulatory requirements varies widely across the region. Surprisingly, Japan respondents in particular rate their awareness low, at 4.4 out of 10 (with 10 being highest), while Korea (8.5) and China (7.8) both score well above the regional average of 6.9. Among specific regulations, AP organizations are most familiar with the Private Information Protection Law (7.2 out of 10) and least familiar with the International Financial Reporting Standards (IFRS) at 5.6 and Sarbanes-Oxley (SOX) at 5.9.

Organizations in Indonesia and the Philippines are the most likely to increase spending as a result of regulations. Across the region as a whole, regulations related to disaster recovery and business continuity are the most likely to drive increased spending on backup, recovery and archiving. When considering all regulatory requirements, AP organizations are slightly more likely to retrieve data quarterly than monthly (see Figure 4).

Figure 4

The Frequency Of Data Retrieval Varies Widely

Please indicate how often you have typically retrieved data for regulatory purpose over the past three years.

              Monthly   Quarterly   Half yearly   Yearly   Others
Total AP        21%       22%         16%         17%      23%
Japan            2%       31%         16%         20%      31%
Thailand        12%       18%         14%         38%      18%
New Zealand     13%       20%         17%         23%      27%
Malaysia        14%       28%         16%         20%      22%
India           19%       30%         16%          6%      30%
Singapore       20%       16%         22%         32%      10%
Australia       24%       20%         16%         20%      20%
Philippines     24%       34%         16%         12%      14%
Indonesia       30%       18%         22%         22%       8%
China           49%       19%         12%          3%      17%

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012

Disks and internally managed off-site locations are viewed as the two most appropriate media for storing corporate data in order to comply with legal and regulatory requirements (see Figure 5). Disks are viewed most favorably in mature IT markets like Australia, Japan, Korea, New Zealand and Singapore, while internally managed off-site locations are preferred in growth markets like China, India, Indonesia, Malaysia and the Philippines.


Figure 5

Organizations Continue To Leverage Multiple Data Storage Approaches

On a scale of 1 to 10, where 10 is most appropriate and 1 is least appropriate, how appropriate do you think each of the following is for storing corporate data in order to comply with legal/regulatory requirements?

Disks                                        7.2
Off-site location - internally managed       7.1
Optical media                                6.5
WORM media                                   6.5
Tapes                                        6.4
Off-site location - managed by a 3rd party   6.2

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012

Over the next 12 months, most organizations expect data volume growth of 10-29% or more, and the expected growth rate of data volume is likely to continue to accelerate over the next 2-3 years (see Figure 6). Organizations in Japan, India and Indonesia expect the largest data growth rates over the next 12 months, while Australia expects the lowest. Results vary slightly when considering data growth rates over the next 2-3 years, with Japan, Thailand and Indonesia expecting the largest data growth rates while Singapore expects the lowest.

Figure 6

Data Storage/Backup Volume Will Continue To Grow And Accelerate

What average annual data growth rate do you expect for your data storage/backup requirements in the next 12 months, and over the next 2-3 years?

                 Next 12 Months   Next 2-3 Years
50%+                  13%              32%
30 – 49%              22%              31%
10 – 29%              50%              25%
Less than 10%          9%               5%

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012


Data volume and efficiency improvement are the key investment drivers for data backup and recovery in AP over the next 2-3 years (see Figure 7). China ranks ‘security capabilities’ highest, while Singapore weighs ‘complying with regulations’ as a primary driver. ‘Disaster recovery’ is the secondary focus after data volume in Australia and New Zealand. Japan and Korea rank ‘utilization rate improvement’ higher than other countries do. Indonesia is the only country that doesn’t consider data volume the key driver, instead listing efficiency improvement and disaster recovery as the primary reasons for backup and recovery investment.

Figure 7

Data Backup, Recovery, And Archiving Investments Are Driven By Many Different Factors

Which of the following do you think are likely to drive investment for backup/recovery/archiving over the next 2-3 years? Please select up to three.

Managing larger volumes of data                                  16%
Improving the efficiency of storage/backup infrastructure        16%
Improving security capabilities                                  13%
Improving DR readiness                                           13%
Complying with regulations                                        9%
Improving utilization rates of storage/backup infrastructure      9%
Infrastructure consolidation                                      9%

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012


Key Recommendations

Monitor all relevant laws and regulations applicable to your industry. Given the high frequency of changes in regulations across the region, organizations should ideally review all applicable policies and requirements every 12 months across all countries in which the organization operates. This includes data privacy and protection laws as well as regulations targeting business continuity and disaster recovery, among others.

Review backup and recovery tools, technologies and approaches regularly. To ensure adequate support for data laws and regulations, organizations should analyze their storage, backup and archiving approaches every 12-18 months. This is essential not only for ensuring compliance but also for containing the cost of managing growing data volumes and meeting the service level expectations of the business.

Evaluate technology and approaches to reduce costs and improve management efficiencies. In addition to reviewing the core storage solutions in use, look to adopt a common platform for backup and archiving. At the same time, evaluate data management solutions like data deduplication.

Analyze current internal policies for data storage and retention. Identify areas where data can be stored for shorter periods of time to reduce ongoing operational expenditures. Simultaneously, apply the appropriate information governance approach based on data requirements, for instance by leveraging archiving for long-term data retention and backup for operational data.

Understand the impact of cloud computing and traditional outsourcing. An effective information governance strategy must extend to support data stored off-premises. Whether the data resides in shared or dedicated infrastructure, organizations must ensure the data is stored and protected in a compliant manner.


Appendix A: Methodology and Respondent Profile

In this study, Forrester conducted telephone interviews with 550 organizations across verticals such as banking, financial services and insurance; manufacturing; public sector; telecom; and IT service providers in Australia, China, India, Indonesia, Japan, Korea, Malaysia, New Zealand, the Philippines, Singapore and Thailand, to evaluate their need to store/back up/archive data, their awareness of legal requirements, and their technology requirements and adoption status. Survey participants included both IT and business decision-makers in managerial roles, mainly at large enterprises (more than 1,000 employees) along with some SMBs (500 to 999 employees). The study began in October 2011 and was completed in March 2012.

Figure 8

Type Of Organization

How would you describe your company?

MNCs             37%
Local/Regional   41%
Public           22%

Base: 550 enterprise IT and business decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012


Figure 9

Breakdown By Employee Size

How many people are there in your company?

10,000+       17%
5,000-9,999   14%
1,000-4,999   54%
500-999       15%

Base: 550 enterprise IT and business decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012

Figure 12

Approaches To Storing Corporate Data

Which of the following is used to store corporate data? Please select all that apply.

Paper            91%
Online Storage   45%
Tape             85%
Server           89%
Storage          94%

Base: 550 enterprise IT and Business decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012


Figure 10

Approaches To Managing Storage Operation

Please select the one statement that best describes how your company manages storage environment.

% of respondents choosing 'All managed internally'

AP Average    72%
India         59%
Korea         60%
China         65%
Japan         71%
Indonesia     72%
Thailand      74%
Malaysia      74%
Singapore     80%
Philippines   82%
ANZ           83%

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012


Figure 11

Historical Data Retention and Elimination Practice

Which of the following best describes how you manage historical corporate data?

1. Store data for longer than the legally required no. of years
2. Eliminate after the required no. of years
3. Never eliminated historical data in the past
4. Other (no formal procedure in place, uncertain)

                 1      2      3      4
Total AP        41%    27%    23%     9%
Malaysia        20%    36%    32%    12%
Indonesia       28%    24%    32%    16%
India           29%    23%    31%    17%
Thailand        32%    34%    20%    14%
Philippines     38%    30%    28%     4%
Australia       44%    40%    12%     4%
Singapore       48%    30%    16%     6%
New Zealand     50%    23%    20%     7%
China           55%    15%    28%     3%
Korea           60%    17%    17%     7%
Japan           64%    33%     0%     2%

Base: 550 decision-makers

Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012

Appendix B: A List of Regulations in India

The Companies Act 1956
The Securities Contracts (Regulation) Act 1956
The Income Tax Act 1961
The Information Technology Act (the IT Act) 2000
The Information Technology (Certifying Authorities) Rules 2000
The Information Technology (Amendment) Act 2008
Clause 49 of the Listing Agreement
The Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011


Appendix C: Data Storage, Backup and Archiving Regulations in India

Data privacy rules - The Information Technology (reasonable security practices and procedures and sensitive

personal data or information) Rules 2011 or the Data Privacy Rules applies to sensitive data of any individual

collected, processed or stored by any entity in India. Anyone who uses prior to collection of sensitive data,

the body corporate or the data processor must obtain prior written consent (by letter, fax or email) from the

prospective provider, regarding the purpose of usage of such data (5 (1)); shall provide a privacy policy for

handling of or dealing in personal information (4(1)); being considered to have reasonable security practices

and procedures (8 (1)). Sensitive data must not be collected unless it is for a lawful purpose and the

collection is necessary for that purpose (5 (2)); and shall not be retained for longer than is required for that

purpose (5 (4)). Disclosure of sensitive personal data or information by body corporate to any third party

shall require prior permission from the provider of such information (6 (1)).

Security measures – Under the Data Privacy Rules 2011, the body corporate and the data processor must implement reasonable security practices and standards and maintain a comprehensively documented information security program and information security policies. These must contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected and with the nature of the business (8(1)). The International Standard IS/ISO/IEC 27001 on ‘Information Technology - Security Techniques - Information Security Management System - Requirements’ is recognized as an approved security practices standard that the body corporate or the data processor may implement to comply with the security requirements (8(2)). Any other security standard approved by the Central Government may also be adopted (8(3)). Under the IT Security Guidelines issued with the Information Technology (Certifying Authorities) Rules 2000, organizations are encouraged to ensure the secure disposal of sensitive information assets held on corrupted, damaged or otherwise affected media, both internal (e.g., hard disk, optical disk) and external (e.g., diskette, disk drive, tapes) to the system; preferably such media should be destroyed (5.3 Sensitive Information Control (7)). Removable electronic storage media must be removed from the computer and properly secured at the end of the work session or workday (5.3(4)), and hard disks containing sensitive information and data must be securely erased before the computer system is handed to another internal or external department or sent for maintenance (5.3(6)).

Penalties – Under Section 43A of the IT Act 2000, a body corporate that possesses, deals with or handles sensitive data in a computer resource is liable to pay compensation if it is negligent in implementing and maintaining reasonable security practices and procedures and that negligence results in wrongful loss or wrongful gain to any person. Under Section 72A, inserted into the IT Act by the IT (Amendment) Act 2008, a person who is providing services under a lawful contract may be liable to imprisonment for a term of up to three years, or a fine of up to INR 500,000 (approximately U.S.$10,000 at 2012 exchange rates), or both, for disclosure of personal information of any individual: (a) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain; and (b) without the consent of such individual, or in breach of a lawful contract.

Encryption – The Government has laid down the IT Security Guidelines under the Information Technology (Certifying Authorities) Rules 2000, which state that highly sensitive information assets should be stored in an encrypted format to avoid compromise by unauthorized persons (5.3 Sensitive Information Security (1)), and that electronic communication systems used for the transmission of sensitive information, such as routers, switches, network devices and computers, must be equipped with suitable security software and, if necessary, with an encryptor or encryption software (5.3(6)). The Securities and Exchange Board of India (SEBI) mandates that Internet trading systems use encryption technology for the security, reliability and confidentiality of data, and prescribes 64-bit/128-bit encryption for standard network security. For securities trading over a mobile phone or Wireless Application Protocol (WAP), SEBI recommends that transmission from the WAP gateway server to the Internet server be secured using Secure Sockets Layer (SSL), preferably with 128-bit encryption. The Reserve Bank of India (RBI) advises that banks should use at least 128-bit SSL for securing browser-to-web-server communications, and should encrypt sensitive data such as passwords in transit within the enterprise itself.
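The 128-bit figure above is a floor on symmetric key strength, and the practical question for an operator is whether a server's TLS configuration can still negotiate anything below it. The following Python script, added here as an illustration and not drawn from the Forrester paper or from any SEBI or RBI text, expands an OpenSSL cipher policy string with the standard ssl module and flags every admitted suite whose effective key strength is under a chosen floor; the two policy strings it compares (PERMISSIVE_POLICY and HARDENED_POLICY) are assumptions written for the example. SSL itself and 64-bit ciphers are obsolete today (SSLv3 was formally deprecated by RFC 7568); the same check applies unchanged to TLS.

```python
"""Check a TLS cipher policy against a minimum key-strength floor.

Added example for this section; it is not code from the Forrester paper,
SEBI or the RBI. It relies only on Python's standard ssl module, so it runs
offline against the OpenSSL build Python was linked with. The two policy
strings are assumptions written for this example, not text prescribed by
any regulator.
"""
import ssl

# Floor cited in the guidance discussed above: at least 128-bit encryption.
MIN_BITS = 128

# Assumed policy strings in OpenSSL cipher-list syntax (constructed here).
# PERMISSIVE admits every suite the local OpenSSL build still ships, so
# legacy 112-bit 3DES suites appear on builds that include them.
PERMISSIVE_POLICY = "ALL:!aNULL:!eNULL"
# HARDENED admits only forward-secret AEAD suites with 128- or 256-bit keys
# and explicitly forbids 3DES, MD5 and SHA-1 MAC suites as well as
# anonymous and null-encryption suites.
HARDENED_POLICY = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!3DES:!MD5:!SHA1"
)


def ciphers_for_policy(cipher_string):
    """Expand an OpenSSL policy string into the suites it would offer.

    Returns the list of dicts from SSLContext.get_ciphers(); each carries
    'name', 'protocol' and 'strength_bits' (effective symmetric key size).
    Raises ssl.SSLError when the string selects no cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def policy_is_valid(cipher_string):
    """True if OpenSSL accepts the policy string and it selects >= 1 suite."""
    try:
        return len(ciphers_for_policy(cipher_string)) > 0
    except ssl.SSLError:
        return False


def weak_suites(cipher_string, min_bits=MIN_BITS):
    """Sorted names of admitted suites whose key strength is below min_bits."""
    return sorted(
        c["name"]
        for c in ciphers_for_policy(cipher_string)
        if c["strength_bits"] < min_bits
    )


def min_strength(cipher_string):
    """Smallest effective key strength, in bits, among the admitted suites."""
    return min(c["strength_bits"] for c in ciphers_for_policy(cipher_string))


def policy_meets_floor(cipher_string, min_bits=MIN_BITS):
    """True iff every suite the policy admits has at least min_bits."""
    return not weak_suites(cipher_string, min_bits)


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY),
                          ("hardened", HARDENED_POLICY)):
        print(f"{label}: min strength {min_strength(policy)} bits, "
              f"meets {MIN_BITS}-bit floor: {policy_meets_floor(policy)}")
        for name in weak_suites(policy):
            print(f"  below floor: {name}")
```

Run it as a script to see each policy's minimum strength and any suites below the floor. Which legacy suites PERMISSIVE_POLICY actually admits depends on how the local OpenSSL was built and configured, which is exactly why such a check belongs on the deployed host rather than being inferred from a configuration template.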

Data Transfer – Under the Data Privacy Rules 2011, a body corporate or data processor (the ‘Transferor’) may transfer sensitive data to a third party in India or outside India only if the third party ensures the same level of data protection that the Transferor adheres to under the Data Privacy Rules, and the transfer is either necessary for the performance of the lawful contract between the Transferor and the provider or made with the provider’s consent (7 Transfer of Information).

Outsourcing in the banking sector – Under the “Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks” 2006 (http://www.rbi.org.in/commonman/English/scripts/Notification.aspx?Id=40), banks do not require prior approval from the Reserve Bank of India (RBI) to outsource financial or other services if the service provider is located in India, but must notify the RBI of all the financial services they plan to outsource. Outsourcing outside India requires the RBI’s prior approval, which depends on factors including country risk, the bank’s procedures for dealing with country risk issues, and appropriate contingency and exit strategies. Outsourcing arrangements should only be entered into with parties operating in jurisdictions that generally uphold confidentiality clauses and agreements.

Business Continuity in the banking sector – Under the “Guidelines on Information security, Electronic Banking, Technology risk management and Cyber frauds” issued by the RBI, banks should consider BCP methodologies and international standards such as BS 25999 from BSI, which follow the “Plan-Do-Check-Act” principle (2.1 BCP Methodology). The BCP methodology should include Business Impact Analysis (Phase 1), Risk Assessment (Phase 2), Determining Choices and Business Continuity Strategy (Phase 3), and Developing and Implementing the BCP (Phase 4); the Guideline sets out action plans and key steps for each phase. Risk Assessment in Phase 2 should include formulating Recovery Time Objectives (RTOs) based on the Business Impact Analysis of the previous phase, and identifying the Recovery Point Objective (RPO) for data loss for each critical system together with a strategy for dealing with such data loss, which may also be periodically fine-tuned by benchmarking against industry best practices. The Guideline suggests that the DR planner(s) determine the most suitable recovery strategy for each system and the RTO/RPO metrics that fit the criticality of the business process and function within the available budget, and map these onto the underlying IT infrastructure (8. Technology Aspect of BCP). Common strategies for data protection are listed as: backups made to tape and sent off-site at regular intervals (preferably daily); backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk; replication of data to an off-site location, which removes the need to restore the data (only the systems then need to be restored or synced) and generally makes use of storage area network (SAN) technology; high-availability systems that keep both data and systems replicated off-site, enabling continuous access to systems and data; and local mirrors of systems/data and use of disk protection technology such as RAID.


1 India issued new privacy rules called the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011. Organizations are required to notify individuals when personal information is collected, make a privacy policy available, take steps to secure personal information, obtain prior permission before disclosing personal information to a third party, and transfer personal data only if necessary and only to another country that ensures the same level of data protection as provided under the Rules. Source: “Ministry of Communications and Information Technology (Department of Information Technology) Notification”, Government of India, Ministry of Communications and Information Technology, 11 April 2011 (http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf)

2 See footnote 1 above.

3 The Ministry of Information Technology (MIT) amended the IT Act 2000, adding more severe penalties for data breaches and provisions to curb misuse of the Internet, including for terrorist activities. Source: “The Information Technology (Amendment) Bill 2008”, Government of India, MIT, Department of Electronics and Information Technology, 22 December 2008 (http://164.100.24.219/BillsTexts/LSBillTexts/PassedLoksabha/96-c%20of%202006.pdf)

4 The Securities & Exchange Board of India (SEBI) introduced Clause 49 of the Listing Agreement, applicable to all listed entities having a paid-up share capital of INR 3 crores and above or a net worth of INR 25 crores or more at any time in the company’s history. It came into effect on 1 January 2006 to improve the corporate governance of all listed companies. Source: SEBI, 29 March 2005 (http://www.sebi.gov.in/press/2005/200566.html)

5 SEBI has issued amendments to Clause 49, including requiring listed companies to disclose relationships between independent directors and not allowing the position of an independent director to remain vacant for longer than 180 days. Source: “Press Release: Changes to Clause 49 of the Listing Agreement”, SEBI, 8 April 2008 (http://www.sebi.gov.in/Index.jsp?contentDisp=SubSection&sec_id=25&sub_sec_id=25)

6 The MIT has released guidance on key steps for organizations when managing personal information security breaches. Source: “Information Technology (Certifying Authorities) Rules, 2000”, Department of Electronics and Information Technology, MIT, Government of India, 17 October 2000 (http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/act2000.pdf)

7 See footnote 6 above.

8 SEBI mandates that Internet trading systems provide for the security, reliability and confidentiality of data through the use of encryption, in line with SEBI’s directives on standards for web interfaces and protocols. Source: “Master Circular for Stock Exchanges”, SEBI, 31 March 2010 (http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)

9 See footnote 1 above.

10 The Reserve Bank of India (RBI) advised banks to implement a BCP backed by a robust information risk management system, to test it thoroughly and at frequent intervals against changing scenarios and assumptions to verify its full capability, as per policy, and to subject it to annual review. A copy of the BCP approved by the Board may be forwarded to the General Manager of the RBI for perusal. Source: “Operational Risk Management - Business Continuity Planning”, RBI, 15 April 2005 (http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)

11 The RBI has released comprehensive guidelines for technology risk management, IT governance, and BCP applicable to the banking sector. Source: “Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds”, RBI, Department of Banking Supervision, Central Office, 29 April 2011 (http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)

12 See footnote 11 above.

13 The RBI notified banks to submit, starting from June 2005, 1) an annual statement at the end of each financial year describing the critical systems, their RTOs and the strategy to achieve them, and 2) a quarterly statement reporting major failures of critical systems during the period, the customer segments/services impacted by the failures and the steps taken to avoid such failures in future. Source: “Operational Risk Management - Business Continuity Planning”, RBI, 15 April 2005 (http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)