Identifying and Protecting Compliance Information Through ...IFSA Presentation Identifying and...
Transcript of Identifying and Protecting Compliance Information Through ...IFSA Presentation Identifying and...
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 1
Release Date: March 21, 2012
Identifying and Protecting
Compliance Information
Through Current
Business Continuation Practices
Produced by:
Thomas Bronack
15180 20th Avenue Phone: (718) 591-5553
Whitestone, NY 11357 Cell: (917) 673-6992
Email: [email protected]
File Name: IFSA presentation
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 2
Overview of Presentation – A Roadmap to Protection.
Safeguarding Financial and Compliance Information:
• Audit Applications to Identify Critical Information and any
Gaps or Exceptions associated with the critical files.
• Utilize Technical Risk Management Services to correct Gaps
and Exposures associated with protecting critical data:
• IT Security (both Physical and Data);
• Vital Records Management;
• Version and Release Management;
• Disaster Recovery and Business Continuity Planning; and
• Process Improvements and Re-Engineering Work Flow.
• Integrate Safeguards within normal Work Flow & Operations.
• Update Standards and Procedures Manual for Work Flow.
• Provide Documentation and Training to Personnel.
• Prepare for the Future through Monitoring and Adjustment.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 3
Auditing Accounting and Compliance Applications
Data
Programs
Accounting
Applications
Compliance
Applications
Compliance
Reports
Internet
Accounting information is submitted from locations throughout
the organization and processed by the Accounting Applications.
Output from Accounting Applications Is used to generate
Compliance Reports.
Compliance Data is CRITICAL and must be subjected to the
scrutiny of IT Security, Vital Records Management, and Business
Continuity Planning so that compliance information can be
protected from destruction and traced to its source.
Compliance
Data
Critical
Applications
and
Data that
must be
Protected and
Included in
BCP
Critical Data and
Applications for BCP
Critical Compliance Controls
needed to safeguard assets
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 4
Graham-Leach-Bliley
Safeguard Rule
HIPAA
Security Rule
Sarbanes-Oxley
404 Rules
California
SB 1386
Effective Date: May 23, 2002 April 21, 2003 June 5, 2003 July 1, 2003
Compliance
Deadline
May 23, 2003 April 21, 2005 June 15, 2004
(for public companies with market cap. of
$75 million or more)
June 15, 2005
(for other SEC reporting companies)
Covered Entities Financial Institutions as defined
in the Bank Holding Company
Act that possess, process, or
transmit private customer
information.
Organizations that possess, transmit,
or process electronic protected health
information (EPHI).
Publicly owned companies that file
periodic reports with the SEC.
Any public or private
entity that has
unencrypted
electronic personal
information of
California residents.
Purpose Protect Customer Information
from unauthorized disclosure or
use.
Protect EPHI from unauthorized
disclosure or use.
Provide senior management
assessment of effectiveness of
company’s “internal controls for
financial reporting” and attestation by
independent auditors.
Protect California
residents from
Identity Theft.
Operative
Mechanisms
Information Security
Program:
• Responsible Employee
Selection,
• Risk Assessment,
• Information Safeguards and
Controls,
• Oversight of “Service
Providers”,
• Testing and Monitoring.
Security Safeguards:
• Risk Assessment,
• Policies and Procedures to control
access,
• Physical Security Measures,
• Contingency Plan,
• Appointment of Security Officer,
• Training and communication to
increase awareness,
• Audits and maintenance of Audit
Trails,
• Agreements with “busines
associates”,
• Testing and Evaluation.
Internal Control Framework:
• (Coso Framework or
Equivalent)
• Control environments –
Compliance and Ethics,
• Risk Assessment and
Analysis,
• Control Activities – policies,
procedures, controls,
• Information and
Communications,
• Monitoring or operations and
control activities to determine
continuing effectiveness of
internal controls.
Criminal
Consequences of
Noncompliance
Fines and Imprisonment for up
to 5 years.
Fines to $250,000 and imprisonment
for up to 10 years.
Fines up to $5 million and prison
sentences for up to 20 years for
deliberate violations.
Civil liability to any
injured California
resident.
Existing Laws and their Consequences
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 5
Application and Program Profile
Local
Vault
Remote
Vault
JOB 1
JOB n
Application
-
-
-
-
De-allocate
Allocate
Data I/O
Display
Backup
Archive
Report
Batch On-Line Data
Base
Applications de-allocate / allocate files for input / work / output operations. Then they process data for
display and report generation. Finally backup and archive operations are performed to protect
critical data and report on their status.
Program
Control
Area
Data
Areas
Critical data can be in Batch, On-Line, or Data Base Files.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 6
Application Interconnections and Data Usage
Job 1
Job n
-
-
-
Application
Feed Files
Job 1
Job n
-
-
-
Passed File
Job 1
Job n
-
-
-
Wrap
Around
File
Job 1
Job n
-
-
- New Master
Old Master Log File
Shadow File to
Alternate Site
Combines
Old Master
with Log
File to create
New Master
Daily transactions
to be merged with
Master file(s)
“Prioritizing applications as to their criticality, is based upon business needs and feed files used to initiate the application in question. Because of this, the synchronization of Back-up and Restoration must be planned and implemented to satisfy application needs in the order of their critical importance and processing sequence.”
The various methods for introducing data to an application, and maintaining it going forward, are
shown below.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 7
Batch
Job
On-Line
Job
LOG
Local
Vault
Remote
Vault
Off-Site
Vault
Tape
Tape
BKUP
Tape
BKUP
Tape
Forward
Recovery
Local
Recovery
Local
Back-Up
Disaster
Recovery
Disaster
Recovery
Facility
Vital Records Management Techniques
DASD
DASD
BACKUP
LOCAL RECOVERY
REMOTE
RECOVERY
DASD
Real-Time Vaulting
Incremental Vaulting
A / B Log Files
Updated DASD Control Systems duplicate tape backup / recovery with DASD
devices in a Controlled NAS and SAN environment for more rapid response and
better data Protection, but the concept remains the same.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 8
Why you need a Recovery Plan
* Justifying the Need for a Recovery Plan. - Enterprise-Wide Commitment
- Disaster and Business Recovery
Planning implementation.
- Risk Management implementation.
* Laws and Regulators.
- Controller of the Currency (OCC). - OCC-177 Contingency Recovery Plan.
- OCC-187 Identifying Financial Records.
- OCC-229 Access Controls.
- OCC-226 End-User computing.
- Sarbanes-Oxley, Gramm-Leach-Bliley,
- HIPAA, The Patriot Act, EPA Superfund, etc.
* Penalties. - Three Times the Cost of the Outage, or more,
- Jail Time is possible and becoming more probable.
* Insurance. - Business Interruption Insurance.
- Directors and Managers Insurance.
“Define all Regulatory, Legal, Financial, and Industry rules and regulations that must be complied with, and assign the duty of insuring that these exposures are not violated to the Risk Manager”.
“Have the Legal and Auditing Departments define the extent of Risk and Liabilities, in terms of potential and real Civil and Criminal damages that may be incurred.”.
“Once you have defined your exposures, construct an insurance portfolio that protects the business from sudden damages that could result from a disaster event.”
“For Contingency Planning to be successful, a company-wide commitment, at all levels of personnel, must be established and funded. Its purpose is to protect the company, its business, its shareholders, and its employees.”
Rapid increase in Regulations after 9-11-01
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 9
Contingency Planning
Contingency Recovery Disciplines
Contingency Planning
Disaster Recovery Business Recovery
Risk Management
Charter:1. Eliminate Business Interruptions.
2. Ensure Continuity of Business.
3. Minimize Financial Impact.
4. Adhere to Legal / Regulatory
Requirements.
EDP Protection: Corporate Asset Protection:
Management Controls:
1. Critical Jobs.
2. Data Sensitivity and
Access Controls.
3. Vital Records Management.
4. Mainframe / Mid-Range
disaster recovery.
1. Inventory Control.
2. Asset Management.
3. Configuration Management.
4. Business Continuity.
5. Office Recovery.
1. Exposures.
2. Insurance.
3. Legal / Regulatory Requirements.
4. Cost Justifications.
5. Vendor Agreements.
“These four Contingency Planning
Disciplines allow for logical work
separation and better controls.”
“Contingency Planning affects every part of
the organization and is separated into logical
work areas along lines of responsibility.”
Contingency Recovery Interfaces
Contingency
Recovery
Planning
Executive Management
Data
Processing
Company
Operations
Auditing Public
Relations
Facilities
Personnel
General
Services
“Establishing interfaces with key departments will
Allow for the inclusion of corporate-wide recovery
procedures (Security, Salvage, and Restoration, etc.)
in department specific Recovery Plans.”
Finance
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 10
COSO Risk Assessment Committee Of Sponsoring Organizations (COSO) was formed to develop
Risk Management and Mitigation Guidelines throughout the industry.
Designed to protect Stakeholders from uncertainty and associated risk that could erode value.
A Risk Assessment in accordance with the COSO Enterprise Risk Management Framework, consists of (see www.erm.coso.org for details):
• Internal Environment Review,
• Objective Setting (Recovery Point Objective, Recovery Time Objective),
• Event Identification (Range of Disaster Event types),
• Risk Assessment,
• Risk Response,
• Control Activities,
• Information and Communication,
• Monitoring and Reporting.
Creation of Organizational Structure, Personnel Job Descriptions and Functional Responsibilities, Workflows, Personnel Evaluation and Career Path Definition, Human Resource Management.
Implementation of Standards and Procedures guidelines associated with Risk Assessment to guaranty compliance to laws and regulations.
Employee awareness training, support, and maintenance going forward.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 11
Information Technology Risk Assessment (ITRA) Final Report Layout
and Baseline Controls Matrices
ITRA Deliverable Format:
Cover Page
Table of Contents
Executive Summary
Introduction
Background
Summary of Findings
Recommendations
Conclusions
Supporting Charts Appendix I
Overview Appendix II
IT Audit Schedule Appendix III
Definition of Risk Matrix Terms Appendix IV
Baseline Control Matrices Appendix V
Detailed Findings Appendix VI
Detailed Work Program Appendix VII
Technology Acronyms Appendix VIII
Areas Covered within IT Risk Assessment
1. Organization and Management Policies.
2. Segregation of Duties.
3. Logical Access Controls.
4. Physical Access Controls.
5. Systems Development Life Cycle (SDLC)
and Change Management Controls.
6. Incident Response (Problem Management,
Help Desk, Problem Escalation, Crisis
Management, etc.).
7. Business Continuity.
8. Data Center Computer Operations.
9. Network Communications.
10. Operating Systems Software.
11. Database Systems.
12. Application Systems.
13. End-User Computing.
(289 IT Risk Analysis Audit Controls are reviewed within the 13 areas listed below)
13 Areas broken down into 8 Baseline Controls
Circled areas are condensed
into one of the eight
Baseline Control Matrices
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 12
Detailed Findings document
Finding: Implication: Priority: Recommendation:
Critical Financial Files are not
protected. Security Flaw High Implement IT
Security over files
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 13
• Adhere to Compliance Requirements (Business and Industry) by implementing Business Continuity Planning disciplines;
• Implement Data Protection Techniques like Data Sensitivity, IT Security and Vital Records Management;
• Document SDLC, including: Development, Testing, Quality Assurance, Production Acceptance, Version Management, and Production Operations; • Utilize Automated Tools;
• Eliminate “Single-Point-Of-Failure” concerns;
• Integrate Asset / Inventory / Configuration Management practices;
• Create Problem and Crisis Management practices and procedures;
• Optimize Work-Flow through Re-Engineering and Automation;
• Provide Documentation, Training, and Awareness programs.
Strategies for Eliminating Audit Exceptions ($$)
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 14
1. Project Initiation and Management.
2. Risk Evaluation and Control.
3. Business Impact Analysis (BIA).
4. Developing Business Continuity Strategies.
5. Emergency Response and Operations.
6. Designing and Implementing Business Continuity Plans.
7. Awareness and Training Programs.
8. Maintaining and Exercising Business Continuity Plans.
9. Public Relations and Crisis Communications.
10. Coordinating with Public Authorities.
The “Ten Step” Process Recommended by the Business Continuity Institute for BCP (see: www.thebci.org)
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 15
Contingency Planning Strategy (FEMA) EMERGENCY MANAGEMENT PREPAREDNESS – PROJECT PLAN
THE PLANNING PROCESS: HAZARD SPECIFIC INFORMATION:
1. Establish a Planning Team. 1. Fire.
2. Analyze Capabilities and Hazards. 2. Hazardous Materials Incidents.
3. Develop the Plan. 3. Floods and Flash Floods.
4. Implement the Plan. 4. Tornadoes.
EMERGENCY MANAGEMENT CONSIDERATIONS: 5. Severe Winter Storms.
1. Direction and Control. 6. Earthquakes.
2. Communications. 7. Technology Emergencies.
3. Life Safety APPENDICES:
4. Property Protection. 1. Vulnerability Analysis Chart.
5. Community Outreach. 2. Training Drills and Exercises Chart.
6. Recovery and Restoration. 3. Information Sources (where to turn
7. Administration and Logistics. For additional information).
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 16
Business Impact
Analysis (BIA)
Business Site
or Function
Recovery
Plan Recovery
Plan Recovery
Plan Recovery
Plan
Help Desk
Network
Control
Center
(NCC)
Operations
Control
Center
(OCC)
Contingency Command Center
(CCC)
Users
Covering
various
Conditions
and Scenarios
related to
range of
problems.
Library of
Recovery Plans
Library of
Problem Types
Many Sites
And
Functions
One Per Site
or
Function
Conditions
and problems
are sensed
and reported
to Help Desk.
Problems Receives Problems
and escalates
as needed.
Receives Critical
Problems,
Activates Plans,
and Manages
Recovery. Match Problem to Recovery
Recovery Plans direct personnel to restore business operations in response to encountered problems.
The Help Desk escalates critical problems, initiates recovery plans, and manages recovery activities.
Overview of Business Continuity Planning and BIA’s
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 17
Facilities Forms Software Supplies
Disaster Recovery
Database
Personnel Vital Records
Recovery Tasks
Disaster Recovery
Templates
Data Source
Forms & Descriptions
Plan Preface
Methods & Phases
Project Checklist
Disaster Recovery Forms
Disaster
Recovery
Plans
Mail-Merge
Product
Disaster
Recovery
Plans
Word Templates
Mail Merge
Form Screen
and Merge
Data
Extract, Merge,
Tailor, and
Report
Disaster Recovery Plan Data Sources and Output Generation
Equipment
Vendors
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 18
IT Security Management
1. IT Security Organizational Structure and assigned Personnel Positions.
2. IT Security Personnel and their Functional Responsibilities:
a. Data Owner definition.
b. Data Sensitivity.
c. Data Usage guidelines.
d. Data Access Controls.
e. Violation Capturing.
f. Violation Reporting.
g. Required Forms.
h. Procedures for completing forms.
i. Forms submission and processing.
3. Existing Documentation and Training.
4. Standards and Procedures manual sections.
<NOTE>: The IT Security Management discipline will be included as needed in the SMC processes
documented within the S&P Manual.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 19
Vital Records Management
1. Define Vital Records Management Organizational Structure.
2. Define Vital Records Management personnel and their functional
responsibilities.
3. Vital Records Management Standards: a. Vital Records definition;
b. Library Management and Naming Conventions for Vital Records,
c. Backup requirements;
d. Vaulting requirements; and,
e. Recovery requirements.
3. Vital Records Management procedures: a. Identification;
b. Classification;
c. Back-up procedures;
d. Local Vaulting;
e. Remote Vaulting, Retention, and Archiving;
f. Restoration, Re-Use, and/or Destruction procedures;
g. Interface with Tape Management System; and
- Vault Management,
- Encryption.
4. Vital Records Management Standards and Procedures Manual sections,
including process descriptions.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 20
Customer Site Remote Vault Vital Records Transport
Critical
File
Remote
Tape Vault
Local Vault
Tapes Transported
To/From Customer Site
Vaulting Backup Tape Life Cycle
Encryption?
Backup
Tape Return Cycle
Backup
Tape
Vaulting Cycle
Transport To / From by Truck
1
2 3
4
5
6
7
8
Local,
NAS, or SAN
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 21
Systems Development Life Cycle, INITIATING a development request
End User
Request
for new
program
BKUP
Development Testing
Unit &
System
Testing.
Quality
Assurance
Usage,
Naming,
Placement.
Security,
Vital Records,
Back-Up,
Recovery,
Audit.
Production Acceptance
BKUP
Change
Management Maintenance
Security, Vital Records,
Back-Up, Recovery, Audit.
BKUP
Off-Site
Vault
Disaster
Recovery
Facility
Business
Recovery
Facility
Real-Time Periodic
Version
and
Release
Control
Enhance
and
Repair
End-User
Location
New
Recovery
Update
Production
Vendor Vendor
On-Line
data files
On-Line
data files
On-Line
data files
End User defines:
• Business Purpose,
• Business Data,
• Ownership,
• Sensitivity,
• Criticality,
• Usage,
• Restrictions,
• Back-Up,
• Restoration,
• Business Continuity,
• Disaster Recovery.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 22
New Application Development Request Form Life Cycle
Date:
User Information ________
Business Justification ________
Technical Justification ________
Build or Buy? ________
Development (Build/Modify) ________
Test (Unit, System, Regression) ________
Quality Assurance ________
Production Acceptance ________
Production ________
Support (Problem / Change) ________
Maintenance (Fix, Enhance) ________
Documentation ________
Recovery ________
Documentation
Recovery
Procedures
• Application Overview
• Application Setup
• Input / Process / Output
• Messages and Codes
Documentation
Documentation
• Business Need
• Application Overview
• Audience
• Business / Technical Review
• Cost Justification
• Build or Buy decision
• Request Approval
• Sensitive Data
• IT Security
• Vital Records Management
• Tape Vaulting / Encryption
• Disaster Recovery
• Business Recovery
Dates are used to show application development status and as links to documentation
Documentation
• Support Programmer
• End User Coordinator
• Vendor Contacts
• Recovery Supervisor
Link to
Documentation
Development Request Form
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 23
Quality Assurance and SDLC Checkpoints
Schedule
Request
Interfaces Between Applications, QA, and Production Groups.
Create
Service
Request
Perform
Technical
Assessment
Perform
Business
Assessment
Perform
Requested
Work
Application
Group
Testing
Return
to
Submitter
Create QA
Turnover
Package
Submit to
Production
Acceptance
Successful
Successful
No Yes
No
Create
Production
Acceptance
Turnover
Package
QA Review
And
Accept
Yes
Error Loop
Error
Loop
APPLICATIONS GROUP
QA GROUP
TESTING and QA
Turnover Package Components:_________
• Service Form and results from
Assessments,
• Change & Release Notes,
• Application Group Testing Results,
• Test Scenarios & Scripts,
• Messages & Codes, and Recoveries,
• Data for Regression and Normal Testing,
• Documentation.
PRODUCTION Acceptance
Turnover Package Components:
• Explanation and Narrative,
• Files to be released,
• Predecessor Scheduling,
• Special Instructions,
• Risk Analysis,
• Authorizations.
Perform
Requested
Work
QA
Review
Meeting
Perform
Post-
Mortem
CP #
1
CP #
2 CP #
3 Perform
User
Acceptance
Testing
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 24
Utilizing Automated Tools
Whenever possible, automated tools should be utilized to:
• Gather inventory information;
• Gather Business Impact Analysis (BIA) information;
• Merge BIA information into Business Continuity Plans.
• Scan paper documents through Optical Character Recognition (OCR) readers.
• Utilize Job Scheduler Information on job sequence and resource requirements.
• Utilize Job Scanners to validate sequence and resources.
• Utilize automated job turnover products like Endevor and PVCS to enforce
standards, naming conventions, and placement requirements.
• Utilize communications analyzers like Netview to capture problems, initiate
recoveries and circumventions, and to report problems to the help desk.
• Utilize Problem Management Systems and integrate them within the Help
Desk environment.
• Assist Application Development and Maintenance.
• Supplement Systems Management Disciplines (Problem, Change, Capacity,
Performance, etc.)
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 25
Eliminating Single-Point-Of-Failure
Memory
Central
Processing
Unit
Channel
Local
Control
Unit
Transmission
Control
Unit
Communications
Lines
Local
Devices
Transmission
Control
Unit
Mainframe Computer
Remote
Devices
Remote
Devices
Internet
Local Environment
Remote
Environment
Locate any single-point-of-failure within
the Information Technology environment
and evaluate its impact should the
component fail. If impact is High, then
a secondary path or device should be
added to the configuration and recovery
procedures created (automated procedures
if possible).
Can also include Vendors, Inputs, and
other physical and logical requirements
needed to run the business.
Primary Path
Secondary Path
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 26
Identifying and Controlling Assets and Equipment
Asset Management (Financial and Legal)
• Acquisition (Interface with Finance for costs and Legal for Vendor Agreement).
• Re-Deployment (Interface with Facilities Management for install and removal).
• Termination (Surplus Equipment Disposal).
• Financials (Total Cost of Ownership).
Inventory Management (Asset Location and Criticality)
• Resource Identification (Vendor Make and Model Information).
• Usage contract conditions.
• Location.
Configuration Management (System and User)
• Component and Release Management.
• Systems Generation.
• Deployment, Installation, and Removal.
• Support (Problem and Crisis Management).
• Maintenance (Change Management)
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 27
How disasters occur, and avoiding them....
Environment
Disaster
Problem
Standards
and Procedures
Business Continuity Disaster Avoidance Disciplines
Equipment
Locations
Software
DATA
Single Point
of Failure
System,
Sub-System,
Application,
Utility.
Vital Records Management
Vaulting,
Recovery,
Access Controls.
Facilities Management,
Business Recovery.
Regulations
and Legal
Requirements
Auditor Corporate, IT, and
Independent
People Functions Performed,
Job Descriptions,
S & P Manual,
Training.
Vendors Products & Services,
Recovery Site,
Off-Site Vault.
Defined as an unscheduled business interruption
that impacts critical functions and / or services.
Problems are defined as deviations from standards,
causing a missed business delivery. Problems cause
disasters when they affect critical business services
To safeguard against Disasters, make sure
that Standards and Procedures include data entry
and workflow validated for critical resources.
“Since disasters are no more than problems affecting critical components, it stands to reason that the elimination of standards violations will reduce problems and avoid the likelihood of disasters.” This is the reason why we believe you should Develop and Implement strict Standards and Procedures to guide personnel through their Job functions and assure compliance.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 28
User
Guides
S&P
Manual
Inventory &
Configuration
Support and Recovery Techniques
Problem
Symptoms
Analyze
Circumvent
Document
Log Problem
Route /
Escalate
Track
Resolve
Post
Mortem
Upgrade
Supportive
Documentation
1 System Software
2 Comm. Systems
3 Corp. Security
4 DB Systems
5 DASD
6 Cap. & Performance
7 Decision Support
8 Optical Storage
9 CICS
10 Systems Mgmnt.
and Controls
Problem Resolvers
Problem Feed-Back, Rerouting and Escalation
Problem Bypass Procedures
Problem Indicators
Console
Log
Unexpected
Results
Completion
Code Messages
and Codes
Job
Runbook
Problem Descriptions
Meaning Actions to
be Taken
Possible
Causes
Reference Materials
Restart
Procedures
Recovery
Procedures
Problem
Record
Contacts
Escalation
Resolvers
Problem History
Review Problem Reporting
and Resolution Procedures
Imm
edia
te
a
ctio
ns
Omegamon
Netview
AF / Operator
OPC / ESA
Diagnostic Tools F
ollo
w-o
n A
cti
on
s
Users
NCC
OCC
HD
Problem
Repository
Job
Runbooks
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 29
Network
Control
Center
(NCC)
Production
Support
Staff
Applications
Support
Staff
Systems
Support
Staff
Help
Desk
Staff
Problem Analyze Document Capture
Symptoms Circumvent Report
Log,
Route,
Escalate,
Track
Resolve
Comm.
Support
Staff
Tools:
Omegamon,
Netview.
Recovery Techniques and Personnel Involvement
Operations
Control
Center
(OCC)
Tools:
Omegamon,
AF / Operator.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 30
Network Control
Center (NCC)
Operations Control
Center (OCC)
Command Center
SYS 1 - 972
LP1 LP2 LP3
VM CPUX CPUH
SYS 4 - 972
LP1 LP2 LP3
CPUF CPUZ BKUP
3745
TCU 3745
TCU 3745
TCU
LAN
LAN
LAN
LAN
Communications Environment
Applications Environment
“Providing a centralized control point for application
and communications support, the Command Center
can recognize problems and activate appropriate
recovery teams in response to crisis situations.”
Contingency
Recovery
Coordinator
Situation
Manager
Recovery
Team
Recovery
Team
Recovery
Team
Problem to
Recovery
Matrix
Problem
Recovery
Activate
Problem
Log
Compare
Problem Help
Desk
Status
Route
Transmission
Control
Unit
Local
Area
Network
LP - LPAR, or
Logical Partition
Command Center
Interactions
Users
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 31
Contingency Recovery Coordinator Responds to problems classified as “Potential Crisis Situations” by:
• Logging the problem within the Problem Log;
• Comparing the problem to the Recovery Matrix;
• Selecting the appropriate Recovery Plan;
• Activating the Recovery Team identified within the
Recovery Plan; and,
• Monitoring recovery operations and reporting on their
status to Management.
Situation Manager Reporting to the Contingency Recovery Coordinator and responsible for monitoring Recovery Team operations
and providing assistance through any mechanism at their disposal. When situations become overly complex and a potential
crisis can occur, the Situation Manager will take appropriate escalation actions needed to concentrate more resources on the
resolution of the problem.
Recovery Teams
Designed to pull expertise together so that specific talents can address problems that require recovery operations, before
normal processing can be resumed. Each Recovery Team consists of a Team Manager and Team Members. The organization
of a Recovery Team is supplied to the Situation Manager and Contingency Recovery Coordinator. This organizational
description includes functional responsibilities and alternate personnel for each of the recovery positions. Recovery Teams may
require recovery tools to be utilized as an aid in performing recovery operations.
Command Center
Contingency
Recovery
Coordinator
Situation
Manager
Recovery
Team
Recovery
Team
Recovery
Team
Problem to
Recovery
Matrix
Recovery
Activate
Problem
Log
Compare
Help
Desk
Status
Route
OCCNCC
Contingency Recovery Operations
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 32
Development Testing
Maintenance
Quality
Assurance
Production
Acceptance
Production
Disaster
Recovery
Vital
Records
Off-Site
Vault
Disaster Recovery Facility
Mainframe and Office Recovery
Change Management
Service Level Management,
Project Life Cycle,
Walk Thru’s,
Unit Testing,
System Testing,
Scenarios,
Scripts,
Recovery Tests,
Regression,
Benchmarks,
Post Mortem.
Test Validation,
Components,
Naming,
Placement,
Functionality,
Process.
Batch,
On-Line,
IT Security,
Operations,
Recovery,
IT Audit.
Project Life Cycle,
Component & Release Management,
Standards & Procedures,
User Guides & Vendor Manuals,
Training (CBT & Classroom), etc...
Service Level Reporting, Capacity Management, Performance Management, Problem Management,
Inventory Management, Configuration Management.
Service Level Management,
Project Life Cycle,
Batch and On-Line
Management
A Forms Management & Control System, used to originate
work requests and track work until completed, will facilitate
optimum staff productivity and efficiency.
Systems Management Controls and Workflow
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 33
Standards and Procedures Manual - Structure
i. Table of Contents
ii. Benefits from S&P Manual.
iii, Company Overview.
iv. Division and Department Overview.
v. Compliance Requirements.
vi. Company Organization.
vii. Department Organization.
viii. Job Functions and Descriptions.
ix. Forms Library.
x. Workflow Analysis.
xi. Tools Analysis.
xii. Available Training.
1. Service Level Management
2. Inventory Management
3. Configuration Management
4. Capacity Management
5. Performance Management
6. Application Development
7. Application Maintenance.
8. Application Testing.
9. Quality Assurance.
10. Production Acceptance
11. Production Operations
12. Recovery Management
13. IT Security Management
14. Vital Records Management
15. Change Management
16. Problem Management:
a. Operations Control Center,
b. Network Control Center,
c. Help Desk,
d. Crisis Management,
e. Activating Contingencies,
f. Contingency Command Center.
17. Data Processing Environment.
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 34
• Risk Assessment to identify Continuity of Business (COB) exposures and
gaps relating to newly adopted Business Recovery requirements.
• Business Impact Analysis requirements definition and risk analysis studies,
• Data Sensitivity studies and evaluations,
• IT Security (Physical and Data) studies and evaluations,
• Vital Records (Vaulting Services) and/or Library Management,
• Business Recovery Documentation evaluation and needs definition,
• Business Recovery Plan (Development, and/or Implementation),
• Disaster Recovery Vendor(s) (Evaluation through Selection),
• Business Recovery Training (Documentation, On-Line, and Class Room),
• Permanent Personnel Recruitment and Placement Services,
• Consulting, Outsourcing, and Temporary Personnel Services.
Business Recovery Services
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 35
Overall Project Phases (part 1 of 2)
Start
Risk
Assessment
IT
Security
SDLC
Systems
Management
CEO, CFO
Design Reports
(Section 302)
Review and
Approve
Reports
Operational
Risk
Manager (ORM)
Technical
Risk
Manager (TRM)
Data
Sensitivity
Study
Access
Controls
(Userid / Pswd)
Version &
Release
Management
Backup
&
Recovery
Development
And
Maintenance
Testing and
Quality
Assurance
Production
Acceptance
Production
Operations
SLA / SLR Asset
Management
Configuration
Management
Inventory
Management
Vital
Records
Management
A
Change
Management
Problem
Management
Performance
Management
Capacity
Management
I
II
III
IV
Sarbanes Oxley IT Audit
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 36
Overall Project Phases (part 2 0f 2)
A
Recovery
Standards &
Procedures
Business
Continuity
Management
Disaster
Recovery
Planning
Risk
Management
Contingency
Planning
Standards
Definition
Procedures
Creation Documentation
Forms
Management
& Control
On-going
Support
Training
Section
404
Compliance
Section
409
Compliance
End
V
VI
VII
Sarbanes Oxley IT Audit