ROR- Disaster Recovery- NAFCU 20120208
Disaster Recovery
Presented By:
Robert Rutkowski, Esq.
Today’s Discussion
• Legal necessity of disaster recovery plans
• AIRES Disaster Preparedness and Response Plan
• Compliance reports
• Catastrophic act reports
• Records preservation
• Different types of disasters
• Disasters In-Depth: Computers and Electronic Disasters
• NCUA rules on security programs
2 | Disaster Recovery WELTMAN, WEINBERG & REIS CO., LPA
Legal Necessity of Disaster Recovery Plans
Legal Reasons to Have a Plan
• Not having one could be:
– Breach of fiduciary duty of care
– Corporate negligence
– Breach of due diligence
• NCUA put forth regulations requiring CUs to have a plan in place
Examples
• In re The T.J. Hooper
• Diversified Graphics, Ltd. v. Groves
• Bank of Louisiana v. Sungard Recovery Services, Inc.
Complying with OSHA
• Generally provide safe, clean and healthy work environment not likely to cause death or serious injury
Complying with OSHA: Emergency Action Plan
• Have a written plan
• Procedures for reporting a fire or other emergency
• Procedures for emergency evacuation complete with exit routes
• Procedures for employees who remain to execute critical plan operations before evacuation
• Procedures to account for all employees after disaster/evacuation
• Rescue or medical duty procedures
• Contact info for key staff having more information regarding plan
Complying with OSHA: Fire Prevention Plan
• List all major fire hazards
• Procedures for storing heat generating equipment
• Storage of hazardous materials
• Fuel source hazards
• Names of staff responsible for maintaining safeguards for fuel
Complying with OSHA: Exit Routes
• Must be at least two routes leading directly outside to a street or to a place having such access
• Walls must have a one hour fire rating
• If building is four or more stories, walls must have a two hour fire rating
Complying with OSHA
• OSHA also requires procedures for more specific potential hazards
Family and Medical Leave Act
• May allow for leave for serious injuries sustained during disaster
• Employee must have worked at least 12 months for the CU and is allowed 12 weeks leave for every 12 months worked
• Injury must qualify as a “serious medical condition”
– Broad definition
• Things that will probably NOT qualify for this type of leave:
– Cleaning up one’s house
– Rebuilding after a flood/disaster
– Dealing with consequences of someone’s death
Insurance Coverage
• Review policies for coverage and exclusions
• All-risk building property damage policy
– Insures against most types of loss to property and business
– Does not cover loss from flood, earthquake, war, vermin, etc.
• Riders/separate policies can be purchased for these disasters
Insurance Coverage: Available Options and Riders
• Business interruption insurance
– Provides for loss of income caused by interruption of an ongoing business as a result of a disaster or other included risk under the policy
• Extra expense insurance
– Protects against increased costs in finding and maintaining an alternate place of doing business during the period of repair, or in locating and setting up new quarters if damaged premises cannot be re-let
• Valuable papers insurance
– Provides replacement for loss, damage or destruction of vital papers
• Accounts receivable insurance
– Provides protection for loss due to inability to collect accounts receivable because records have been lost, destroyed or damaged
• Earthquake coverage
• Flood coverage
• Electronic data processing (EDP) equipment coverage
– Protects against both physical loss of an EDP system, tapes, peripheral equipment, etc., and the extra expense of duplicating data
• Miscellaneous
– Additional riders and endorsements are available to provide protection for other items
Reasonable Man Standard
• CU management is held to the standard of a reasonable man: what would a reasonable, rational, prudent person in a similar position do?
Corpus Juris Secundum, Vol. 19, Section 491
• Directors and officers owe a duty to the corporation to be vigilant and to exercise ordinary or reasonable care and diligence and the utmost good faith and fidelity to conserve corporate property and if loss or depletion of assets results from their willful or negligent failure to perform their duties, or a willful or fraudulent abuse of trust, they are liable provided the losses were natural and necessary consequences of omission on their part
World Trade Center: Credit Union Example
Hurricane Katrina: Credit Union Example
AIRES Disaster Preparedness & Response Plan
Planning: Ensuring Financial Services to Members
• Is a written Disaster Preparedness & Response Plan (DPR) in place?
• Does plan address periodic testing?
• Are updates to plan and testing efforts documented in Board minutes?
• Does plan identify specific threats to delivering vital financial services to members?
• Does plan identify critical systems and their role in providing members with vital financial services?
• Does plan ensure a timeline for restoring critical systems?
• Does plan include multiple forms of communication?
• Does plan establish various methods for disseminating information to members?
• Does plan address communication between key staff, corporate CUs, vendors, league affiliates, local media, and status reports to NCUA/state regulator?
• Does plan include evacuation and/or “shelter-in-place” guidance?
• Does plan include pre-event preparations?
– Will back-ups of data be performed and accessible from a safe location?
– Are members informed on how to contact CU after disaster occurs?
Resources: Allocation of Equipment, Facilities and Supplies
• Has CU determined its equipment, facility and supply needs in the event of a disaster?
• Is a list of critical systems, including emergency vendor/supplier contact information, maintained at CU and alternate locations?
• Are appropriate contingencies developed in the event back-up or alternate systems fail?
• Is there a designated alternate worksite(s) which is a reasonable distance from the CU based on potential disasters identified in DPR?
• Is a secondary alternate worksite location designated?
• Has CU designated one or more off-site storage facilities for back-up information within a safe, but reasonable, distance from CU?
• Has CU established a reliable means for disbursement of cash and/or checks in event of disaster?
• Does CU maintain sufficient insurance and is basic policy information included in plan?
Evaluation: Testing of Contingencies for All Critical Systems
• Is plan tested periodically? What was the date of the last test?
• Are agreements with shared service branches evaluated for ability to handle increased transactions in case of disaster?
• Are disaster support agreements with system vendor(s) evaluated at least annually?
• Are disaster support agreements for buildings and facilities reviewed annually?
• Are temporary locations periodically tested for readiness?
• Are alternate communication means tested by key CU staff members?
• Has CU tested ability to communicate with local media?
• Are test results integrated into plan?
People: Maintaining Readiness of Staff and Officials
• Does plan include listing of key people and their responsibilities?
• Does plan clearly identify individual authorized to initiate/terminate the plan and their alternate?
• Has CU considered special skills and capabilities of staff members to aid in various types of disasters?
• Does plan provide for each individual’s specific responsibilities and secondary duties?
• Does plan designate a Disaster Recovery Team?
• Does plan identify a site for team to assemble after disaster?
• Are all CU personnel provided with initial and periodic training as it relates to plan?
• Is emergency contact information current on 5300 Call Report?
Alliances: Establishing Relationships With Other Organizations
• Does plan identify essential alliances?
• Are communication plans in place for alliances?
• Has CU considered whether geographic separation with its alliances is important?
• Are alliances able to support emergency needs?
• Are alliances part of testing?
Review: Updating Internal Plans for Effectiveness
• Is plan periodically reviewed by officials and updated?
• Are post-incident response reviews performed after CU is affected by disaster or service disruption?
• Are deficiencies found by CU during testing and/or causes for service disruption corrected in plan?
Experience: Incorporate Lessons Learned From Others
• Are lessons learned from others evaluated and incorporated into CU’s preparedness efforts?
• Has management reviewed the plans of its major vendors and utilized the best practices?
NCUA Profile Form 4501A
• Changes to the NCUA Form 4501A – Credit Union Profile, effective Dec 31, 2011
– Regulatory Information
• Added the question for CUs with 100 employees, or 50 or more employees with a Federal contract of at least $50,000: What is the last date you filed an EEO-1 Survey with the Equal Employment Opportunity Commission?
• Added a question concerning whether the CU has a diversity policy or program
– CU Programs and Member Services
• Added a question about the CU’s current minority membership
• Added a question about the CU’s potential minority membership
Compliance Reports
Compliance Report
• Requires each federally insured CU to file annual statement certifying compliance with Part 748
– File with regional director
– Federally insured state-chartered CU can send statement to regional director via state supervisory authority
• Have President or other managing officer sign and date
Catastrophic Act Reports
Catastrophic Act Report
• Each federally-insured CU must notify regional director within five (5) business days of any catastrophic act
• Catastrophic act includes any disaster, natural or otherwise, that results in some physical destruction or damage to CU, or causing an interruption in vital member services projected to last greater than two (2) consecutive business days
• Record of disaster must be prepared and filed at main office within reasonable time after catastrophic act occurs
• Record should include:
– Office where catastrophic act occurred
– When it took place
– Amount of any loss
– Whether any operational or mechanical deficiencies contributed or might have contributed
– What has been done or is planned to correct deficiencies
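The two reporting triggers and the five-business-day notification window, as an added Python example that is not part of the presentation and not NCUA’s own material. It assumes business days are Monday through Friday (federal holidays are not modelled), that an interruption is counted in whole business days from its start through its projected end inclusive, and that the weekend edge case is the one worth checking; function names and the February 2012 sample dates are constructed.

```python
from datetime import date, timedelta


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_business_day(day):
    """Monday-Friday only; a production calendar would also drop federal holidays (assumption)."""
    return day.weekday() < 5


def business_days_spanned(start, end):
    """Number of business days in the inclusive range start..end."""
    start, end = _as_date(start), _as_date(end)
    if end < start:
        raise ValueError("end precedes start")
    count, day = 0, start
    while day <= end:
        if is_business_day(day):
            count += 1
        day += timedelta(days=1)
    return count


def add_business_days(start, n):
    """The date n business days after start (start itself is day zero)."""
    day = _as_date(start)
    while n > 0:
        day += timedelta(days=1)
        if is_business_day(day):
            n -= 1
    return day


def is_catastrophic_act(physical_damage, outage_start=None, projected_outage_end=None):
    """Apply the slide's two triggers: physical destruction or damage to the CU,
    or an interruption of vital member services projected to last more than
    two consecutive business days."""
    if physical_damage:
        return True
    if outage_start is None or projected_outage_end is None:
        return False
    return business_days_spanned(outage_start, projected_outage_end) > 2


def notification_deadline(event_date):
    """Last day to notify the regional director: five business days after the act."""
    return add_business_days(event_date, 5)


if __name__ == "__main__":
    # Constructed scenario: core system down from Friday 10 Feb 2012, no
    # physical damage to the building. Fri+Mon is two business days (not
    # reportable); Fri through Tue is three (reportable).
    event = date(2012, 2, 10)
    print(is_catastrophic_act(False, event, date(2012, 2, 13)))
    print(is_catastrophic_act(False, event, date(2012, 2, 14)))
    print(notification_deadline(event))
```

Because the rule counts business days, an outage that starts on a Friday afternoon and is fixed on Monday spans only two business days and does not trigger the report on its own, while the same outage with physical damage to the office always does; the deadline helper is the same arithmetic applied to the notification window.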
Records Preservation
749.0: What is Covered In this Part?
• Requires all federally-insured CUs to maintain a record preservation program
• Serves to identify, store and reconstruct vital records in the event of destruction
• Flexibility in the format that CU can use for maintaining writings, records or other information
749.1: What Are Vital Records?
• As of the most recent month-end:
– List of share, deposit, and loan balances for each member’s account which:
• Shows balance individually identified by a name or number
• Lists multiple loans of one account separately
• Contains information sufficient to enable CU to locate each member, such as address and phone number
– Financial report, which lists all of the CU’s asset and liability accounts and bank reconcilements
– List of CU’s financial institutions, insurance policies and investments
– Emergency contact information
749.2: What Must a CU Do with Vital Records?
• Board of Directors responsible for establishing vital records preservation program within six (6) months after its insurance certificate is issued
• Must contain procedures for storing duplicate vital records at a vital records center
• Must designate staff member responsible for carrying out vital records duties
• Previously stored records may be destroyed when current records are stored
• Must maintain records preservation log showing:
– What records are stored
– When records were stored
– Who sent the records for storage
• Develop methods to restore vital member services
• CUs that have some or all of their records maintained by an off-site data processor are considered to be in compliance for the storage of those records if the service agreement specifies that the data processor uses safeguards against the simultaneous destruction of production and back-up information
749.3: What Is a Vital Records Center?
• A storage facility at any location far enough from the CU’s offices to avoid the simultaneous loss of both sets of records in the event of disaster
749.4: What Format May the CU Use for Preserving Records?
• Any format that can be used to reconstruct the CU’s records
– Paper originals
– Machine copies
– Micro-film or fiche
– Magnetic tape
– Any electronic format that:
• Accurately reflects information in the record
• Remains accessible to all persons who are entitled to access by statute, regulation or rule of law
• Is capable of being reproduced by transmission, printing or otherwise
749.5: What Format May the CU Use for Maintaining Writings, Records or Info Required By Other NCUA Regulations?
• Any format, electronic or other, that:
– Accurately reflects information
– Remains accessible to all persons who are entitled to access by statute, regulation or rule of law
– Is capable of being reproduced by transmission, printing or otherwise
• CU must maintain necessary equipment or software to permit an examiner access to the records during examination process
Appendix A to Part 749: Record Retention Guidelines
What Format Should the CU Use for Retaining Records?
• NCUA does not recommend a particular format
• If stored on microfilm, microfiche, or in an electronic format, they must be accurate, reproducible and accessible to an NCUA examiner
• If stored on CU premises, they should be immediately accessible upon examiner’s request
• If stored by a third party or off-site, they should be made available to examiner within a reasonable time after examiner’s request
• CU must maintain necessary equipment or software to permit an examiner to review and reproduce stored records upon request
• CU should ensure that reproduction is acceptable for submission as evidence in a legal proceeding
Who is Responsible for Establishing a System for Record Disposal?
• CU’s Board of Directors may approve a schedule authorizing disposal of certain records on a continuing basis upon expiration of specified retention periods
– Eliminates need for Board approval each time CU wants to dispose of same types of records created at different times
What Procedures Should a CU Follow When Destroying Records?
• CU should prepare an index of any records destroyed and retain index permanently
• Destruction of records should normally be carried out by at least two (2) persons, whose signatures attesting to the fact that records were actually destroyed should be affixed to the listing
What Are the Recommended Minimum Retention Times?
• Each state can impose its own rules
• CU should consider consulting with local counsel when setting minimum retention periods
• A record pertaining to a member’s account that is not considered a vital record may be destroyed once it is verified by supervisory committee
• Individual share and loan ledgers should be retained permanently
• Records, for a particular period, should not be destroyed until both a comprehensive annual audit by supervisory committee and a supervisory examination by the NCUA have been made for that period
What Records Should Be Retained Permanently?
• Official records
– Charter, bylaws and amendments
– Certificates or licenses to operate under programs of various government agencies
• Ex: certificate to act as issuing agent for the sale of U.S. savings bonds
– Current manuals, circular letters and other official instructions of a permanent character from the NCUA and other governmental agencies
• Key operational records
– Minutes of meetings of the membership, Board of Directors, credit committee and supervisory committee
– One (1) copy of each NCUA 5300 financial report or its equivalent
– One (1) copy of each supervisory committee comprehensive annual audit report and attachments
– Supervisory committee records of account verification
– Applications for membership and joint share account agreements
– Journal and cash record
– General ledger
– Copies of periodic statements of members, or the individual share and loan ledger (a complete record of the account should be kept separately)
– Bank reconcilements
– Listing of records destroyed
What Records Should a CU Designate for Periodic Destruction?
• Any record not described above, unless it must be retained to comply with requirements of consumer protection regulations
• Should be scheduled so that the most recent of the following records are available for the annual supervisory committee audit and NCUA examination:
– Applications of paid-off loans
– Paid notes
– Various consumer disclosure forms, unless retention is required by law
– Cash received vouchers
– Journal vouchers
– Canceled checks
– Bank statements
– Outdated manuals, canceled instructions, and nonpermanent correspondence from NCUA and other governmental agencies
Appendix B to Part 749
Different Types of Disasters
Natural Disasters: Floods/Rain Storms
• Flash flooding soaks everything in water
• Raw sewage in water
• Floating debris
• Silt in water damaging computers and everything else
• Lightning starting fires or power outages
• Hail
Natural Disasters: Landslide
• Floating debris
• Destruction to property
• Disruption to utility services, transportation
Natural Disasters: Tornadoes
• High winds destroy everything in their path
• Downed power lines
• Items smashing into your building, ATMs, windows
• Roof rips off and destroys valuable materials in offsite storage facility
Natural Disasters: Hurricanes
• Just look at Hurricane Katrina
• Flooding
• Winds
• Rain
• Hail
• Tidal surges
• Killings
• Looting
• CHAOS!
Natural Disasters: Snow
• Blocks roads
• Extreme cold
• High winds
• Drifting snow makes transportation difficult (including going home)
• Snow is heavy and can collapse roof causing damage on inside of structure
• In spring: watch for floods resulting from quick thawing!
Natural Disasters: Extreme Temperatures and Drought
• Extreme cold:
– Icy road conditions: employees and vendors cannot or are not willing to drive into work
– Emergency teams needed elsewhere
– Power lines downed by weight of ice
• Extreme heat:
– Peak energy hours causing black/brownouts
• Drought
Technological Disasters
• Fire
• Blackout or brownout
• Industrial explosion
• Hazardous materials accident
• Pipeline explosion
• Transportation disruption
• Water main, gas main or sewer break
Social Disasters
• Arson
• Bombing threat/bombing
• Terrorism
• Civil disturbance
– Disgruntled employees, stealing sensitive info
• Criminal activity
• Labor strife
Disasters In-Depth: Computers and Electronic Disasters
Computers and Electronic Disasters
• Typically involves:
– Loss of or damage to data
– Inability of programs to function
– Loss of data communication
• Can occur because of natural disasters:
– Floods
– Fires
– Earthquakes
• Can occur because of manmade disasters:
– Air conditioning failures
– Viruses
– Hacking
– Vandalism
Three Steps in Computer & Electronic Disaster Planning
• Risk assessment
• Risk reduction
• Recovery
Risk Assessment
• What is the probability that a particular disaster will occur?
• How serious is the effect likely to be if it does occur?
• Put together a disaster recovery team
Risk Reduction: Three Major Techniques
• Watching your power
• Guarding your computers
• Caring for your systems
Source: “Data Disaster: Planning for a Computer Meltdown”, nfib.com, 11/1/05
Watching Your Power
• Develop an alternate power supply
– Backup generation, which can keep your computer running for a short time period during a power outage, can help prevent data loss
• Protect against power surges
– Good surge protectors cost around $100
• When the air crackles, disconnect the modem
– Electricity can easily travel through telephone lines during an electrical storm and can damage computer equipment through your modem
• Be sure that you are insured
– Policies should cover hardware and software
– Ask about availability and costs of critical records coverage
Guarding Your Computers
• Use a password and change it frequently
• Protect your files
– Sophisticated software allows you to grant system access on a selective basis
• Segregate responsibilities
– Segregate manual and computer responsibilities; this prevents any one employee from obtaining all the tools necessary to manipulate the system or cover up theft
• Back it up!
– Most important security rule of all
– Back up your drive with all data weekly or daily (or even more frequently), depending on volume of transactions
– Rule of thumb: you should never be in a position where reentry of data requires more than a day’s work
• Keep your backup disks or tape in a safe place, preferably miles away from your business
– Put in a fireproof office safe or at an office across town
– Store at a commercial data center
– Consider a “round robin” arrangement where you always have two to four backups circulating
• When you send a fresh backup to location #1, you move its backup to location #2 and so on
• Keep a paper trail
– Since you may need to reenter data, keep your paper audit trail strong and clear
• Develop emergency operating procedures
– How will you restore data and get your system up and running again?
– If you have to run without computers, do you have adequate paper-based systems in place?
• Limit physical access
– Only employees that need access should have access to computer systems containing sensitive information
• Allow business use only
– Viruses often spread from disk to disk or disk to drive; employees should not be able to load personal software onto your business computer
• Exercise caution when downloading
– Many viruses enter a system when files are downloaded from electronic bulletin boards or software exchanges
• Give your computers periodic checkups
– Update anti-viral software regularly
• Ask for help
– Utilize a consultant if necessary
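The “round robin” rotation of off-site backups and the one-day re-entry rule of thumb above, as an added Python example that is not part of the presentation or of the NFIB article it cites. The three location names, the backup ids and the nightly schedule are constructed sample data; the class and method names are assumptions of this example. A fresh backup always goes to location #1, the backup that was there shifts to #2, and so on, with the backup at the last location retired; the second check measures how much data would have to be re-entered after a restore.

```python
from datetime import datetime, timedelta


def _as_datetime(value):
    """Accept a datetime or an ISO 'YYYY-MM-DDTHH:MM' string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


class RoundRobinBackups:
    """Round-robin off-site backup rotation (names are this example's own).

    With N locations you always have N backups circulating; location #1
    holds the newest and the last location holds the oldest.
    """

    def __init__(self, locations):
        if len(locations) < 2:
            raise ValueError("round robin needs at least two locations")
        self.locations = list(locations)
        # slots[i] is the (backup_id, taken_at) held at locations[i], or None
        self.slots = [None] * len(self.locations)

    def rotate_in(self, backup_id, taken_at):
        """Place a fresh backup at location #1, shifting the others down.

        Returns the backup that fell off the end (so it can be wiped and
        entered in the destruction index), or None while the ring is filling.
        """
        if self.slots[0] is not None and taken_at <= self.slots[0][1]:
            raise ValueError("new backup must be newer than the one at location #1")
        retired = self.slots[-1]
        self.slots = [(backup_id, taken_at)] + self.slots[:-1]
        return retired

    def placement(self):
        """Map each location to the id of the backup it currently holds."""
        return {loc: (slot[0] if slot else None)
                for loc, slot in zip(self.locations, self.slots)}

    def newest_backup_age(self, now):
        """Age of the newest backup: the window of data you would re-enter."""
        if self.slots[0] is None:
            return None
        return _as_datetime(now) - self.slots[0][1]

    def meets_rule_of_thumb(self, now, max_reentry=timedelta(days=1)):
        """True if a restore would cost at most one day's worth of re-entry."""
        age = self.newest_backup_age(now)
        return age is not None and age <= max_reentry


def demo():
    """Constructed sample: three locations and four nightly 22:00 backups."""
    ring = RoundRobinBackups(["fireproof safe", "office across town", "commercial data center"])
    first_night = datetime(2012, 2, 1, 22, 0)
    retired = []
    for night in range(4):
        gone = ring.rotate_in(f"backup-{night}", first_night + timedelta(days=night))
        if gone is not None:
            retired.append(gone[0])
    return ring, retired


if __name__ == "__main__":
    ring, retired = demo()
    print(ring.placement())
    print("retired:", retired)
    print("within a day on Feb 5 09:00?", ring.meets_rule_of_thumb("2012-02-05T09:00"))
    print("within a day on Feb 6 09:00?", ring.meets_rule_of_thumb("2012-02-06T09:00"))
```

After four nightly runs the fourth backup sits at location #1 and the first one has been retired, which is the point at which it should be added to the destruction index described earlier in the deck; the rule-of-thumb check passes the morning after a backup and fails once a night has been skipped.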
Caring For Your System
• Keep food and beverages away from your computers
• Maintain the right temperature
– Watch for excessively warm or damp rooms
– Dry, cool environment is best
• Clean your computer
– Many system crashes occur because of dust and dirt
• Write down a plan
– Make sure your computer protection and security program is written down!
• Don’t think that “it can’t happen to you”
– Aside from man-made and natural disasters, computers often suddenly break down for inexplicable reasons
Recovery Planning
• Who calls whom and what information should they be prepared to give?
• Who performs the needed diagnostics?
• Who restores the files?
• What are the instructions for packing and shipping corrupted files?
• Key elements:
– Communication
– Designated operators
– Designated manager
– External resources
– Insurance
Source: “Disaster Planning for Computers and Networks”, Boss, Richard W., ala.org/ala/pla/plapubs/technotes/disasterplanning.htm
Communication
• Don’t assume that regular telephone service will be available
• Key personnel should have cell phones
• Instructions for dealing with a computer/electronic disaster should be stored in a watertight, wall-hung cabinet near the entrance door
• All important telephone numbers should be available
Designated Operators
• Server operator on duty each hour
• Should have instructions to call support desks for servers that have been affected
• Should participate in occasional disaster drills
Designated Managers
• A manager should be available by phone 24 hours a day, 7 days a week
External Resources
• Vendors are an important resource for diagnosing problems that result from a disaster
• Should be able to pinpoint problems remotely
• Make sure you have a provision in the contract for emergency support
Insurance
• Coverage for servers, computers, networks, clients
• Must have a current inventory of all hardware and software, including purchase date and price
– Store a copy at a remote site
• Take photographs of damage promptly after disaster
NCUA Rules on Security Programs
NCUA Rules
• Part 748: Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance
– §748.0: Security program
• Requires each federally insured CU to develop written security program within 90 days of effective date of insurance
Security Response Programs: Overview
• Effective June 1, 2005
• Requires all federally-insured CUs to adopt a response program to direct them when they detect/suspect unauthorized access to their member information
• www.ncua.gov/ref
Overview
• Six main categories of planning and action:
– Assessment of situation
– Notification to regulatory and law enforcement agencies
– Contain and control the situation
– Corrective action
– Notification to members
– Revising service provider contracts
Overview
• Needs to be designed to do the following:
– Protect from robberies, burglaries, larcenies and embezzlement
– Ensure security and confidentiality of member records
– Respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member
– Assist in identification of persons who commit or attempt such actions and crimes
– Prevent destruction of vital records
Questions & Answers
• Any questions?
Thank you
• Contact Me
Robert Rutkowski
Partner, Credit Union Practice Group
Weltman, Weinberg & Reis Co., LPA
(216) 739-5004
www.weltman.com
www.thatcreditunionblog.com
Better Yet – Call Dawn!!
Dawn Pagon, National Manager of Client Relations
Credit Union Practice Group
(216) 739-5021