pakistan bcp preparedness for city violence july 4, 2007 tariq mahmood, chief security officer
TRANSCRIPT
Pakistan
BCP Preparedness for City Violence
July 4, 2007
Tariq Mahmood, Chief Security Officer
2
agenda
Any Queries 4
3
2
1 A Brief Intro & the Situation
CDC Preparedness
Lessons Learnt
Pakistan
A Brief Intro & the Situation
Pakistan
4
CDC Pakistan – A Brief Intro (Figures as on May 31, 2007)
1. Number of employees 375
2. CDS live securities 655
3. Participants / Account Holders 534
4. Eligible Pledgees 102
5. Number of shares available in CDS 44.73 Billion
6. Market Capitalization of Shares US $ 30.93 Billion
7. Share Holder’s Equity US $ 17.92 Million
8. Total Assets US $ 21.84 Million
9. Total Revenue US $ 12.36 Million
10.Profit after Tax US $ 3.94 Million
5
Situation
May 12, 2007: A Saturday – Though a full working day but only 50% of the staff attend offices while remaining take off
All three Stock Exchanges are closed on Saturday but some of the stock brokers do attend their offices to perform back office work; Banks and Issuers/RTAs are open but mostly for half day only
Normally there is only 10% of the business of Mon – Fri. for CDC
Blockage in access to offices & other commercial areas was expected due to various political rallies planned that day
Violence with that severity was not predictable; CDC called only most essential staff to attend office with arrangements for their stay at hotel
No usual traffic in the city – Airport, Railway Stations, public transport affected
All utilities were available – Mobile, Telephone, Electricity, Networking etc.
Business Centers / Shops remained closed
Three offices of CDC in Karachi were operational though at lower scale and provided services to customers till first half of the day only. The CDS was available full day.
CDC offices in other cities provided full services
Pakistan
CDC Preparedness
7
CDC Preparedness - Introduction CDC established DR Site in same city in 2000
CDC developed its first DR Plan in 2000
Mock DR Drills of different levels were conducted in 2001, 2004, 2005 and 2006
BCP of critical business functions was added in the revised DRP in 2006
IBM Global Consulting was assigned to develop a comprehensive BCP covering all business functions in Oct 2006
Several planning meetings and staff awareness presentations were conducted
All business functions prepared their draft BCP by April 2007
Table Top tests were conducted to improve BCP
Draft BCP of entire CDC was completed in May 2007
Following few slides present some of the aspects of the methodology, standards and processes used in the preparation of this BCP
8
Major Threats Unauthorized access
Hardware failure
Utility failure
Natural disasters
Loss of key personnel
Human errors
Neighborhood hazards
Tampering
Disgruntled employees
Risk of Employees Safety
Improper use of technology
Repetition of errors
Cascading of errors
City Violence Illogical processing Invalid translation of user needs
(technical requirements) Inability to control technology Equipment failure Incorrect entry of data Concentration of data Inability to react quickly Inability to substantiate processing Concentration of responsibilities Erroneous/falsified data Misuse of administrative authorities
9
CDC decided to develop a predictive model that will enable CDC to preemptively recognize and successfully respond to a threat before it becomes a crisis
Result: CDC targets to become a leading-edge predictive organization
Infinite EventsInfinite Events
FiniteInternal
& ExternalImpacts
FiniteInternal
& ExternalImpacts
Major EffectsMajor Effects
People
Processes
Technology
Infrastructure
Applications
Databases
Partners
Market
Economic
People
Processes
Technology
Infrastructure
Applications
Databases
Partners
Market
Economic
Resiliency PlanningResiliency Planning
Prioritized Ranking of Threats
Review of Existing Plans
Threat Reduction Controls
Gap Analysis
Development & Testing of Resiliency Plans
Prioritized Ranking of Threats
Review of Existing Plans
Threat Reduction Controls
Gap Analysis
Development & Testing of Resiliency Plans
Physical, Personnel, Information, Reputation, Participants,
Economic, Public and Private Infrastructure
Impacts
Physical, Personnel, Information, Reputation, Participants,
Economic, Public and Private Infrastructure
Impacts
11
CDC Emergency / Disaster Escalation paths
.
Alarm
Ala
rm
Det
ecti
on
Damage Assessment
Resumption Procedure Select.
DR Committee Convocation
Notification of Losses to
Insurance Co.
Declaration ?Emergency Disaster
IT Recovery Procedures for Critical LAN's
Critical Workplaces Recovery
Help Desk Support Service
Recovery
Communication to CDC's personnel
Comm. to Media, suppliers,
customers
Notification of Losses to
Insurance Co.
IT Recovery Procedures for Critical LAN's
Workplaces Recovery
Help Desk Support Service
Recovery
Communication to CDC's personnel
Comm. to Media, suppliers,
customers
Request ofCivic and
Vendor Services
IT Recovery Procedures for
NonCritical LAN's
Problem
End
.
Secure Damaged Site.
Repair Damaged Assets
Secure Damaged Site.
Repair Damaged Assets
Request of Civic and
Vendor Services
12
CDC Business Continuity Teams
Disaster Recovery Manager
IT Disaster Recovery Coordinator
Disaster Recovery Committee
Help Desk Support Team
Assessment Team IT System Engineers Team
Equipment and Facilities Team
Business Continuity Plan Team Organization
Surveillance Team
IT Operations Team
Application / Technical Support Team
Telco Engineers Team
Administration Support Team
Enterprise
Security Support Team
Technical Support Team
Secretariat Support
13
Design Criteria-1: Basic Business Continuity Plan
CDC House
DR Site
KSE
Branches
Problem Emergency Disaster
AlertZero hours 2 hours ?? 8 hours ?
E S C A L A T I O N & D E C L A R A T I O N P L A N
relocation
relocation
relocation
Ta
keo
ver
Takeover
14
Design Criteria-2: Pre-Staged and Out of Region Recovery
CDC House
DR Site
Remote Site
Branches
Problem Emergency Disaster
AlertZero hours 2 hours 8 hours
E S C A L A T I O N & D E C L A R A T I O N P L A N
IT High Availability
Primary replication link
Alternate replication link
Takeover
Takeover
Workload RotationPre-staged Staff & Technology
Pre-staged Staff & TechnologyPre-staged Staff & Technology
Data Integrity
Data Integrity
July 4, 2007
Lessons Learnt
Pakistan
16
Lessons Learnt
People issues are paramount– Impact of location of employees; their safety, morale and cross training is important
Communications strategies– Although communications systems were available, however these may be affected; To consider multiple
business recovery hotlines, Telecommuting, Business Continuity Website
Third-party contracts without continuity requirements– Although it was a one day situation, however if it was a longer duration, service providers and suppliers
recoverability capabilities could pose problems; To ensure they got adequate business continuity plans
Improved focus on resiliency and investment in continuous availability strategies– To continue emphasis on business processes’ resiliency, investment in fault tolerant systems, data storage
and network redundancy and to consider improved insurance coverage
Non-critical technology more important than anticipated– Although CDC was able to continue its data center operations, however it need to consider that worst case
scenarios can become reality and it should prepare for that. To consider virtual office strategies.
17
Let’s acknowledge that Business Continuity is a process and people design, not only a technology design ……
40%
60%
ProcessDefinition/design, compliance and continuous improvement
PeopleRoles & responsibilities, management, skills development & discipline
Technology Hardware and software capabilities
Any Queries ?
Pakistan
July 4, 2007