Vol. 9, No. 10, Page 9
of locking the security processor inside the processor unit? If the answer is yes, then at least have the sense to fit a lock to the processor box and make sure that access to the key for this lock is rigidly controlled.
Keith M. Jackson, Data Security Consultant.
CONTINGENCY PLANNING SEMINAR REVIEW
Some 170 delegates attended a one-day seminar organized by IBC Technical Services Ltd on contingency planning and disaster recovery in London on 12 May 1987. Chairman of the day, Dr Ken Wong of BIS Applied Systems Ltd, provided some alarming statistics on the types of disaster which can befall computer sites, based on cases detailed in the BIS Disaster Casebook (see "Computer Disaster Statistics 1987" in the June 1987 issue of CFSB). During the course of the day, emphasis was placed on the view that contingency planning should be for the entire organization, not just the computer room, a fact borne out by Dr Wong's statement that "in over half of the fire-related incidents, the fire or explosion started outside the computer room". While a third of recorded incidents resulted in over £100 000 of material damage to computer equipment, at least 50% incurred consequential losses in excess of £100 000. Dr Wong estimated that the risk of any organization suffering a disaster was 1000:1. He stated that it was vital that an organization recognize its increasing dependency on automated systems, and therefore the unlikelihood of being able to fall back on manual systems. The organization must assess the business impact from loss of its computing facility, and budget for effective contingency measures. One way of covering the cost of such a plan was to spread it among the various departments using the facilities. This would reduce the impact on the MIS or computer department budget. It is vital, stated Dr Wong, that as part of a recovery plan, priorities are determined, taking account of any possible "cascade" effect, and that any plan must be endorsed by the Board of Directors. Tim Boddington of Shell (UK) was the next speaker. He discussed Shell's requirements for recovery, as well as the rationale behind its back-up and standby arrangements and the lessons learnt.
Within Shell's 200 principal computer facilities, there have been four incidents - two of fire, one of flooding, and one terrorist bombing. Shell recovered from each of these without too much difficulty, due to the contingency plan the company had in place. Mr Boddington stated that "Identification of the critical systems was the most important factor; criticality is time-based." The Shell plan had to cover all elements - data and communications, the latter being the most difficult. One of the advantages of being a multi-national company, he said, was the availability of back-up sites elsewhere in the organization, making reciprocal agreements much easier.
© 1987 Elsevier Science Publishers B.V., Amsterdam. /87/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
Mr Boddington stressed the importance of building in as much resilience as possible to any communications network, ensuring good design, route flexibility, and a multiple selection of carriers, e.g. British Telecom (BT) and Mercury. The testing of any plan, and the on-going maintenance of it, were the keys to its success, stated Boddington. For example, Shell holds written purchase orders on manufacturers for replacement equipment as part of the plan. The manufacturers are kept aware of this, and the orders are updated depending on the equipment installed. The manufacturers also recognize that in the case of an invocation, a member of the Shell organization, who would not normally have such authority, might sign the order under emergency conditions. The importance of regular testing of the plan cannot be over-emphasized and care must be taken to ensure changes made at applications level are available at the recovery site. Summing up, Boddington stated that the lessons Shell learnt were "Plan, Test, Review, Re-test". The next speaker, Roger Moore of Hill Samuel & Company, outlined the "Big Bang" Resilience Review undertaken by his company. He stated that the voice network was the most critical to his organization - "no talk - no deal", he said. All the dealing rooms had to be revamped, as the Review considered:
Accommodation
Voice and data networks
Computer equipment
Power supply.
Risk assessment was vital, and Hill Samuel had split it into four levels:
Level 1 - Single loss
Level 2 - Multiple loss
Level 3 - Whole computer facility
Level 4 - Whole Business.
The resultant Resilience Summary highlighted the fact that contingency planning had to be for the whole business, not just the computer facility. One half would not survive without the other. On Accommodation, Hill Samuel had made use of the "Datachamber" principle, i.e. a secure room within a room, to ensure that dealers had facilities in the case of an emergency, and these were protected physically to the highest level. Protection of the Voice Network was given the highest priority, with separate circuit carriers, splitting the cabling between physically separate ducts. Also, circuit switches were protected by installing modular central equipment, so there was no one point of failure at the Dealer Boards. Dual PABX systems were in place so the circuits were independent of the PABX provided for critical functions. Intercom facilities were also designed to provide limited back-up to each other. The Data Network was protected by multiple feeds on external calls coming in, and back-up circuits for all internal feeds. Price and Trade reporting links are backed-up by a separate PC network. Hill Samuel employs dual LAN networks, and designed these so that each dealing floor can operate independently, but is split between two separate networks. Moore also stressed the importance of keeping the Network Controller away from the main computer site, thus isolating the communications links to the off-site centre. Hill Samuel also utilizes off-site computer capacity as back-up and ensures these are fully operational by using them for systems development work. Power supplies to Hill Samuel are protected by UPS facilities, as the criticality of its business is such that it cannot afford any break in power - this is felt to be Hill Samuel's most vulnerable area. Moore stated that the company's post-implementation experiences to date had been: six water leakages, two power failures, and three LAN problems. The air-conditioning system had been the main source of the water problem. It transpired that only two of the water detectors were working. Five of the incidents had occurred outside normal working hours. Hill Samuel had encountered a UPS failure - the neutral cable was burnt out by a power overload. This resulted in a loss of a wide range of data and voice communications for some time. The problem was compounded by the fact that the back-up system was knocked out at the same time. It was established that the PCs had caused the overload, and Moore commented that "the situation was contained, but was very worrying for a time". The lessons learnt by Hill Samuel were that:
there can be many areas of failure
tomorrow may be too late
institute Major Incident Reports (MIR) and circulate them to the relevant people
plan, test and review
contingency planning is not just a part-time job for the DPM.
Phil Stamp of the Corporation of Lloyds said that Lloyds produce punch cards (with print!) for some 90 000 underwriter advices. They have one site only, with multiple hardware, to which some 600 screens are connected. Stamp said that their biggest problems were:
a) convincing management to spend money on a contingency plan. They took the view that enough money had been spent on prevention - who needs a cure?
b) getting the users to identify critical systems.
In considering their short term option, Lloyds compared hot-start facilities against a second site facility, and opted for hot-start. The long-term options were Real Estate v Temporary Premises, the former giving higher running costs but with investment potential: this was the option selected. Stamp then outlined the planning procedures employed, much along the lines of previous speakers, and reiterated the fact that contingency planning was an ongoing process of test and review. All agreed that it would be difficult, however, for Lloyds to simulate a disaster, due to the sensitive nature of their business. In summary, Stamp stated that Lloyds' plan was geared "to cope with a variety of services failures". They also endeavoured to gear the expenditure on the plan to potential loss (in the beginning, the contingency planning amounted to approximately 2% of the DP budget). Their future aim, he said, was "to prevent disaster".
The next speaker, Paul Robathan of Infact Ltd, described the background to the service offered by his organization, Emergency Telecommunications Services (ETS), the Standby Dealing Room. The basis for setting up the service was that dealers in the City "need to minimize loss from Trading Room disruption", said Robathan. Any disruption to dealing could result in millions of pounds of lost business, and Robathan quoted one such example. A broker in the Minories (a district of London) lost all its Dealing Room telephones for a week. Luckily, the MD was a friend of the BT office across the road, and was able to arrange for the dealers to move to an office in BT, from where they continued their business. Nevertheless, they estimated that they lost 20% of their business in that week because of the problem. Should a broker opt to set up a standby Dealing Room to provide back-up, Robathan stated that each would have to be 70% more complex than any single room, because of the need for controllers etc., for Dealer Boards, voice networks, and digital services. Thus, ETS was born of a need which was growing all the time. In an emergency, up to six clients per Dealing Room, with 72 positions each, can be accommodated, with a Dealer Board of up to 50 exchange lines. Groups of up to 24 desks will be able to share access to these lines. To secure the back-up, a local PABX is not used, but instead a Centrex Telephone System. All Dealer Board voice conversations are recorded, and there is access to up to 50 private wires. Remote and local computer access is available using the standard protocols. Telex, photocopying, and fax facilities will also be available. It is Infact's intention, said Robathan, to bring in a satellite dish for international communications standby. Fibre optic connection to BT and Mercury will also be available.
Robathan stated that when the Dealing Rooms are not occupied on an emergency basis, they will be available to subscribers for the training of dealers in a 'live' environment, for testing of new equipment and software, and to handle any overflow dealers may encounter temporarily. The usual information services will also be available (Reuters, Telerate etc.). The final speaker of the day was Bill Farquhar of BIS Applied Systems, who discussed the topic of "How to prepare an effective contingency plan". While covering some of the points already raised by the previous speakers, Farquhar outlined the main reasons for an organization having a contingency plan as being:
a) good business management
b) a means of reducing thinking time when a crisis occurs
c) providing a controlled recovery
d) minimizing the effect of a crisis.
Some people opt "to do nothing about back-up, some insure against crisis, some protect, others pray, or do any combination of these". Some of the options available, hot-start, cold-start, reciprocal arrangements, were outlined briefly, together with their merits/disadvantages. The contingency plan strategy, said Farquhar, had to be defined, along with task lists, asset inventory, insurance etc. Back-up facilities had to be fully documented, back-up teams and their functions defined, all as part of the plan. Testing of the plan, he said, was "vital" for all areas and resources. Summarizing, Farquhar's advice was: "Don't underestimate the effort involved, test your plan regularly, review it, and modify it." One speaker from the floor, representing an Insurance company, said that none of the day's speakers had really included the role insurance companies have to play in devising a contingency plan. He stated that insurance should go hand in hand with the plan, and that most organizations would require an insurance plan tailor-made for them. Otherwise, as someone had said earlier, they would find "loss adjusters re-furbish in battle". Irene King, Alkemi Ltd. Editor's note: IBC are repeating this seminar on 5 October 1987 at the Inter-Continental Hotel, London. Further details can be obtained from Louise Comer, IBC Technical Services Ltd, Bath House, 56 Holborn Viaduct, London EC1A 2EX, UK; tel: 01-236-4080; tx: 888870.
BOOK REVIEW FILE
Title - Computer Security (Second Edition)
Author - John M. Carroll
Publisher - Butterworths, 80 Montvale Avenue, Stoneham, MA 02180, USA, April 1987.
Reviewer - Keith M. Jackson
The blurb on the jacket makes the strong claim that the first edition of Computer Security was an essential text, and that the newly-published second edition "will continue to be seen as the definitive reference on the subject". Having grown weary of such claims being made for all sorts of nonsense in the past, I am surprised to find myself agreeing with the publicity. You'll never use Computer Security as bedtime reading, it is too voluminous for that, but you will find an explanation of