Information Security News mailing list archives

U.S. regulators issue disaster recovery guidelines


From: InfoSec News <isn () c4i org>
Date: Sat, 12 Apr 2003 03:05:03 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,80262,00.html

By LUCAS MEARIAN 
APRIL 11, 2003
Computerworld 

Three U.S. regulatory agencies have released disaster recovery
guidelines for financial institutions notable for their lack of any
recommended minimum distance between primary and secondary data
centers and their recognition that achieving many of the goals could
take years.

The Federal Reserve, the Office of the Comptroller of the Currency and
the Securities and Exchange Commission on April 8 issued a white paper
describing objectives for disaster recovery and business continuity
plans that should be set in place.

The agencies stated that they expect organizations that fall within
the scope of the white paper [1] to "adopt the sound practices within
the specified implementation time frames."

The regulators focused mostly on what they described as "core clearing
and settlement organizations," or the largest brokerages, custodian
banks and clearing firms, saying they should substantially achieve
disaster recovery and sound business continuity practices by the end
of 2004.

In the event of a wide-scale disaster, the nation's financial system
"rests on the rapid recovery and resumption of the clearing and
settlement activities that support critical markets," the agencies
said.

The guidelines include the recommendation of recovering operations
"within the business day on which a disruption occurs, with the
overall goal of achieving recovery and resumption within two hours
after an event."

"The paper's business continuity objectives, sound practices and
timetables will clearly improve the resilience of the U.S. financial
markets," Donald Kittell, executive vice president of the Securities
Industry Association, stated in a press release.

The document also said that the focus of financial firms should be on
"appropriate back-up capacity necessary for recovery and resumption of
clearing and settlement activities for material open transactions in
the wholesale financial markets."

The agencies' business continuity objectives include rapid recovery
and timely resumption of critical operations following wide-scale
disruptions or loss of staff in "at least one major operating
location," and a high level of confidence through ongoing testing that
plans are "effective and compatible."

In August, an interagency white paper that was released on
strengthening the resilience of the U.S. financial system was soundly
criticized by banks and brokerages for its suggestion that there be a
minimum distance of 200 to 300 miles between a primary and backup data
center.

Many firms considered it technically unfeasible. For example, Fibre
Channel, the most common network protocol used between data centers,
has a distance limit of about 100 miles, or 62 kilometers.

"We were pleased, because they took into account the dialogue agencies
had with the industry after the first white paper came out [in
August]. That's the key point. We're all working together," said
Margaret Draper, a spokeswoman for the Securities Industry Association
in New York.

Draper said the white paper could eventually become the basis for
industry-specific rules that would be administered by self-regulatory
organizations, such as the National Association of Securities Dealers
Inc. and the New York Stock Exchange.

Regulators said firms should also maintain sufficient geographically
dispersed resources to meet recovery and resumption objectives.

But the agencies stated that they aren't recommending that firms move
their primary offices or data centers outside of metropolitan
locations, because they understand that financial firms need to
maintain processing sites near the financial markets.

[1] http://www.sec.gov/news/studies/34-47638.htm


