Tuesday, August 19, 2014

Because politics - Federal banking recommendations on disaster recovery, and what happens when a U.S. Senator takes an interest in the topic

I should caution my readers that the technical capabilities and limitations discussed below are primarily of historical interest. The articles cited in this post date from 2003, which is ancient history when you talk about communications.

Not that disaster recovery is no longer a concern; it clearly is. In a disaster recovery scenario, you set up two computer systems, with the hope that if something happens to one computer system, all processing can be shifted to the other computer system.

But what if a disaster occurs that affects BOTH computer systems? Certainly an earthquake or a hurricane could adversely affect both systems - depending upon where they are placed.

The U.S. Government, in its recommendations to the banking industry, had to grapple with that very issue - but chose not to do so, for reasons outlined in this April 2003 article.

Three U.S. regulatory agencies have released disaster recovery guidelines for financial institutions notable for their lack of any recommended minimum distance between primary and secondary data centers....

In August, an interagency white paper that was released on strengthening the resilience of the U.S. financial system was soundly criticized by banks and brokerages for its suggestion that there be a minimum distance of 200 to 300 miles between a primary and backup data center (see story).

Many firms considered it technically unfeasible. For example, Fibre Channel, the most common network protocol used between data centers, has a distance limit of about 62 miles, or 100 kilometers.

Ah, this is refreshing. Government agencies make decisions solely based upon technical factors.

But I couldn't help but click on the link that appeared at the "(see story)" parenthetical statement. And that link, to a January 2003 article, told an entirely different story.

In letter to U.S. Sen. Charles Schumer (D-N.Y.), the heads of the Federal Reserve System, the U.S. Office of the Comptroller of the Currency (OCC) and the U.S. Securities and Exchange Commission said they will now work individually with companies to develop contingency plans that will help keep backup sites in New York.

"At a time when New York is scrambling to keep businesses downtown in the wake of 9/11, it would have been disastrous to force the mainstays of New York's financial industry to move out of the city," Schumer said in a statement.

It's interesting to note that the January article said nothing about Fibre Channel or its 62 mile limitation. Instead, it talked about a New York Senator who was worried about business moving out of New York. Apparently Senator Schumer worried that the secondary sites, rather than being located in Buffalo, might be located in Raleigh - or perhaps even Boston.

Of course, as Dave Barry once said, any action by a government agency is automatically negated by an equal an opposite reaction from another government agency - something that can be seen when you look at the examination preparation materials issued by the Federal Financial Institutions Examination Council.

Geographic Diversity

When determining the physical location of an alternate processing site, management should consider geographic diversity. In addition, alternate sites should not rely on the same critical infrastructure system that provides utility services such as electricity, telecommunications, transportation, and water. While geographic diversity is important for all financial institutions, this is a particularly important factor for financial industry participants whose rapid recovery is critical to the financial industry. Financial institutions should consider the geographic scope of disruptions and the implications of a citywide or regional disruption. The distance between primary and back-up locations should consider RTOs and business unit requirements. Locating a back-up site too close to the primary site may not insulate it sufficiently from a regional disaster. Alternatively, locating the back-up site too far away may make it difficult to relocate the staff necessary to operate the site. If relocation of staff is necessary to resume business operations at the alternate site, consideration should be given to their willingness to travel, the modes of transportation available, and if applicable, lodging and living expenses for employees that relocate. When evaluating the locations of alternate processing sites, it is also important to subject the secondary sites to a threat scenario analysis.

On the other hand, the text above is couched in phrases such as "management should consider," and no minimum distance is mandated or even mentioned. In other words, there are enough loopholes in this to guarantee that if the senior U.S. Senator from New York raises a stink, any geographic diversity recommendations can be safely disregarded.
blog comments powered by Disqus