
Tuesday, 09/20/2005 12:33:15 AM


How to Protect the Data?

BY JACK MILLIGAN
http://www.bai.org/bankingstrategies/2005-sep-oct/data/index.asp
Onsite or offsite? Tape or disk? Continuity planning involves a series of inter-related decisions.

SYNOPSIS: Since the 9/11 terrorist attacks in 2001, financial institutions have been under regulatory pressure to improve their disaster recovery and business continuity plans. Compliance with the mandates requires resolution of several issues that center on storage, backup and retrieval of internal data. Institutions need to differentiate between critical and non-critical data.

Data security and recovery may be the most important piece of a business continuity plan. Even a local power outage lasting just three or four hours can cause a major disruption, depending on what processes the bank uses to save its data. In an industry that’s paying more and more attention to the management of operational risk, it makes good business sense to have a plan in place that protects that data and lays out a roadmap for getting the bank up and running again.

Institutions are expected to focus on all their critical operations when preparing a business continuity plan (see sidebar), but the preservation of internal data is what inevitably attracts the most attention from bankers. “The only irreplaceable piece of the company is the data,” says Sami Akbay, senior director of marketing at GoldenGate Software in San Francisco, which provides a data recovery solution to a variety of financial services companies, including Charlotte-based Bank of America Corp.


There are certain basic elements that every data recovery program should have, beginning with offsite storage of all critical information, experts say. Large institutions generally maintain backup data processing centers that are in close proximity to their primary operations center, and certain core data is stored simultaneously at both locations.

Some large institutions have also established additional data centers well away from the primary site so that a major event like the failure of an entire power grid would not result in both centers shutting down, experts say. The vast majority of community banks cannot afford the luxury of a secondary data center, but must still take steps to store their critical data in a secure location away from the bank’s own facility.

The data should also be encrypted to ensure its confidentiality if it is lost or stolen — a distressingly frequent occurrence nowadays. In fact, the Gramm-Leach-Bliley Act of 1999 makes corporate directors explicitly responsible for reviewing and approving their bank’s data security program. “It’s crucial that banks ensure the protection and privacy of data — their own data as well as the customer’s,” says Aida Plaza Carter, director of bank information technology at the OCC.

What process should an institution follow to store data? That’s a decision to be based on both cost and performance considerations. Steve Finnes, continuity manager for IBM Corp.’s line of iSeries servers, estimates that a significant number of banks employ some type of real-time data storage, although a great many still rely on tape backup technology to secure their critical information.

In a typical tape storage system, the bank would back up its critical data to tape each night and turn over the tapes to a courier, who would deliver them to an offsite storage location that is often managed by a third-party service provider. There are three fundamental problems with this approach, experts say. First, any disruption that occurs during normal business hours will probably result in at least a few hours of data loss, since the backup function occurs only at day’s end. It can also take longer to restore lost data when it has to be retrieved from a tape. And, tapes are subject to being lost or stolen during transit offsite.

“If you’re managing data, the fact that you’re moving it on a common channel means that at some point something is going to get lost,” says Ron Roberts, president of Blupointe DRS in Atlanta, which distributes data backup and recovery software developed by Toronto-based Asigra. “At some point a truck is going to tip over, or the courier is going to lose the tapes,” he says. “At some point, it’s going to be a disaster.”

Indeed, it was reported in June that CitiFinancial Inc., the consumer finance unit of New York-based Citigroup Inc., lost information on 3.9 million CitiFinancial branch customers when a box of mainframe data tapes was being shipped to a credit bureau. Bank of America Corp. likewise was reported to have lost backup tapes with account data on 1.2 million customers.

Both Citigroup and BofA declined to comment.

REAL-TIME DATA BACKUP

Alternative storage solutions marketed by several firms use the Internet to back up data in real time and store it offsite on disks. This eliminates the risk of losing vital customer information while in physical transit and the inherent 24-hour lag time in tape systems. These systems also enable the bank to restore lost data in much less time.

For example, Renasant Corp., a $2.3-billion-asset bank headquartered in Tupelo, Miss., avoids tape altogether by using a product from Hoboken, N.J.-based NSI Software to save all loan and customer service transactions in real time to mainframes at its tech center in Tupelo and also to a disaster recovery site 10 miles away, according to vice president and network operations manager James Hayes. (The bank is in the process of relocating this disaster recovery facility 150 miles away to Birmingham, Ala.)

Other information, including certain teller transactions, is not saved to the tech center online, but is still copied at night and saved to both tape and disk. For his part, Hayes believes the extra cost of real-time replication over the Internet for Renasant’s most critical data is worth it. “The advantage to us is that we could recover faster,” he says.

While backing up data online to disks is generally more expensive than off-line tape storage, Tony Barbagallo, EVault’s senior vice president for marketing, argues that the cost of the online approach has declined significantly as the cost of bandwidth has dropped. Jason Buffington, director of business continuity at NSI, says pressure from the FFIEC to make drastic improvements in recovery time after a significant event has gradually moved some large banks toward online storage. “If you have to be back in operation within four hours, tape is immediately off the table,” he says.

As the Renasant example attests, putting together a data recovery plan requires banks to differentiate between critical and non-critical data, particularly if they’re considering online backup. EVault’s Barbagallo says the cost of online storage can be a function of volume — the more you store, the more you pay. He defines critical data as anything that changes daily and is crucial for the operation of the bank. This would include, for instance, all transactional data like teller and ATM transactions, trading and related capital markets information and any kind of electronic payment.

“It’s anything where [the bank] basically would be dead in the water if it was lost for good,” Barbagallo says. This is the kind of data that banks should consider backing up using technologies that entail fast recovery times, he adds.

Non-critical data might include whatever doesn’t change daily or isn’t absolutely essential to the quick recovery of the bank’s transactional capabilities, such as human resource files. This information can be more safely backed up using various copying and storage technologies that aren’t performed on a real-time basis.

E-mail is rarely placed in the must-save data category by recovery experts, although this earns a strong dissent from Dale Windle, chief executive officer at Ottawa-based Decisive Technologies, which offers a data retention and archival solution to companies, including banks. Windle argues that recent regulatory initiatives such as the Sarbanes-Oxley Act, combined with e-mail’s emergence as important evidentiary matter in civil and criminal suits, have created a legal liability that tips it into the critical category.

“If a court says it wants to see certain documents and you can’t produce them because a disaster has occurred, you’re guilty of a crime,” Windle says.

Finally, experts agree that it’s crucial for banks to test their disaster recovery systems periodically — an expectation that the regulators impose on all banks. Cynthia A. Bonnette, director of risk assessment at Alexandria, Va.-based consultant NETBankAudit, says the regulators no longer require a “big bang” test where, once a year, institutions test all their critical systems simultaneously. Instead, banks can test various pieces of their business continuity and disaster recovery plans on a staggered basis throughout the year, she says.

Hayes says that Renasant has never had to rely on the institution’s data recovery plan in a real life situation, but does test the system on a regular basis. “We think of it as a nice security blanket,” says Hayes. “It’s like insurance. Hopefully we’ll never have to use it.”

dude_danny
