Appendix C: Internal And External Threats

While a business continuity plan (BCP) should be focused on restoring the financial institution's ability to do business, regardless of the nature of the disruption, different types of disruptions may require a variety of responses in order to resume operations. Many types of disasters affect not only the financial institution but also the surrounding community. The human element can be unpredictable in a crisis situation, and it should not be overlooked when developing a BCP since employees and their families could be affected as significantly as, or more significantly than, the institution. Therefore, institution management should consider various internal and external threats and determine the impact they may have on the entire institution, including employees. While the type and severity of internal and external threats may be different for each financial institution, this section discusses four primary categories of threats that should be considered when developing the BCP. These threats include malicious activity, natural disasters, technical disasters, and pandemics.

Malicious Activity

Fraud, Theft, or Blackmail

Since fraud, theft, or blackmail may be perpetrated more easily by insiders, implementation of employee awareness programs and computer security policies is essential. These threats can cause the loss, corruption, or unavailability of information, resulting in a disruption of service to customers. Restricting access to information that may be altered or misappropriated reduces exposure. The institution may be held liable for release of sensitive or confidential information pertaining to its customers; therefore, appropriate procedures to safeguard information are warranted.


Personnel should know how to handle intruders, bomb threats, and other disturbances.  The locations of critical operation centers should not be publicized, and the facilities should be inconspicuous.  A disgruntled employee may try to sabotage facilities, equipment, or files.  Therefore, personnel policies should require the immediate removal from the premises of any employee reasonably considered a threat and the immediate revocation of their computer and facility access privileges.  Locked doors, motion detectors, guards, and other controls that restrict physical access are important preventive measures.

Vandalism and Looting

Vandalism and looting represent a threat because individuals often seek financial gain by exploiting security weaknesses exposed during an emergency or disaster situation. In the event of an area-wide disaster, the financial institution's security staff may be unable to reach the damaged facility and it may be difficult to obtain services from outside security personnel without prior notification. Therefore, management should address these potential threats before a disaster occurs by implementing alternate security measures to protect both the physical and logical assets of the financial institution.


The risk of terrorism is real and adequate business continuity planning is critical for financial institutions in the event a terrorist attack occurs. Some forms of terrorism (e.g., chemical or biological contamination) may leave facilities intact but inaccessible for extended periods of time. The earlier an attack is detected, the better the opportunity for successful treatment and recovery. Active monitoring of federal and state emergency warning systems, such as those of FEMA and the Centers for Disease Control (CDC), should be considered.

Terrorism is not new, but the likelihood of disruption and destruction continues to increase. The loss of life, total destruction of facilities and equipment, and emotional and psychological trauma to employees can be devastating. Collateral damage can result in the loss of communications, power, and access to a geographic area not directly affected by the attack.

Terrorist attacks can range from bombings of facilities to cyber-attacks on the communication, power, or financial infrastructures. The goal of cyber-terrorism is to disrupt the functioning of information and communications systems. Unconventional attacks could also include the use of chemical, biological, or nuclear material. Bio-terrorists may employ bacterial or viral agents with effects that are delayed, making prevention, response, and recovery problematic. While the probability of a full-scale nuclear attack is remote, it is necessary to address the readiness to deal with attacks on nuclear power plants and industries using nuclear materials and for attacks initiated by means of "dirty" nuclear devices, which are weapons combining traditional explosives with radioactive materials.

Natural Disasters


A fire can result in loss of life, equipment, and data.  Data center personnel must know what to do in the event of a fire to minimize these risks.  Instructions and evacuation plans should be posted in prominent locations, should include the designation of an outside meeting place so personnel can be accounted for in an emergency, and should provide guidelines for securing or removing media, if time permits.  Fire drills should be periodically conducted to ensure that personnel understand their responsibilities.  Fire alarm boxes and emergency power switches should be clearly visible and unobstructed.

All primary and back-up facilities should be equipped with heat or smoke detectors.  Ideally, these detectors should be located in the ceiling, in exhaust ducts, and under raised flooring.  Detectors situated near air conditioning or intake ducts that hinder the buildup of smoke may not trigger the alarm.  The emergency power shutdown should deactivate the air conditioning system.  Walls, doors, partitions, and floors should be fire-resistant.  Also, the building and equipment should be grounded correctly to protect against electrical hazards.  Lightning can cause building fires, so lightning rods should be installed as appropriate.  Local fire inspections can help in preparation and training.

Given government regulations to control ozone depletion, Halon fire suppression systems are being replaced with alternative fire suppressant systems.  Current systems utilize clean agents and include Inergen, FM-200, FE-13, and carbon dioxide.  Additionally, dry pipe sprinkler systems are being used that activate upon detection of a fire and fill the pipe with water only when required.  Consequently, the risk of water damage from burst pipes may be minimized.  These systems should be the staged type, where the action triggered by a fire detector permits time for operator intervention before it shuts down the power or releases fire suppressants.  Personnel should know how to respond to these automatic suppression systems, as well as the location and operation of power and other shut-off valves.  Waterproof covers should be located near sensitive equipment in the event that the sprinklers are activated.  Hand extinguishers and floor tile pullers should be placed in easily accessible and clearly marked locations.  The extent of fire protection required depends on the degree of risk an institution is willing to accept and local fire codes or regulations.

Floods and Other Water Damage

A financial institution that locates an installation in or near a flood plain exposes itself to increased risk and should take the necessary actions to manage that level of exposure.  As water seeks the lowest level, critical records and equipment should be located on upper floors, if possible, to mitigate this risk.  Raised flooring or elevating the wiring and servers several inches off the floor can prevent or limit the amount of water damage.  In addition, institutions should be aware that water damage could occur from other sources such as broken water mains, windows, or sprinkler systems.  If there is a floor above the computer or equipment room, the ceiling should be sealed to prevent water damage.  Water detectors should be considered as a way to provide notification of a problem.

Severe Weather

A disaster resulting from an earthquake, hurricane, tornado, or other severe weather typically would have its probability of occurrence defined by geographic location.  Given the random nature of these natural disasters, institutions located in an area that experiences any of these events should consider including appropriate scenarios in their business continuity planning process.  In instances where early warning systems are available, management should implement procedures prior to the disaster to minimize losses.

Air Contaminants

Some disasters produce a secondary problem by polluting the air for a wide geographic area. Natural disasters such as flooding can also result in significant mold or other contamination after the water has receded. The severity of these contaminants can affect air quality at an institution and even result in evacuation for an extended period of time. Business continuity planning should consider the possibility of air contamination and provide for evacuation plans and the shutdown of HVAC systems to minimize the risks caused by the contamination. Additionally, consideration should be given to the length of time the affected facility could be inoperable or inaccessible.

Hazardous Spill

Some financial institutions maintain facilities close to chemical plants, railroad tracks, or major highways used to transport hazardous materials.  A leak or spill can result in air contamination, as described above, chemical fires, as well as other health risks.  Institutions should make reasonable efforts to determine the types of materials being produced or transported nearby, obtain information about the risks each may pose, and take steps to mitigate such risks.

Technical Disasters

Communications Failure

The distributed processing environment has resulted in an increased reliance on telecommunications networks for both voice and data communications with customers, employees, electronic payment system providers, affiliates, vendors, and service providers. Financial institutions lacking diversity in their telecommunications infrastructures may be susceptible to single points of failure in the event a disaster disrupts their critical systems.


Customer reliance on institutions for account information creates a critical need for timely recovery of communications systems. Institutions should establish alternate forms of communication in the event local phone systems become inoperable including a plan for how customers will be advised of alternate means to contact the institution. One alternative form of voice communication involves the use of voice over Internet protocol (VoIP), which is the transmission of phone conversations through the Internet or Internet protocol networks. VoIP technologies also operate on both wireless Internet and cellular networks. While VoIP may become a viable solution when local phone systems are inoperable and the Internet is accessible and functioning, management should realize that preplanning may be required to ensure timely implementation of this technology.


In addition to restoring data communication lines with customers, restoration of communications with employees is also critical to any BCP.  To make it easier for employees to contact the institution during a disaster, management could distribute pre-established toll-free phone numbers to employees.  This method of communication would enable employees to report their status using a centralized location and obtain current information about operational restoration.

Calling trees may prove useless during an area-wide disaster since employees may have evacuated to unknown locations and standard telecommunications systems may be inoperable. Therefore, as an alternative to voice landlines, institutions should consider text messaging via cell phones, wireless personal digital assistants, two-way radios or satellite phones, text-based pagers, corporate and public e-mail systems, and Internet-based instant messaging systems. In addition, secure connections may be established through a virtual private network (VPN) using a standard Internet connection and a laptop computer. Management should also ensure they have an adequate supply of batteries to operate the wireless devices and laptop computers.

Electronic Payment System Providers

Communications failures with electronic payment system providers may prevent the use of electronic forms of payment, such as debit and credit cards and electronic funds transfers.  Therefore, cash needs become critical when customers and employees do not have access to funds electronically, and cash is in short supply during an area-wide disaster.  It may be difficult to obtain additional supplies of cash and take delivery of sensitive documents when transportation and telecommunications services are limited.  As such, management should carefully analyze funding needs if they anticipate, or when they become aware of, a pending disaster to ensure that liquidity needs are met in a timely manner.

Affiliates, Vendors, and Service Providers

The restoration of communication with affiliates, vendors, and service providers is also paramount to the timely recovery of an institution.  Alternate methods of communication and procedures for accessing, downloading, and uploading information should be pre-established with the institution's technology service providers, correspondents, affiliates, and third-party vendors to ensure continuity of service.

Power Failure

The loss of power can occur for a variety of reasons, including storms, fires, malicious acts, brownouts, and blackouts, and may result in widespread failure of the power grid and inoperable power distribution centers.  A power failure could result in the loss of computer systems; lighting, heating and cooling systems; and security and protection systems.  Additionally, power surges can occur as power is restored, and without proper planning, can cause damage to equipment.  As a means to control this risk, voltage entering the computer room should be regulated to prevent power fluctuations.  In the event of power failure, institutions should use an alternative power source, such as an uninterruptible power supply (UPS), gasoline, kerosene, natural gas, or diesel generators.  A UPS is essentially a collection of standby batteries that provide power for a short period of time.  When selecting a UPS, an institution should make sure that it has sufficient capacity to provide ample time to shut down the system in an orderly fashion and ensure that no data is lost or corrupted.  Some UPS equipment can initiate the automated shutdown of systems without human intervention.

If processing time is more critical, an organization may arrange for a generator, which will provide power to at least the mission critical equipment during extended power outages.  Management should maintain an ample supply of fuel on hand, such as propane, natural gas, or diesel fuel, and arrange for replenishment.  One potential advantage of natural gas is that it is supplied by a pipeline, avoiding the need to ship it in and maintain it onsite.  It is important to note that if a disruption is significant enough it may result in the inability to obtain additional fuel.  Further, fuel pumps and delivery systems may not be operable.  Therefore, proper planning involves careful consideration of which equipment and facilities should be powered up and whether certain operations should be scaled back.

It is also important to ensure that alternative power supplies receive periodic maintenance and testing to maintain operability.  Moreover, management should discuss with local authorities the ordinances relative to the location of generators and the storage and delivery of fuel.

Equipment and Software Failure

Equipment and software failures may result in extended processing delays and/or the inability to implement the BCP.  The performance of preventive maintenance enhances system reliability and should be extended to all supporting equipment, such as temperature and humidity control systems and alarm or detecting devices.

Transportation System Disruptions

Financial institutions should not assume regional or national transportation systems will continue to operate normally during a disruption. Air traffic or trains may be halted by natural or technical disasters, malicious activity, or accidents. In instances of area-wide disasters, delivery of essential services may be diverted for humanitarian and other emergency efforts. This can adversely affect cash distribution, fuel delivery, check clearing, and relocation of staff to back-up sites. Institutions should investigate the option of using private, ground-based carriers (e.g., messenger services, trucking companies, bus companies) to ensure the continuation of these vital functions.

Water System Disruptions

Essential necessities, such as water, could be limited or non-existent during a disaster.  HVAC systems may be dependent upon water to operate, and initial supplies of drinking water for employees may be quickly exhausted or difficult to find since new shipments may be delayed due to transportation problems.  Institutions should plan for potential disruptions in water services by determining the impact of such a disruption on business operations and maintaining adequate reserves on hand.

