Mon, 15 Jun 1998

Was your savings account data burned?

By Zatni Arbi

JAKARTA (JP): "What happens to my savings accounts now? Do the banks still have the data, or have I lost all the money that I entrusted to them?"

As the riots raged out of control last month and we all felt helpless because of the lack of a reliable national leadership, that must have been among the many questions on peoples' minds.

It was a fair question to raise as we watched looters ripping computers off tables and carrying them out of burning buildings. Banks rely heavily on information technology and if their computers get damaged there is a risk that vital data may be lost.

All big companies, particularly financial institutions, collect massive amounts of data. Banks hold information on every single customer, and large banks with a scattered bank of automated teller machines (ATMs) transfer funds electronically. Every single transaction is recorded by binary numbers, a series of 1s and 0s, which are called data. If they ever lose this data they will be out of business. And you will be too.

Luckily most large banks and financial institutions cannot lose their data so easily because it is regularly backed up. Different banks have different policies on how often backups are made, but they are invariably made fairly frequently.

The backup tapes are stored in a protected, fireproof vault at the data center or at a different location. Storing the tapes "off-site" offers more protection than on-site storage.

The data center itself is usually very well protected. To minimize the risk of flooding it is usually located on the upper floors of a multistory building. Normally it is camouflaged in such a way that you won't be able to find it easily unless you've been an employee of the company for quite some time. In a well- managed security environment, visitors won't see any sign pointing to the Data Center. Even when you know where it is located you may not be able to get in because it is supposed to be a highly restricted area.

However, just like in any other walk of life, disaster can strike at any time.

If a calamity destroyed the data center business activities would be interrupted. This would mean a lot of angry bank customers because ATMs would stop dispensing money. Does this sound familiar to you?

ATM users are by no means the only people who would be affected by the destruction of the data center. A bank is a service institution and when its activities are suspended, even for just for one hour, it loses revenue on services that cannot be rendered.

To avoid a prolonged suspension of operations, many reputable banks and other organizations have prepared themselves against such an event with something called a Disaster Recovery Plan (DRP). With the help of a reliable DRP, the bank can resume business activities in a very short time after a serious disaster.

"A good DRP has a number of elements," said Ronnie A. Dumaguin of PT Pratesis, a company which has been providing disaster recovery services to various companies in Indonesia. "First, it has to assign several Disaster Recovery Teams, each of which is responsible for a different set of tasks. Once a disaster has been declared, the teams will then follow the procedures detailed in the Plan."

DRC

Within 15 minutes of the disaster a damage assessment should be carried out to determine whether it is necessary to move the data center to a different location. If the damage is not serious this may not be necessary. But if, for example, the data center building is no longer safe operations will have to be relocated to a Disaster Recovery Center, or DRC.

A DRC should be equipped with enough hardware, software, network facilities and communication links to set the entire operation in motion again with the minimum disruption to services.

"Preferably a DRC should be quite a distance away from the location of the primary data center," Ronnie explained. "Last month's riots showed why this should be so. If the data center was destroyed outright during riot it would not help much if the recovery center was very close by."

Another very important element of the DRP is the holding of regular training and simulation exercises to ensure that staff now how to react. For example, data center staff should know where they have to meet after evacuating the building, and members of the recovery team should know where the command center has to be set up.

The exercises also help to uncover pitfalls in the Plan. If any mistakes have been made or responsibilities left unallocated this will become evident during the exercises.

Organizations do not normally organize their own contingency plans for the simple reason that no one knows when disaster will strike. Waiting for an uncertain event is one of the most boring tasks that an employee can be paid to do. In most cases disaster management is subcontracted to companies that specialize in providing the service such as PT Pratesis and Gateway Group Inc.

According to a survey conducted by the UK National Computing Center (NCC), a lot of disasters have ended as just that because of a lack of funds allocated to ensure business continuity.

Luckily, according to analysts at Gartner Group, banks are among the institutions that allocate the highest percentage (6 to 8 percent) of their information technology budget to disaster recovery services.

We can only hope that large Indonesian banks with advanced information technology, including the ubiquitous BCA, will have some level of protection and disaster recovery plan in place. At least then it is not so easy for such banks to lose their data and purge your savings account!