HDFC Bank’s BS 25999 certification journey: An exploration

With BS 25999 certification hot these days, we take a look behind the scenes at HDFC Bank. The BFSI player just completed its first year of certification.

At a time when the banking and financial players in India started to warm up to the idea of business continuity, it’s interesting to note that financial major HDFC Bank’s BCP team had been working on a strategy for over five years. This puts the bank far ahead of the curve, according to Vishal Salvi, the CISO at HDFC Bank. A full year ahead of the Reserve Bank of India (RBI) mandate, HDFC Bank achieved BS 25999 from BSI (in March 2011) for its entire operations. The bank completed its first annual surveillance audit in May 2012.

Following BS 25999 certification, all HDFC Bank processes, covering technology (DR and infrastructure), business, and crisis management, are now BS 25999 compliant. These include the operations spread over 3000 branches. HDFC Bank has been working on its IT infrastructure, awareness, policies and frameworks over the last five years, says Salvi. The business continuity office was started under the information security team in 2008. It binds together the DR initiative, business continuity, business operations and the crisis management team.

The key players

HDFC Bank’s hierarchy follows a pattern where the program management comes under information security. The IT stack and technology for DR falls under IT’s auspices. HDFC Bank operates three data centers with around 250 applications; nearly 50 of these applications are classed as critical. The primary DR site is located at Bengaluru.

Salvi’s Mumbai-based BCP team is responsible for internally driving the BCP agenda. HDFC Bank’s business continuity management (BCM) office is headed by Asmita Gada, who reports to Salvi. This full-fledged independent position deals only with business continuity management. The office is also in charge of framing guidelines, policies and design for the organization-wide template.

After the design phase, governance takes the form of steering committees (comprising senior management, group heads and business heads). The committees meet every six months to decide strategy and business continuity processes. The bank also holds a monthly IT steering committee meeting to address tactical and operational challenges in managing and improving infrastructure.

Paving the way - Risk assessment, BIA

HDFC Bank used the BS 25999 risk framework for risk assessment to develop a tailored risk/threat matrix. Business processes were dissected to determine the linked applications to be included in the BCP’s scope. Once the applications were identified, different local and wide-spread disaster scenarios were considered.

Beyond technology, HDFC Bank had to look at critical buildings and processes. Plans were formulated for relocating affected departments in case of a disaster, covering the people aspect. On the process side, HDFC Bank put multi-site centralization in place, in which processes working out of different cities serve as hot standbys for each other during disasters.

A typical business impact analysis (BIA) report highlights the applications and processes which have requirements like near site and far site recovery, says Salvi. Based on the designated recovery time objective (RTO) and recovery point objective (RPO), the need for hot stand-by systems or high availability systems is determined, in addition to whether the DR requirement is local or far site.

In addition, HDFC Bank performed a business strategic risk assessment exercise via a workshop conducted by BSI auditors with key senior stakeholders. The final step documented all foreseeable scenarios before planning how to overcome them and put the BCP in place in the shortest timeframe. The final DR requirement was based on risk and criticality.

Implementing BS 25999

The usual practice is to hire a consultant and ensure compliance before going for certification. In HDFC Bank’s case, Salvi and his team took the in-house approach. The bank went for a pre-audit before the certification audit, both performed by BSI.

The pre-audit identified changes needed in the existing setup. According to Salvi, the audit process itself was very comprehensive, involving multiple auditors across different locations. This involved branch visits across India and HDFC Bank’s DR site. The same approach was adopted for the recent surveillance audit.

According to Salvi, employees and stakeholders had a fair level of awareness due to the earlier change management and awareness activities. During the audits, BSI auditors met with various department heads and stakeholders to determine how BS 25999 requirements were met.

With its BS 25999 certification, HDFC Bank claims to have achieved “zero RPO” on certain processes through online replication from the primary site to the DR site. Its RPOs range from 0-15 minutes on average, with a maximum of 30 minutes.

Though the RTO can stretch into days, it’s a function of how prioritization takes place, explains Salvi. Prioritization determines which systems are needed first in case of total disruption. Salvi reasons that during a disaster, resources are assumed to be limited, so it’s unreasonable to assume that all applications can be brought online at once. A priority (or triage) framework is a must for planning how to invoke recovery.
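The two ideas above, mapping each application's BIA figures (RTO, RPO, criticality) to a DR design and then triaging recovery when teams are scarce, can be shown in a small script. The following is an added example, not HDFC Bank's own tooling or figures: the tier thresholds, the sample applications, their RTO/RPO values and the "recovery team" model are all constructed assumptions for illustration.

```python
"""Added example: BIA-driven DR tiering and recovery triage.

All thresholds, sample applications and the recovery-team model below are
constructed assumptions for illustration, not HDFC Bank's actual values.
"""
from dataclasses import dataclass
import heapq
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Application:
    name: str
    rto_minutes: int       # recovery time objective from the BIA
    rpo_minutes: int       # recovery point objective from the BIA
    critical: bool         # flagged critical in the BIA
    recovery_minutes: int  # assumed hands-on time for one recovery team


def dr_requirement(app: Application) -> Dict[str, str]:
    """Map RTO/RPO/criticality to a DR design using assumed thresholds."""
    if app.rpo_minutes == 0:
        replication = "synchronous replication (zero RPO)"
    elif app.rpo_minutes <= 30:
        replication = "asynchronous replication"
    else:
        replication = "scheduled backup restore"
    if app.rto_minutes <= 60:
        standby = "hot standby / high availability"
    elif app.rto_minutes <= 24 * 60:
        standby = "warm standby"
    else:
        standby = "cold standby (rebuild)"
    # Assumption: critical systems must survive a wide-area disaster, so they
    # need a far-site DR; the rest can be covered from a near (local) site.
    site = "far site" if app.critical else "near site"
    return {"replication": replication, "standby": standby, "site": site}


def recovery_priority(apps: List[Application]) -> List[Application]:
    """Triage order: critical first, then tightest RTO, then tightest RPO."""
    return sorted(apps, key=lambda a: (not a.critical, a.rto_minutes, a.rpo_minutes))


def schedule_recovery(apps: List[Application], teams: int) -> List[Tuple[str, int, int, bool]]:
    """Greedy list scheduling with a limited number of recovery teams.

    Each application in triage order is handed to the earliest-free team.
    Returns (name, start, finish, rto_met) per application, in recovery order,
    so that applications which cannot meet their RTO with the available
    teams are visible up front rather than discovered during the disaster.
    """
    free_at = [0] * teams  # min-heap of the time at which each team is free
    heapq.heapify(free_at)
    plan = []
    for app in recovery_priority(apps):
        start = heapq.heappop(free_at)
        finish = start + app.recovery_minutes
        heapq.heappush(free_at, finish)
        plan.append((app.name, start, finish, finish <= app.rto_minutes))
    return plan


def apps_missing_rto(apps: List[Application], teams: int) -> List[str]:
    """Names of applications whose RTO is breached under the given team count."""
    return [name for name, _, _, ok in schedule_recovery(apps, teams) if not ok]


# Constructed sample inventory (not the bank's applications or figures).
SAMPLE_APPS = [
    Application("core-banking", rto_minutes=60, rpo_minutes=0, critical=True, recovery_minutes=45),
    Application("payments-gateway", rto_minutes=30, rpo_minutes=0, critical=True, recovery_minutes=30),
    Application("atm-switch", rto_minutes=60, rpo_minutes=15, critical=True, recovery_minutes=40),
    Application("hr-portal", rto_minutes=2880, rpo_minutes=1440, critical=False, recovery_minutes=120),
    Application("loan-origination", rto_minutes=480, rpo_minutes=30, critical=False, recovery_minutes=90),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app.name, dr_requirement(app))
    for teams in (2, 3):
        print(f"{teams} teams -> RTO breached for: {apps_missing_rto(SAMPLE_APPS, teams)}")
```

Running the sample with two recovery teams shows the ATM switch missing its 60-minute RTO because both teams are busy on higher-priority systems, while three teams clear every RTO; that is the kind of capacity check a triage framework lets a BCP team make before a disruption rather than during one.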

The road ahead

Salvi sees the certification as a validation of the bank’s efforts. According to Salvi, BSI has attested to the fact that HDFC Bank was the first Indian bank to comply with BS 25999 across all its functions, including processes, branches and datacenters. He believes that this milestone gives assurance and confidence about the bank’s robust business continuity measures to stakeholders.

Salvi’s team conducts training programs across HDFC Bank through media such as video to create awareness of DR planning, especially for the emergency response teams. The bank’s BCP includes tabletop exercises that simulate disaster scenarios using role play. By exposing people to these situations, Salvi identifies and eliminates inadequacies in the current plan. The bank now conducts unplanned drills in which designated applications are selected for invoking DR.

Plans are underway at HDFC Bank to conform to the new ISO 22301 business continuity standard (slated to replace BS 25999). Once this is official, the bank intends to undergo compliance validation. The bank has also implemented in-house monitoring tools which will be integrated into the IT GRC project in 2013.
