Bank of India’s BS 25999 certification journey nears completion

This is the story of how Bank of India turned around its business continuity strategy from a state of chaos as it geared up for BS 25999 certification.

Sameer Ratolikar, the head of business continuity planning (BCP) and chief information security officer at Bank of India found himself in an unenviable spot during 2011. The leading public sector bank lacked formal documentation for permissible downtime, appropriate disaster recovery (DR) strategies, and an incident management plan. “An application server failure took hours or days to fix. There was no structured pattern for application management with respect to people, processes and technology,” says Ratolikar. As business continuity requirement deadlines established by The Reserve Bank of India (RBI) loomed ahead, Ratolikar and his team decided to take the mammoth effort heads on.

BS 25999 certification fundas

BS 25999 is a business continuity management standard formulated by the British Standards Institution (BSI). BS 25999 has two parts:

  • Part 1 lays down the Code of Practice. It provides BCM best practice recommendations and guidelines.
  • Part 2 constitutes specifications. It provides requirements for a business continuity management system (BCMS) based on BCM best practices. Part 2 helps you demonstrate compliance via an auditing and certification process.

With operations in over 3800 branches across India as well as more than 30 overseas branches and subsidiaries, Bank of India undertakes daily transactions to the tune of crores of Rupees through Internet banking, mobile banking and ATM channels. So it‘s imperative that the bank’s data center and treasury are available 24 X 7. This initiated Bank of India’s efforts to start development of a BS 25999 based business continuity management system (BCMS) in 2011. The banking major will probably be the first among its Indian peers to achieve BS 25999 certification.

The BCMS deployment began in May 2011, after RBI issued a mandate appealing all banks to establish BCMS by April 2012. Bank of India recently completed the internal audits of its data center and treasury located in Mumbai to ensure compliance. The disaster recovery site in Bangalore hasn’t been certified yet, although it has undergone requisite assessment.

Taking the first step

User apprehension was the first major challenge for Bank of India. A core team of five members was formed to raise awareness on this front.

To present a powerful business case to the business stakeholders, Ratolikar’s team organized a joint meeting for all the department heads. These stakeholders comprised the owners of more than 40 important application and business units which included:

  • Financial intrusion application - Priority center head
  • HRMS application - HR head
  • E-mail application - IT head
  • AML application - Anti Money Laundering department head
  • Central Depository Services India Limited (CDSL) application - Share trading department head
  • National Securities Depository Limited (NSDL) application - Share trading department head

The joint session leveraged graphic templates and a video presentation to demonstrate the impact of application unavailability on business. It helped these heads understand GAP and business impact analysis (BIA) exercises, risk assessment observations, and mitigation measures. Each asset or business owner was approached individually, and a business continuity coordinator appointed per department.

GAP analysis helped Bank of India understand the differences between the desired and actual state of its information systems. For example, the bank realized that its antivirus and patch management system weren’t functioning as desired. Bank of India’s backup infrastructure faced issues when it came to data restores. It also had to take steps to improve the DR site’s maintenance. Wipro Consulting Services helped the bank through this initial analysis.

Bank of India carried out infrastructural augmentation to mitigate gaps and meet the BS 25999 certification requirements. For instance, the bank replaced single network links in its data center and treasury with dual redundant links. If BIA permits a two hour down time for a specific application, the infrastructure should be able to achieve system availability within that timeframe.”For anti-money laundering, the documented business impact is two days. We accordingly ensure efficient backup and restore of data,” says Ratolikar.

Image goes hereWe calculated the business impact, listed out critical processes, acceptable downtime for each application, and assessed the risks. Accordingly, we drew up a mitigation strategy.

Sameer Ratolikar

CISO & Head - BCP
Bank Of India

Risk assessment

After a thorough GAP analysis and BIA, it was time to assess the potential risks. “We calculated the business impact, listed out critical processes, acceptable downtime for each application, and assessed the risks. Accordingly, we drew up a mitigation strategy,” says Ratolikar. Risk assessment helped Bank of India understand natural as well as man-made risks, which result in business loss.

For Bank of India, risks such as fire, flood and human errors could trigger application unavailability. After the analysis, a report was created (maintained by the business continuity team). The bank leverages the Information Risk Analysis Methodology (IRAM) tool from Information Security Forum (ISF) to conduct risk assessment every six months

BCP Strategy

Pose these analysis exercises, Ratolikar’s team prepared a BCP strategy which focused on three elements: people, processes and technology. The strategy maintains that there should be sufficient people available for the job in case the primary administrators aren’t available.

Today, Bank of India maintains various processes like the crisis management plan, media management plan, business continuity plan and the incident management plan. “The crisis management team that we have formed for each department maintains this plan,” says Ratolikar. The strategy also constitutes information on the technological requirements for backup, restore, patch management and antivirus.

RTO and RPO definition time

Each department had to formally document the permissible RTO and RPO for their respective assets. At Bank of India, the HRMS and email applications have a documented RTO of eight hours. The highly critical core banking system has an RTO objective of 15 minutes.

Since the application and business unit owners were bankers with a little knowledge of IT, it was important to have a coordinated effort between the asset owner and IT department. “We incorporated several training sessions, access to e-learning tools, tabletop testing, walkthrough testing and DR drills for the asset owners. We have also facilitated discussions with the vendors. One such case was when we consulted Thomson Reuters for our treasury,” says Ratolikar

Road ahead

Ratolikar expects external audits for BS 25999 certification to be complete in April 2012. Once Bank of India and Bank of India receives BS 25999 certification, a regular external audit will be conducted every six months by BSI authorized auditor TUV India.

In the near future, Bank of India plans to set up BCP for 3000 odd branches. “Since data is not locally stored at the branch level, we have to only factor in certain environmental risks. We are conducting BIA for branches, which will be followed by risk assessment. This will be drafted into an easy to implement business continuity plan,” says Ratolikar. Bank of India has 11 certified BS 25999 lead auditors who will incorporate BCMS based BCP at the branch level.

Read more on Disaster recovery