News & Press Releases

Nov 25, 2009—RTO & ROI - The Business Case for Disaster Recovery

Tom Hinkel, Director of Compliance

Your ability to recover from an unanticipated business interruption is a direct function of your specific recovery procedures, and according to the most recent FFIEC guidance, "...recovery time objectives (RTOs) are now much shorter than they were a few years ago, and for some institutions, RTOs are based on hours and even minutes." All Business Continuity Plans (BCPs) should begin with a comprehensive business impact analysis, which is designed to identify the most critical processes and functions and establish an RTO for each. Once the RTO is established, resources are allocated and specific procedures can be implemented to assure that the processes (and their interdependencies) are recovered within that RTO. Finally, testing will validate that the recovery procedures are effective.

Once the RTOs have been established by senior management, the BCP committee (or equivalent) will determine the best recovery method for each function. For example, in a traditional money center institution, cash handling functions typically have a lower (shorter) RTO than loan origination, meaning a quicker recovery time requirement. The teller functions rely on multiple interdependencies, such as core connectivity, WAN, LAN, Active Directory user authentication, and application software. All components must function properly in order for the teller functions to operate, and your specific recovery and testing procedures should include all interdependencies.

For example, let's say the business impact analysis has determined the following recovery time objectives for these critical functions:

Using the teller functions as a further example, a work flow analysis has identified the following interdependencies to the teller process:

Teller Function
	Software	Hardware	LAN	Core	Facility
	- OS	- PC	- Server	- WAN	- Security
	- TellerPlus	- Teller Printer	- DHCP
		- Scanner	- AD
		- Laser Printer	- SQL database

Since the RTO of the main Teller function is less than 1 day, software, hardware, LAN, core and facilities must all have an established RTO of less than 1 day. If testing does not validate recovery within the RTO, there are 3 options:

1. Increase the RTO to fit your current recovery capabilities. This could increase risk in other areas, such as regulatory, reputation, operational, or strategic.
2. Allocate additional resources to the recovery process. This could include staging spare equipment, hosting critical servers off-site, and utilizing online data vaulting.
3. Keep RTO's and recovery procedures as is, and hope you never have a disaster (not really an option, but more common than you would think).

Depending on the threat, disasters can affect any or all of the following: people, processes, technology, or facilities. A server hosting solution can potentially eliminate technology and facilities from consideration, thereby shortening the recovery process. Additionally, in the case of teller function, the institution would also require a physical facility for customer access, however, with a server hosting solution, they would not require a server and database rebuild, which is the single most time consuming part of the recovery process. Based on these requirements and FFIEC RTO guidelines, Safe Systems has developed a comprehensive solution to address both server hosting solutions (Continuum), and physical facility recovery through our strategic partnership with Recovery Solutions.

There is generally an inverse relationship between recovery time and cost, i.e. the shorter the RTO, the higher the financial investment. This is only logical, because the most critical functions are those that carry the most significant risk of financial loss to the institution. Considering options such as a Safe Systems' hosted server solution in your recovery planning will help you to assure that your RTOs are achievable. Equally important is that any such solution includes periodic tests in order to validate all recovery assumptions. To learn more about Hosted Services, Disaster Recovery, and our solutions, please contact your Account Manager.

For media inquiries, please contact:

Marketing Department
770.752.0550
info@safesystems.com

All News & Press Releases:

• Nov 26, 2009 – Safe Systems, leading provider of IT and compliance services for financial institutions is awarded two prestigious awards; MSP Overall Best in Class and Best Places to Work
• Nov 25, 2009 – Hosted Solutions
• Nov 25, 2009 – A Virtual Revolution for Aging Servers
• Nov 25, 2009 – Back to the Future
• Nov 25, 2009 – News from the Field
• Nov 25, 2009 – RTO & ROI - The Business Case for Disaster Recovery
• Nov 25, 2009 – NetComply Reporting
• Nov 25, 2009 – Company Announcements
• Aug 14, 2009 – Company Announcements
• Aug 14, 2009 – How Can I Optimize my NetComply Remote Control?
• Aug 14, 2009 – Vendor Management: Policy, Monitoring, and Training
• Aug 14, 2009 – Vendor Management - BITS & Pieces
• Aug 14, 2009 – Vendor Roles and Relationships
• Aug 13, 2009 – News from the Field
• Jul 7, 2009 – Safe Systems Acquiring Division of Total Data Services - Strategic Enhancement for Safe Systems to Further Strengthen Expertise and Service Delivery of IT Solutions to Financial Institutions
• Jul 6, 2009 – Safe Systems National NetComply Users Conference March 22-24, 2010
• Jun 11, 2009 – Strong Business Strategies for a Weak Economy
• Jun 11, 2009 – Jimmy Gets an Assistant
• Jun 11, 2009 – Using AVG
• Jun 11, 2009 – Account Management News
• Jun 11, 2009 – Policies, Procedures, and Practices...in a Perfect World
• Jun 11, 2009 – Educating Your Customers
• Jun 11, 2009 – Announcing Charleston, South Carolina Training Classes
• Jun 11, 2009 – Company Announcements
• Mar 6, 2009 – Safe Systems is pleased to welcome back Mark Clemens
• Feb 24, 2009 – Change Management for the Well Intended Admin
• Feb 24, 2009 – What is a SAN?
• Feb 24, 2009 – Account Management News
• Feb 24, 2009 – Documentation - The Missing Link
• Feb 24, 2009 – Information Security Policies: Keeping an Honest Employee Honest
• Feb 24, 2009 – Why Does My NetComply Patch Score Change So Frequently?
• Feb 24, 2009 – Upcoming Training Opportunities
• Feb 24, 2009 – Company Announcements
• Dec 5, 2008 – Safe Systems Set to Host First Users Group Meetings
• Aug 28, 2008 – Business Continuity Planning Seminar
• Aug 27, 2008 – Emerging Technology Series - Server Virtualization
• Aug 27, 2008 – Safe Systems Introduces Managed Backup/Vaulting
• Aug 27, 2008 – The ID Theft (Red Flag) Rules
• Aug 27, 2008 – Account Management: More than Just a Quarterly Review
• Aug 27, 2008 – Ask Jay
• Aug 27, 2008 – Social Engineering Calls: Paranoia or a Healthy Respect of the Dangers?
• Jun 25, 2008 – Business Continuity Planning Seminar
• May 6, 2008 – Emerging Technology Series - Data Vaulting/Online Backup
• May 6, 2008 – Downtime Tolerance
• May 6, 2008 – Vendor Management
• May 6, 2008 – FFIEC Business Continuity Planning and Examination Handbook, March 2008
• May 6, 2008 – In Case of Emergency:.Do Your Employees Know What to do?
• May 6, 2008 – Announcing Savannah, Georgia Training Classes
• May 6, 2008 – Company Announcements
• Feb 27, 2008 – Letter From the President
• Feb 27, 2008 – Windows Mobile vs. Blackberry: A Lesson in TCO
• Feb 27, 2008 – Symantec Endpoint Protection
• Feb 27, 2008 – Customer Data - The Newest Hot Commodity
• Feb 27, 2008 – Strengthen Your Core
• Feb 27, 2008 – A Few Simple Rules and Policies
• Feb 27, 2008 – Ask Jay
• Feb 27, 2008 – Company Announcements
• Nov 1, 2007 – Endpoints: They Are Out There and Unsecured
• Nov 1, 2007 – Emerging Technology Series - Windows Vista
• Nov 1, 2007 – A Christmas Story
• Nov 1, 2007 – Lower Cost Through Education
• Nov 1, 2007 – Education Services - Vista Training Side Note
• Nov 1, 2007 – Ask Jay
• Nov 1, 2007 – A Lighter Approach to Technology and You
• Nov 1, 2007 – Company Announcements
• Aug 6, 2007 – Budget Season - The Hunt Is On
• Aug 6, 2007 – Emerging Technology Series - Remote Access
• Aug 6, 2007 – What's In a Title?
• Aug 6, 2007 – Ask Jay
• Aug 6, 2007 – FFIEC Information Security Booklet*: Activity Security Monitoring versus Condition Security Monitoring - Which is More Important?
• Aug 6, 2007 – Education Services Announces New Exchange 2007 Class and Webinar
• Aug 6, 2007 – Company Announcements
• Jul 11, 2007 – Safe Systems, Inc. Announces New President
• May 25, 2007 – SAFE SYSTEMS' ADVISORY COUNCIL MEETING A HUGE SUCCESS
• May 11, 2007 – Emerging Technology Series - Citrix Server Information
• May 11, 2007 – Phishing and SPAM
• May 11, 2007 – Ask Jay
• May 11, 2007 – Email and Data Retention Policies - Time to Take a New Approach
• May 11, 2007 – Announcing Savannah, Georgia Training Classes
• May 11, 2007 – Company Announcements
• Feb 27, 2007 – Safe Systems Launches NetGUARD- Managed Service Offering
• Feb 20, 2007 – Safe Systems, Inc. Announces Strong 2006 Results
• Feb 5, 2007 – Emerging Technology Series - Voice Over IP Telephony
• Feb 5, 2007 – Exchange 2007: High Availability with Instant Real-Time Failover
• Feb 5, 2007 – Record Retention Policies - Time to Take a New Approach
• Feb 5, 2007 – Ask Jay
• Dec 1, 2006 – Homeland Security Warns of Cyber-Terrorism Threat
• Nov 30, 2006 – Image-Based Spam Alert
• Nov 6, 2006 – Windows 2007 - Microsoft Releases L.O.V.E.
• Nov 6, 2006 – Emerging Technology Series - Wireless Networking
• Nov 6, 2006 – What is a MSP, and Why Do I Need One?
• Nov 6, 2006 – Implementing WIFI - Is it Worth the Risks?
• Nov 6, 2006 – Ask Jay
• Nov 6, 2006 – Online Security Awareness Training
• Nov 6, 2006 – Education Services Announces North Carolina Classes
• Nov 6, 2006 – December Webinars: Systems Administrator Year in Review
• Nov 6, 2006 – IT Regulatory Compliance Webinar Rebroadcasts
• Nov 6, 2006 – Company Announcements
• Oct 5, 2006 – Jack Henry's National User Group Conference and Technology Showcase
• Aug 23, 2006 – FIL-77-2006: Authentication in an Internet Banking Environment
• Aug 7, 2006 – Company Announcements
• Aug 7, 2006 – Ask Jay
• Aug 7, 2006 – Disaster Recovery Planning: A Proactive Versus Reactive Approach
• Aug 7, 2006 – Introduction of the Emerging Technology Series
• Aug 7, 2006 – Smart Phones featuring Windows Mobile 5.0: Synchronized Outlook on Your Cell Phone
• May 4, 2006 – Internal Email and the Risks that Come with It
• May 4, 2006 – Education Services announces Savannah, Georgia Training Classes
• May 4, 2006 – Company Announcements
• May 4, 2006 – Is Your Institution Prepared to Respond to an Information Security Breach?
• May 4, 2006 – Giving Home Users VPN Access
• Mar 31, 2006 – Letter from the President
• Mar 31, 2006 – Employment Separation Process for IT
• Mar 31, 2006 – Security Breaches: Not Just a Technology Problem
• Jan 23, 2001 – Antivirus 2009 Spyware