In a centralized online banking system, a bank runs a Data Center (DC) that stores and serves the information the bank needs to run its business. A data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems. It generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, fire suppression) and security devices.
Disaster recovery comprises the processes, policies and procedures for preparing for the recovery or continuation of the technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity: while business continuity involves planning to keep all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the Information Technology (IT) systems that support business functions.
In the event of a disaster, hardware and networks can be replaced, and facilities can be moved to a new location. In fact, with the exception of data, almost every company asset can be replaced. Top priority should therefore be given to protecting the asset that is most at risk and hardest to replace: data. Data loss can result from any number of factors, such as human error, operating system or application software bugs, hardware failure, fire, smoke or water damage, power outages, employee theft or fraud, man-made disasters such as vandalism, sabotage, hacking or viruses, and natural disasters such as earthquakes or hurricanes.
IT disaster recovery planning is not an easy task. The complexity of modern information systems and the rapid pace at which technology changes make it very difficult to ensure that the proper steps are being taken. A DC regularly processes thousands of transactions, and internal applications are always being developed, modified, integrated and retired, so developing IT disaster recovery plans and getting them right is an increasingly difficult task. A Disaster Recovery Site (DRS) is a location to which an organization can easily relocate following a disaster such as fire, flood, terrorist threat or other disruptive event. It is an integral part of the disaster recovery plan and of the wider business continuity planning of an organization.
Online banks also perform some form of data backup, but they do not always do an adequate job. Because some organizations have limited IT staff to handle backup, they perform bulk server backup sporadically, use traditional tape for backup and typically perform the task after business has closed for the day. That means that if any disaster results in the need to restore data, the most recent data the bank can expect to recover is from the previous night. If a bank loses its funds transfer function for even a few hours, the damage to the business can be severe. Banks tend to run many critical applications simultaneously, so recapturing data lost at the point of failure as quickly as possible is crucial. As a result, a standard DC and DRS are required for continuous backup of data, which captures data as it is changed, essentially in real time, so that whenever a file changes, the change is captured and protected immediately.
Risks to information technology cannot be ignored. IT is such an integral part of banking operations that disaster recovery planning has to be conducted on an ongoing basis. Though the purpose of disaster recovery planning is to ensure the recovery of IT services following a disaster, IT disaster recovery planning is not an easy task.
International Data Corporation (IDC) research determined that 98% of all companies are adversely affected by unscheduled downtime. In addition, Gartner Inc. research found that 93% of organizations that have experienced a significant data loss are out of business within five years. The World Trade Center bombing in 1993 forced two-thirds of the companies (147) located in the center out of business by the end of 1994.
It was also found that most of the 170 disaster recoveries that SunGard has supported since 1978 have taken place in the last 10 years. Of those recoveries, 45 were for banks. One of the banking industry recoveries took place in Grand Forks, N.D., when the Grand Forks Community National Bank found its data center under water as a result of the massive flooding that struck the region.
DC and DRS Establishment
In Bangladesh, at the end of 2016, 88% of banks were providing centralized database operations through a DC. Most of the DCs of commercial banks were developed in the last decade. The average ages of DCs and DRSs are 10.5 and 8.5 years, respectively. Implementing a DC and DRS successfully in the banking sector took a minimum of 1 to a maximum of 4 years.
Size of DC and DRS
The average area of a DC and a DRS is 2596 and 957 square feet, respectively, and 65% of CTOs are not satisfied with the size of their DC and DRS. Because of the congestion they face problems with setting up and moving equipment, with monitoring and even with cooling the systems properly.
Location of DCs and DRSs
Except for some foreign banks, most of the data centers are established in Bangladesh. About 66% of CTOs claimed that their DCs and DRSs are located in the right place without any risk, whereas 11% and 22% of banks are not satisfied with the location, rating its risk as moderate and low, respectively. Around 20% of data centers have been established at Gulshan, 52% at Motijheel, 8% at Uttara, 10% at Dhanmondi and 10% at Banani. Most of the foreign banks have a regional data center in Bangladesh. The risk of establishing a DC in a high-rise building has created alertness in the banking sector: about 58% of DCs and 18% of DRSs have been established in high-rise buildings. Though all banks stated that the buildings are earthquake protected, they failed to show any evidence or document on this issue, and around 77% of banks could not even state the magnitude of earthquake (on the Richter scale) that the building is designed to absorb. The same is found for DRSs. Banks should give more emphasis to this matter. According to our survey, 25% of banks have set up an additional data center (ADC), and 15% of the ADCs have been set up in high-rise buildings.
Banks having a data center also have a disaster recovery site. It is found that 23% of disaster recovery sites have been set up at Uttara, 17% at Savar, 14% at Dhanmondi, 14% at Mohakhali, 14% at Mirpur, 12% at Gazipur (Tongi) and 6% at Jessore. The lowest, highest and average distances between data center and disaster recovery site are 5 kilometers, 30 kilometers and 11.3 kilometers, respectively. Around 60% of DRSs are located within 5 to 9 kilometers of the DC. The distance from DC to DRS ranges from 10 to 14 kilometers for 20% of banks, 25 to 29 kilometers for 10% of banks and more than 100 kilometers for only 10% of banks. Among the CTOs of Bangladeshi banks, 38% believe that the distance is standard and 62% strongly agree that the distance is not enough to avoid a natural disaster like an earthquake; the DRS should be at least 100 kilometers from the DC, in a separate seismic zone. Moreover, 35% of banks are planning to shift their DRS far away from the data center, at least 100 kilometers away. Around 44% of banks are also planning to set up a second DRS at Gazipur, Comilla or Jessore to reduce risk.
Moreover, only 35% of banks have a Certified Data Centre Design Professional (CDCDP) for effective maintenance of the DC and DRS.
Regular and periodic testing of the DRS is a crucial issue for a centralized online bank. Such testing increases confidence and expertise in recovering data in case of any disaster. Only 66% of banks test it; among them only 45% test quarterly, 15% half-yearly and 20% yearly. They also failed to provide documents on this issue (scope, plan and test results). Moreover, 55% of all banks are afraid of testing the disaster recovery site by shutting down the data center at any time. This finding indicates the poor quality and readiness of the technology, including proper management of data center and disaster recovery site.
Classification of Data Center
The Uptime Institute has established four levels of fault tolerance for data centers. Tier-1 is the lowest level and Tier-4 the highest, with complete multiple-path electrical distribution, power generation and UPS systems. Tier-1 specifies an annual outage of up to 28.8 hours; Tier-2 specifies 22 hours; Tier-3 specifies 1.6 hours and Tier-4 specifies only 0.4 hours of annual outage, or 99.995 percent availability. The higher the tier level, the higher the investment in building construction and environmental equipment.
We found that 57% of DCs fall in Tier-1 and the remaining 43% belong to Tier-2. No bank has yet reached Tier-3 or Tier-4.
Database Administration in DC and DRS
A database directly gathers, updates and supplies data through the core banking system (CBS) of a bank and can be considered the heart of a banking information system. Managing the database is a very important and responsible job, as all information on banking operations is stored there. In case of any technical or security-related issue, if the database administrators fail to protect the bank's data or to reproduce it after a disaster, the bank may lose its business because information on banking transactions is unavailable.
In the study, it is found that 44% of the banks employ technical staff to manage the database who have no academic background in Computer Science/Engineering or related subjects, although they hold professional certificates such as OCP DBA or MCP DBA with an average experience of five years. 12% of database administrators have only short-course training and have been providing such services to the banks with little experience. The remaining 44% of banks have a proper database administration team with sound knowledge, professional certificates like OCP DBA/MCP DBA, a Computer Science background and adequate technology experience of 6 to 11 years. 76% of CTOs are satisfied with the performance of the team maintaining the database, but 24% did not reply on this issue.
A high availability cluster is a group of computers that supports applications that can reliably be utilized with minimum downtime. Clustering provides continued service when system components fail. Without clustering, if a server running a particular application crashes, the application will be unavailable until the crashed server is fixed. Clustering remedies this situation by detecting hardware/software faults and immediately restarting the application on another system without requiring administrative intervention, a process known as failover. For centralized online banking, a clustered server provides high availability of data and ensures smooth data services in case of any server failure in the data center.
Replication is the process of sharing information so as to ensure consistency between redundant resources, to improve reliability, fault tolerance or accessibility. In data replication the same data is stored on multiple storage devices in different places; for example, a data center may replicate its data to a disaster recovery site. At the end of 2016 it was found that only 38% of banks have real-time database replication technology, which means that the remaining 62% of banks may not be able to provide access to data in case of a technical fault in the production database server.
Log and archive log files are critically important to a database when it crashes. In such a critical situation the automatic recovery process of the database can ensure ‘0-bit’ loss if archive and log files are maintained properly. In a serious disaster or accident where the database crashes along with its backup files, the destroyed database can still be rebuilt if the log and archive log files are intact. Generally, log files are stored in several remote places, which is called ‘log multiplexing’, and ‘archiving’ is the process of storing all log files written since the start of the database (or since the time of the last complete backup), usually in a remote place. Around 46% of banks have a log multiplexing architecture and only 32% use a log archiving/shipping mechanism.
A database backup policy does not always ensure recovery of lost data. If the backed-up data is not properly encrypted, stored on the right device, maintained and tested, full recovery of the data is at risk; in the worst case no data can be recovered at all. About 44% of banks keep their backed-up data in a vault inside the DC. Another 22% send their backed-up data to the DRS and keep it in a cabinet there. The remaining 33% put their backed-up data in branch cabinets. Only 21% of banks have a fireproof vault in which to keep the backup storage media, and 15% of banks agreed that backed-up data is not securely protected in the remote places. Testing backed-up data is routine work for smooth recovery, but 44% of banks skip this process, and those who follow it have no proper documentation. Among them 60% of banks test monthly, 20% quarterly and the rest did not mention a schedule. Moreover, only 22% of banks encrypt their backed-up data.
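The two preceding paragraphs describe why a full backup alone is not enough and how multiplexed, archived log files close the gap. The following is an added illustration, not code from the report or from any bank's system: a toy key-value database with write-ahead logging, two log destinations, log archiving, a simulated crash that also destroys one log destination, and a recovery that restores the last full backup and rolls forward from the surviving destination. All names and values in it are constructed.

```python
"""Toy recovery from a full backup plus multiplexed, archived redo logs.

Added illustration, not code from the report or from any bank's system: a
key-value "database" writes every change to a redo log before touching its
data files, keeps two identical copies of that log (multiplexing), and moves
full log files to an archive. After a crash that wipes the data files and one
log destination, recovery restores the last full backup and replays every
archived record newer than the backup, so no committed change is lost.
"""
import copy
import hashlib
import json

LOG_CAPACITY = 3  # records per online log file before it is archived (constructed)


class ToyDatabase:
    def __init__(self, destinations=2):
        self.data = {}                                    # live data files
        self.scn = 0                                      # system change number
        self.full_backup = None                           # (scn, snapshot)
        self.online = [[] for _ in range(destinations)]   # multiplexed online log
        self.archive = [[] for _ in range(destinations)]  # archived log files per dest

    def full_backup_now(self):
        """Take a consistent full backup tagged with the current SCN."""
        self.full_backup = (self.scn, copy.deepcopy(self.data))

    def write(self, key, value):
        """Write-ahead: the record reaches every log destination before the data file."""
        self.scn += 1
        record = (self.scn, key, value)
        for dest in self.online:
            dest.append(record)
        self.data[key] = value
        if len(self.online[0]) >= LOG_CAPACITY:
            self._archive_online_log()

    def _archive_online_log(self):
        """Archive the full online log file at every destination and start a new one."""
        for i, dest in enumerate(self.online):
            self.archive[i].append(list(dest))
            self.online[i] = []

    def crash(self, lost_destination):
        """Simulate loss of the data files and of one log destination."""
        self.data = None
        self.online[lost_destination] = None
        self.archive[lost_destination] = None

    def recover(self):
        """Restore the full backup, then roll forward from a surviving log destination."""
        if self.full_backup is None:
            raise RuntimeError("no full backup: nothing to restore")
        backup_scn, snapshot = self.full_backup
        self.data = copy.deepcopy(snapshot)
        self.scn = backup_scn
        for online, archive in zip(self.online, self.archive):
            if online is not None and archive is not None:
                records = [r for logfile in archive for r in logfile] + online
                break
        else:
            raise RuntimeError("every log destination lost: changes since backup unrecoverable")
        applied = 0
        for scn, key, value in records:
            if scn > backup_scn:  # records up to backup_scn are already in the snapshot
                self.data[key] = value
                self.scn = scn
                applied += 1
        return applied


def fingerprint(data):
    """Digest used to verify that a restore reproduces the pre-crash state exactly."""
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()


def run_scenario():
    """Nightly backup, intraday changes, crash, then recovery; returns what was recovered."""
    db = ToyDatabase()
    db.write("acct:1001", 500)
    db.write("acct:1002", 250)
    db.full_backup_now()                 # backup at SCN 2
    db.write("acct:1001", 450)           # four intraday changes after the backup
    db.write("acct:1002", 300)
    db.write("acct:1003", 75)
    db.write("acct:1001", 425)
    expected = copy.deepcopy(db.data)
    backup_only = copy.deepcopy(db.full_backup[1])   # what a backup-only bank could restore
    db.crash(lost_destination=0)
    applied = db.recover()
    return {
        "applied": applied,
        "recovered": db.data,
        "intact": fingerprint(db.data) == fingerprint(expected),
        "lost_without_logs": sum(1 for k in expected if backup_only.get(k) != expected[k]),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The `lost_without_logs` figure shows the nightly-backup-only position described earlier: three of the three accounts touched after the backup would be wrong or missing, whereas replaying the surviving log destination reproduces the pre-crash state exactly.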
A database administrator is the key person who maintains the data of a bank. Any mistake or intentionally harmful activity by a DBA may cause serious loss to the bank, so monitoring the activities of DBAs is an important issue. Only 22% of banks reported that they monitor DBAs properly before any activity is performed in the database, but they failed to specify how they monitor them, indicating a big security hole.
Regular auditing of the database is an important part of securing it. Monitoring is a must in order to know what is happening inside a database and who the actor is. Scanning tools, log records, transaction analysis, traffic analysis, health checking, and alert and trace file checking are all important parts of a database audit. Professionals are required to check the above characteristics every day through software or reporting tools. Only 45% of banks do this regularly (daily or weekly) with their own database experts. 18% of banks have their database audited yearly by external and internal auditors, whereas 9% of banks do not conduct such audits and the remaining 28% did not respond. 54% of the banks that audit their database system reported that the auditors are qualified enough to audit the database; on the other hand, 46% mentioned that the auditors are not trained well enough to do the job properly. A poor auditing system may create another risk for database security, as auditors who are not trained enough will not find the security holes. However, 82% of banks regularly monitor anomalous database traffic.
Since 96% of banks purchased their banking software from vendors, they are highly dependent on those vendors for any change or modification of the database. In that case, banks generally hand the database administrative password to the vendor on trust. 18% of banks reported this fact honestly; they are taking a high risk of accidental data change/loss or unethical practices by the vendor, and they do not even monitor the vendor's work properly after it connects to the database. The other 82% of banks do not give vendors any direct access to the database; instead, they make the required changes themselves with the vendor's help.
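The three paragraphs above leave open how a bank would actually monitor DBA activity and vendor use of the administrative password. The following is an added example, not code from the report: a small set of detection rules run over constructed audit-trail lines in a simple key=value format (a real audit trail from Oracle, SQL Server or similar needs its own parser). The account names, host names, change window and ticket convention are all assumptions.

```python
"""Detection rules over database audit-trail lines.

Added example, not code from the report: the audit lines below are constructed
in a simple key=value format (a real audit trail, e.g. from Oracle or SQL
Server, would need its own parser). The rules flag the two gaps the survey
describes: privileged DBA actions that nobody can later justify, and vendors
working directly with a shared administrative account.
"""
import re
from datetime import datetime, time

# Statement types that change privileges, structure or ledger data (constructed policy)
PRIVILEGED = re.compile(
    r"^\s*(ALTER\s+(USER|SYSTEM)|GRANT|REVOKE|DROP|TRUNCATE|UPDATE\s+GL_\w+|DELETE\s+FROM\s+GL_\w+)\b",
    re.IGNORECASE,
)
DBA_ACCOUNTS = {"SYS", "SYSTEM", "DBA_OPS"}          # shared/administrative accounts (assumed)
VENDOR_HOSTS = {"vendor-vpn-01"}                     # hosts used by the software vendor (assumed)
WINDOW_START, WINDOW_END = time(22, 0), time(6, 0)   # approved change window, crosses midnight

# Constructed line format: <iso timestamp> user=<u> host=<h> [ticket=<t>] stmt="<sql>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+)'
    r'(?: ticket=(?P<ticket>\S+))? stmt="(?P<stmt>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def in_change_window(ts):
    """True if the timestamp falls inside the 22:00-06:00 window (wraps past midnight)."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def evaluate(line):
    """Return the list of findings for one audit line (an empty list means clean)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable audit line"]
    findings = []
    privileged = PRIVILEGED.match(rec["stmt"]) is not None
    if privileged and not rec["ticket"]:
        findings.append("privileged statement without change ticket")
    if privileged and not in_change_window(rec["ts"]):
        findings.append("privileged statement outside change window")
    if rec["user"].upper() in DBA_ACCOUNTS and rec["host"] in VENDOR_HOSTS:
        findings.append("shared DBA account used from vendor host")
    return findings


def audit(lines):
    """Evaluate every line; return {line_number: findings} for the lines that have any."""
    report = {}
    for n, line in enumerate(lines, start=1):
        found = evaluate(line)
        if found:
            report[n] = found
    return report


# Constructed sample audit trail: one approved change, then the situations the survey warns about.
SAMPLE_AUDIT = [
    '2016-11-02T23:10:05 user=DBA_OPS host=dba-ws01 ticket=CHG-4412 stmt="ALTER USER app_core IDENTIFIED BY ********"',
    '2016-11-03T11:42:19 user=DBA_OPS host=dba-ws01 stmt="GRANT DBA TO tmp_user"',
    '2016-11-03T14:05:44 user=SYSTEM host=vendor-vpn-01 stmt="SELECT COUNT(*) FROM gl_txn"',
    '2016-11-03T14:07:01 user=SYSTEM host=vendor-vpn-01 stmt="UPDATE GL_TXN SET status = \'POSTED\' WHERE txn_id = 88123"',
    '2016-11-03T09:00:12 user=APP_CORE host=app-srv-02 stmt="INSERT INTO gl_txn (txn_id, amount) VALUES (88124, 120.00)"',
    '### corrupted line ###',
]

if __name__ == "__main__":
    for n, found in audit(SAMPLE_AUDIT).items():
        print(f"line {n}: {'; '.join(found)}")
```

Line 1 passes because the privileged change carries a ticket and falls inside the window; lines 2 to 4 show untracked DBA activity and the vendor working under the shared administrative account, and the corrupted line 6 is reported rather than silently skipped.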
Physical and Environmental Security
Physical security involves providing environmental safeguards as well as controlling physical access to equipment and data. The appropriate safeguard methods are believed to be practical, reasonable and reflective of sound business practices.
Physical Access Control
To enter the DC and DRS, 11% of banks use swipe cards, 33% proximity cards and 22% biometric techniques. Around 22% of banks use both proximity cards and biometrics, and 11% use both swipe cards and biometrics. Around 22% of banks do not escort vendors, service providers, visitors and cleaning crews during their stay in the DC and DRS.
Reliable Power Supply
Around 22% of the buildings housing DCs have a single generator set up by the landlord, and the figure is 33% for DRSs. Banks have set up additional generators of their own; still, 11% of banks have no dual/redundant generator of their own at the DC and rely entirely on the generators arranged by the landlord of the building, and the figure is 44% for DRSs. About 11% of banks have a power supply setup that is not separated from the production servers of the DC; 33% of banks have the power supply inside the DC but separated by partitions that are not fireproof; around 44% have the power supply in an open place outside the DC on the same floor; and 11% have power supply units outside the DC in a separate fireproof room. It is also found that 11% of banks have no redundant UPS for DC and DRS.
Fire Protection and Control
According to the BB guideline, automatic fire spray in case of any fire in the DC/DRS is a vital security measure. All banks maintain an auto fire alarm system, smoke/heat-rise detectors and an auto fire protection system. It is found that 63% of banks maintain fire detectors below the raised floor and 36% conduct periodic testing of the auto fire alarm system and fire drills. Though the DC and DRS of all banks have a fire suppression system, only 11% of banks mentioned that they have tested it, and they failed to submit the scope, plan and test results.
It is also important to protect the door, walls and ceiling of the DC and DRS from fire. It is found that 77% of banks have fire-resistant walls, 55% have a fire-resistant ceiling and 77% have a fire-resistant door. Still, only 55% of banks have complete fire control measures for all components (door, wall and ceiling) of the DC (Figure-5). Although it is not permitted by BB, we found flammable accessories/products inside the DC and DRS of 22% of banks.
Other Important Issues
Approximately 63% of banks have a water detection system below the raised floor. Around 72% of banks maintain dual/redundant air conditioners; among them 12% have set up precision cooling systems and maintain a proper hot-aisle/cold-aisle configuration for the DC. Only 45% of banks have an appropriate emergency exit door for the prompt and safe removal of costly, sensitive equipment in a disaster. Moreover, around 33% of banks do not have any dedicated vehicle for DC and DRS operations, and 22% of DCs have no emergency lighting arrangements, whereas the figure is 33% for DRSs.
Business Continuity (BC) and Disaster Recovery Plan (DRP)
Recovery is the process of restoring operations, and specifically data, after an outage or disaster. It is an obvious point, but often overlooked: being able to recover data immediately is critical to ensuring business continuity. When most companies formulate business continuity plans, the first concern is typically how fast they can get their business running again. While this is a critical concern, it is only half of the recovery equation. The second part of a recovery plan needs to focus on the amount of data the organization can afford to lose.
In case of any disaster, the disaster recovery plan plays an important role. Only 64% of banks reported that they have a proper disaster recovery plan, and among them 66% of DRPs are approved by the highest authority. Of the 64% of banks that have a DRP, 77% have no separate DR team. The team size of the remaining 23% ranges from 8 to 13, and according to the CTOs the teams are not properly trained.
The majority of IT disaster recovery planning guidelines are either inconsistent or complicated. In either case the result is the same: the organization is not prepared to cope with IT-related disasters. For most of the banks, neither the IT budget nor the number of IT employees went together with an adequate IT disaster recovery plan. However, the well-prepared banks perform some variation of the following seven activities: conduct IT service analysis, provide employee training, select methods of IT disaster identification and notification, define backup procedures, determine offsite storage locations, determine recovery procedures, and perform ongoing maintenance. Around 55% of banks test their DRP regularly; among them 20% test it quarterly, 20% half-yearly and 60% yearly. But no document related to this testing was found.
Experiences of Disaster and Its Impact
Around 44% of banks reported that they have experienced small and mid-range disasters, 33% have no such experience and 23% did not respond. The disasters mentioned are fire (22% of banks), equipment failure (22%), power outage (55%), network failure (55%), software failure (22%), operational error by users (11%), extreme weather (11%), loss of professionals (11%), disk failure (55%) and virus attacks (11%).
On average, 2 to 72 hours were needed to resolve the problems, and business was seriously hampered. 55% of banks overcame the problems with the help of local/foreign vendors, 22% with the help of their own experts and 11% with both. Tk. 24 lac to Tk. 2 crore was needed to overcome the problem.
Banks that have experienced a disaster reported a serious impact on their banking business. Figure-7 shows the various impacts of disaster in the banking sector.
Data loss is a severe problem for online banks, and 33% of banks have experienced data loss. In our study, 64% of data loss cases were caused by technical staff, either through their mistakes or through lack of proper knowledge. Figure-8 shows the details.
To provide secure data services from the DC and DRS, CTOs were asked to rank the factors people, policies, practice, support system, network, hardware and facilities with respect to security risk, from lowest to highest. From their ranking we built the following security building block that can be followed to minimize the risk of DC and DRS operations of a bank (Figure-9). Here, the area of each block of the security pyramid denotes the risk associated with that factor (people, policies, …, facilities).
It is important to stay up to date when working in IT. To keep up with the competition in IT, training is vital to a bank's survival. The goal of IT training is to enable a bank to manage information storage, retrieval and flow effectively. Each year more advanced technology systems are developed, and computers, software and networks have to be updated regularly; the technology department must constantly be aware of these changes. Security may also be compromised by a lack of current technological knowledge. It is the duty of the bank to upgrade its employees regularly by providing training at home and abroad, but this is largely ignored by most of the banks. About 3% of the budget goes to training, and 66% of IT Heads are not satisfied in this regard. About 44% of CTOs said that, though highly needed, they were not able to provide enough training to the people operating the DC and DRS.
Role of BB
Regarding the overall role of Bangladesh Bank in minimizing the risks of data services through DC and DRS, 45% of banks rated it very good and 55% good, while demanding additional and higher-quality roles from Bangladesh Bank. Bangladesh Bank generally visits the DC and DRS of each commercial bank once a year. All CTOs feel that this is not enough; the frequency should be increased, with more technical experts in the team that monitors/audits the DC and DRS, for tighter and better monitoring to minimize data service risks.
Major Challenges of DC and DRS Management and Expectations
CTOs of the sampled banks gave their opinions on the challenges and on their expectations from top-level management, Bangladesh Bank and BIBM. The opinions are summarized by category as follows.
1. Proper budget allocation for infrastructure development of DC and DRS.
2. Proper training for professionals.
3. Implementation of business continuity plan.
4. Availability of qualified IT professionals and auditors.
5. Accomplishment of proper IT Security in DC and DRS.
6. Management of IT Risks.
7. Power management.
8. Network connectivity and security.
9. Weaknesses in quick policy and decision making.
10. Availability of system vulnerability assessment tools and operating guidelines.
11. Standardization of DC and DRS (as per guidelines of ISO, BS, etc.).
12. Real-time availability of DRS.
13. Risks of earthquake and fire.
14. Increasing ICT security awareness among employees.
Expectations from Bangladesh Bank (BB)
1. Central bank may update “Guideline on Information and Communication Technology for Scheduled Banks and Financial Institutions” regularly and release new version.
2. Under the supervision of BB, a common data center and disaster recovery site can be developed and shared by all banks.
3. Close monitoring of BB is required to be ensured.
4. Bangladesh Bank may arrange workshop regarding current/emerging topics on DC and DRS management.
5. Professional knowledge of IT auditors of BB is necessary to be improved.
6. A detailed guideline for risk-based IT audit is required to be made available.
7. Things are improving but not at the pace it should be. The central bank should find out ways to improve.
8. A specialized e-banking training institute like the “Institute for Development and Research in Banking Technology (IDRBT, www.idrbt.ac.in)”, which was set up by the Reserve Bank of India to conduct high-quality IT training and research in banking technology, can be set up for all of the commercial banks.
Expectations from Top-Level Management
1. The management of all banks may be very open and liberal in IT investments/expenses, mainly for upgrading the DC and DRS with the latest technology and equipment.
2. Management should ensure general leave facilities in holidays and vacations including recreation leave.
3. Quick decision making and policy formulation is required.
4. Banks should ensure sufficient manpower and provide required training.
5. Corrective measures should be taken as per recommendations of audit report.
6. Banks should invest a portion of profit for DC and DRS development.
7. Management may recognize the activities of IT department and give reward where necessary.
Expectations from BIBM
1. More research, training, workshop, seminar on DC and DRS management in banks can be conducted.
2. Policy inputs can be provided to the regulatory body regularly.
3. Awareness can be created among top management and board of directors to improve DC and DRS management in banks.
4. Specialized training and certification program for IT professionals of banks may be conducted by BIBM like M. Sc. in Electronic Banking or Certified Electronic Banker.
Observations and Recommendations
One, we found that the DCs of all banks are built in Dhaka. The average sizes of DCs and DRSs are found to be 2596 and 957 square feet, respectively, and 65% of CTOs are not satisfied with the size of their DC and DRS. About 58% of DCs and 18% of DRSs have been established in high-rise buildings, with the attendant risk of earthquakes and fire. The DRSs of most banks are also established in Dhaka, within an average air distance of 11.3 kilometers from the DC, which carries a very high risk from natural disasters like earthquakes. Among the CTOs of Bangladeshi banks 38% believe that the distance is scientifically standard and 62% strongly agree that the distance is not enough to avoid a natural disaster like an earthquake. Moreover, 35% of banks are planning to shift their DRS far away from the DC into a separate seismic zone, and around 44% are also planning to set up a second DRS to reduce risk.
A special decision can be taken by all banks, including Bangladesh Bank, in this regard.
Two, testing of the DRS is not satisfactory. Only 66% of banks test it periodically, and 55% of all banks are afraid of testing the disaster recovery site by shutting down the data center at any time. All the banks that test the DRS periodically failed to provide proper documents on this issue. This finding does not support high availability of data in case of a disaster.
Banks should ensure regular testing and increase its frequency. The central bank and the banks themselves can increase the frequency of audit and inspection in this regard.
Three, log multiplexing and archiving are critically important to a database when it crashes. In such a critical situation the automatic recovery process of the database can ensure ‘0-bit’ loss if archive and log files are maintained properly. Moreover, banks that have no database replication and clustering technology may not be able to recover their data in case of a disaster like fire or earthquake, which is a high risk for data recovery. It is found that only 46% of banks have log multiplexing technology and 32% have an archiving mechanism.
CTOs of centralized online banks should ensure log multiplexing and archiving technology to ensure ‘0-bit’ loss of data.
Four, regarding the overall role of Bangladesh Bank in minimizing the risks of data services through DC and DRS, 45% of banks rated it very good and 55% good, while demanding additional and higher-quality roles from Bangladesh Bank. Bangladesh Bank generally visits the DC and DRS of each commercial bank once a year. All CTOs feel that this is not enough and that the frequency should be increased.
Bangladesh Bank should improve its audit quality by including experts with up-to-date knowledge of new technology. The ICT guidelines of Bangladesh Bank should be updated regularly, with new versions released and their proper implementation ensured.
Five, the CTOs of all banks demanded that a cell/wing including a data bank be set up for all of the commercial banks. That would help to collect and share up-to-date information on the current status, growth and problems of the DCs and DRSs of the banking sector of Bangladesh. It is worth mentioning that the Reserve Bank of India has set up an institute named the “Institute for Development and Research in Banking Technology (IDRBT, www.idrbt.ac.in)” as an autonomous center for conducting high-quality IT training and research in banking technology.
Bangladesh can set up a task force to look into the relevant issues for establishing this type of institute. Bangladesh Bank and BIBM can take the initiative in this regard, and an electronic banking research cell can be set up at BIBM.
Six, training on IT is neglected by the banks, though it is a vital issue. About 3% of the IT budget goes to training, and 66% of IT Heads are not satisfied in this regard. About 44% of CTOs mentioned that they failed to provide enough training to the employees operating the DC and DRS despite huge demand.
Banks should provide the required budget for this purpose. Blended programs can be arranged jointly by vendors (IBM, Oracle, Microsoft, Cisco, etc.), expert IT professionals of different banks and academics from different institutes. Specialized training and certification programs for the IT professionals of banks, such as an M.Sc. in Electronic Banking or Certified Electronic Banker, may be conducted by BIBM.
Seven, the Uptime Institute categorizes DCs into four tiers. Tier-1 specifies an annual outage of up to 28.8 hours; Tier-2 specifies 22 hours; Tier-3 specifies 1.6 hours and Tier-4 specifies only 0.4 hours of annual outage, or 99.995 percent availability. We found that 57% of DCs fall in Tier-1 and the remaining 43% belong to Tier-2; no bank has yet reached Tier-3 or Tier-4.
Lack of long-term vision, planning and initiative; shortage of manpower; a poor IT budget; the power crisis; late response from vendors; delays in the procurement process; and lack of advanced training are the main problems for the banks. To overcome them, every bank should have an ICT budget set at a certain portion of its annual profit. This budget may be spent on DC infrastructure development and manpower training.
Eight, in case of any disaster the DRP plays an important role. Only 64% of banks reported that they have a proper disaster recovery plan. Among them, the DRPs of 66% of banks are approved by the highest authority and 33% of banks have a separate DR team. Though the team size ranges from 8 to 13, the team members are not properly trained, and CTOs are also not satisfied with the quality of the team. The majority of the DRPs are either inconsistent or complicated; most of them are nothing but a list of IT professionals with phone numbers, produced only to show that the bank has a DRP according to the guidelines of BB. Though 55% of banks reported that they test the DRP regularly (20% quarterly, 20% half-yearly and 60% yearly), no document or evidence related to this testing was found.
Banks should give more emphasis to this matter. Auditors of BB should not overlook the negligence of banks in this special case. Though many clauses are included in the BB guidelines, clearer and additional clauses can be included if needed.