Bank Data Center and Disaster Recovery Management Assessment
In a centralized online banking system, the bank has a data center (DC) that stores and provides the banking information needed to operate the
business. Data centers are facilities used to accommodate computer systems and related components such as telecommunications and storage systems. It usually includes redundant or backup power supplies, redundant data communication connections, environmental controls (such as air conditioning, fire extinguishing), and safety equipment.
Disaster recovery is a preparation process, strategy and procedure related to the recovery or continuation of the technical infrastructure that is
crucial to the organization after natural or man-made disasters. Disaster recovery is a subset of business continuity. Business continuity involves
plans to keep all aspects of the business functioning in an outage event, while disaster recovery focuses on information technology (IT) or technology
systems that support business functions.
In the event of a disaster, the hardware and network can be replaced and the facilities can be moved to a new location. In fact, almost all company
assets can be replaced except for data. Therefore, we should attach great importance to protecting assets with the greatest risks and the most difficult
to replace: data. Data loss can be caused by a variety of factors, such as: human error, operating system or application software error, hardware failure,
fire, smoke or flood, power outage, employee theft or fraud, human disasters such as vandalism, sabotage, hacking, viruses and natural disasters
such as earthquakes or hurricanes.
IT disaster recovery planning is not easy. The complexity of modern information systems and the rapid pace of technological changes make it difficult
to ensure appropriate measures are taken. DC processes thousands of transactions regularly. Internal applications are always being developed,
modified, integrated and eliminated. Developing an IT disaster recovery plan and making it correct is an increasingly difficult task. A Disaster Recovery
Site (DRS) is a location to which an organization can readily migrate after disasters such as fires, floods, terrorist threats, or other destructive events. It is an integral part of the disaster recovery program and the organization’s broader business continuity program.
Online banks also perform some form of data backup, but they do not always do it well. Because the IT staff of some organizations have limited ability to
handle backups, they back up large-capacity servers only occasionally, use traditional tapes, and usually run the job after the day's
shutdown. This means that if a disaster forces a restore, the most recent data a bank can expect to recover is from the previous night.
If a bank loses hours of fund transfer function, it can cause great damage to the business. Banks tend to run many critical applications simultaneously,
so it is crucial to recover data lost at the point of failure as soon as possible. As a result, standard DC and DRS are required to continuously back up
the data so that the changed data is captured essentially in real time, so that the file can be captured and protected immediately as soon as it changes.
The risks of information technology cannot be ignored. IT is an integral part of banking, so it is necessary to continue disaster recovery planning.
Although the purpose of a disaster recovery plan is to ensure the recovery of IT services after a disaster, IT disaster recovery planning is not an easy task.
Research by International Data Corporation (IDC) determines that 98% of all companies are adversely affected by unplanned downtime. Additionally,
Gartner Inc.'s research found that 93% of organizations suffering from major data loss went bankrupt within five years. The 1993 World Trade Center
bombing forced two-thirds of the companies (147) to close their businesses in 1994.
It was also found that most of the 170 disaster recoveries that SunGard has supported since 1978 occurred in the past decade. Of these recoveries,
45 are banks. A recovery in the banking industry occurred in Great Forks, North Carolina when the National Bank of Great Forks, North Carolina
discovered its data center due to a major flood.
Establishment of DC and DRS
In Bangladesh, as of the end of 2016, 88% of banks provided centralized database operations through DC. Most DCs in commercial banks have been
developed over the past decade. The average age of DC and DRS was 10.5 and 8.5 years, respectively. It will take at least 1 to 4 years to successfully
implement DC and DRS in the banking sector.
DC and DRS size
It can be seen that the average area of DC and DRS is 2596 and 957 square feet, respectively. 65% of CTOs are not satisfied with the size of DC and
DRS. They have been facing problems with installing and moving equipment, monitoring, and even proper cooling because of congestion.
Locations of DC and DRS
Except for some foreign banks, most data centers are established in Bangladesh. About 66% of CTOs claim that DC and DRS are in the correct position
without any risk. By comparison, 11% and 22% of banks were dissatisfied with the moderate and low risk of the location, respectively. About 20% of
the data center was established in Gulshan, 52% was established in Motijheel, 8% was established in Uttara, 10% was established in Dhanmondi, and
10% was established in Banani. Most foreign banks have regional data centers in Bangladesh. It has been found that the risk of establishing DCs in
high-rise buildings has attracted the alertness of the banking sector. About 58% DC and 18% DRS have been established in high-rise buildings.
Although all banks stated that their buildings were seismically protected, none of them provided any evidence or documentation on the issue. About
77% of banks did not even mention the earthquake magnitude (on the Richter scale) that the building is built to absorb. The same situation was
found for DRS. Banks should pay more attention to this. According to our survey, 25% of banks have established additional data centers (ADCs),
while 15% of ADCs have been established in high-rise buildings.
Banks with data centers also have disaster recovery sites. It was found that 23% of disaster recovery sites were set up in Uttara, 23% in Savar, 14% in
Dhanmondi, 14% in Mohakhali, 14% in Mirpur, 12% in Gazipur (Tongi) and 6% in Jessore. The lowest, highest and average distances between data centers
and disaster recovery sites are 5 km, 30 km and 11.3 km, respectively. About 60% of DRS is within a range of 5 to 9 kilometers from DC. For 20% of
banks, the distance from DC to DRS is between 10 and 14 kilometers; for 10% of banks, the distance is between 25 and 29 kilometers; for only 10%
of banks, the distance is more than 100 kilometers. Among the CTOs of banks in Bangladesh, 38% believed that the distance was standard, while 62%
firmly believed that the distance was not enough to avoid natural disasters such as earthquakes. The DRS should be in a separate seismic zone, at least 100
kilometers away from the DC. Additionally, 35% of banks plan to move their DRS farther from their data centers, to at least 100 kilometers away.
About 44% of banks also plan to set up a second DRS in Gazipur, Comilla or Jessore to reduce risk.
In addition, it can be seen that only 35% of banks have certified data center design experts (CDCDPs) that effectively maintain DC and DRS.
DRS testing
For centralized online banking, regular testing of the DRS is an important and critical issue. Such testing enhances confidence and expertise
in recovering data in the event of a disaster. Only 66% of banks tested this. Of these, only 45% of banks test quarterly, 15% test half-yearly, and 20%
test every year. They have not provided documentation (scope, plan and test results) on this issue. Moreover, 55% of the total banks are afraid to test
disaster recovery sites by shutting down data centers at any time. This finding suggests poor quality and readiness of the technology, including proper
management of data centers and disaster recovery sites.
Data Center Classification
Uptime Institute has established four levels of fault tolerance for data centers, with Level 1 being the lowest level and Level 4 being the highest level,
with complete multipath distribution, power generation and UPS systems. The maximum annual interruption time specified for Level 1 is 28.8
hours; Level 2 specifies 22 hours; Level 3 specifies 1.6 hours, and Level 4 specifies an annual interruption of only 0.4 hours, i.e.
99.995% availability. The higher the level, the higher the investment in construction and environmental equipment.
We found that 57% of DCs belong to Level 1 and the remaining 43% belong to Level 2. However, no bank has reached the third or fourth level
category.
Database management in DC and DRS
Databases are collected, updated and provided directly through the bank's CBS. It can be regarded as the core of the banking information system.
Database management is a very important and responsible task because all types of information about banking are stored in the bank's database.
If any technical or security-related issues occur, if the database administrator fails to protect the bank’s data or fails to reproduce the data after the
disaster, the bank may lose business due to lack of access to information about the bank’s transactions.
The study found that 44% of banks hire technicians/professionals to manage databases who have no academic background in computer
science/engineering or related disciplines. But they have professional certificates such as OCP DBA, MCP DBA, etc., with an average experience of 5
years. 12% of database administrators have received only short-term course training, and they have been providing such services with little experience.
We also found that the remaining 44% of banks have proper database management teams that have extensive knowledge and professional certificates
such as OCP DBA/MCP DBA and computer science background, and have at least 6 to 11 years of experience. 76% of CTOs were satisfied with the
performance of the team that maintained the database, but 24% did not respond to this question.
A high availability cluster is a group of computers that support applications that can be reliably utilized with minimal downtime. The cluster can
provide continuous service when system components fail. If there is no cluster, if the server running a particular application crashes, the application
will not be available until the crashed server is fixed. The cluster corrects this by detecting hardware/software failures and immediately restarting the
application on another system without administrative intervention (this process is called failover). For centralized online banking, clustered servers
provide high data availability and ensure smooth data service in the event of any server failure in the data center.
Replication is the process of sharing information to ensure consistency between redundant resources, thereby improving reliability, fault tolerance,
or accessibility. If data copying is performed, the same data will be stored on multiple storage devices in different locations. For example, a data center
can copy its data to a disaster recovery site. By the end of 2016, it was found that only 38% of users had real-time database replication technology.
However, the research results show that if a production database server experiences a technical failure, 62% of banks may still be unable to provide
data accessibility.
Log and archive log files are very important to the database when it crashes. In such an emergency, if archive and log files are maintained correctly,
the automatic recovery process of the database may ensure that "0 bits" are lost. In a major disaster or accident, if the database crashes together with
the backup file, the corrupted database can be rebuilt as long as the log and archive log files are preserved. Usually, log files are stored in different
remote locations, which is called "log multiplexing", and "archiving" is the process of storing all log files from the database (or since the last full backup),
usually in a remote location. About 46% of banks have a log multiplexing architecture, and only 32% use a log archive/send mechanism.
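The difference between a nightly backup and off-site log archiving, described above and in the earlier passage on tape backups, can be worked through as a recovery-point calculation. The following is an added example, not part of the original report: the class and function names, the log sequence numbers and the timeline are all constructed for illustration.

```python
# Added example (constructed data): how much data is lost when the DC is destroyed,
# depending on where the full backup and the archived logs are kept.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FullBackup:
    taken_at: datetime
    next_log_seq: int   # first archived log needed to roll forward from here
    offsite: bool       # True if a copy is held outside the DC (e.g. at the DRS)


@dataclass(frozen=True)
class ArchivedLog:
    seq: int
    covers_until: datetime  # time of the last change recorded in this log
    offsite: bool


def recovery_point(backups, logs, dc_destroyed=True):
    """Return (latest restorable time or None, reason).

    When the DC is destroyed only off-site copies survive. Roll-forward
    applies logs in sequence and stops at the first one that is missing.
    """
    usable = [b for b in backups if b.offsite or not dc_destroyed]
    if not usable:
        return None, "no surviving full backup"
    base = max(usable, key=lambda b: b.taken_at)
    surviving = {lg.seq: lg for lg in logs if lg.offsite or not dc_destroyed}
    needed = [lg.seq for lg in logs if lg.seq >= base.next_log_seq]
    point, seq = base.taken_at, base.next_log_seq
    while seq in surviving:
        point = surviving[seq].covers_until
        seq += 1
    if not needed:
        return point, "backup only, no logs to apply"
    if seq > max(needed):
        return point, "log chain complete"
    return point, f"chain stops: log {seq} not available"


def data_loss_window(backups, logs, failure_at, dc_destroyed=True):
    """Return (timedelta of lost changes or None, reason)."""
    point, reason = recovery_point(backups, logs, dc_destroyed)
    return (None if point is None else failure_at - point), reason


def hourly_logs(first_seq, start, count, offsite, not_shipped=()):
    """Constructed sample: one archived log per hour starting at `start`."""
    return [ArchivedLog(first_seq + i, start + timedelta(hours=i),
                        offsite and (first_seq + i) not in not_shipped)
            for i in range(count)]


# Constructed timeline: nightly backup at 23:00, DC lost at 14:30 the next day.
BACKUP_AT = datetime(2016, 12, 14, 23, 0)
MIDNIGHT = datetime(2016, 12, 15, 0, 0)
FAILURE_AT = datetime(2016, 12, 15, 14, 30)


def scenarios():
    """Data-loss window for four backup/log arrangements."""
    at_drs = [FullBackup(BACKUP_AT, 101, offsite=True)]
    in_dc = [FullBackup(BACKUP_AT, 101, offsite=False)]
    return {
        "nightly backup at DRS, logs only in DC":
            data_loss_window(at_drs, hourly_logs(101, MIDNIGHT, 15, False), FAILURE_AT),
        "nightly backup at DRS, logs archived off-site":
            data_loss_window(at_drs, hourly_logs(101, MIDNIGHT, 15, True), FAILURE_AT),
        "log 103 never shipped":
            data_loss_window(at_drs, hourly_logs(101, MIDNIGHT, 15, True, {103}), FAILURE_AT),
        "backup kept only in DC vault":
            data_loss_window(in_dc, hourly_logs(101, MIDNIGHT, 15, True), FAILURE_AT),
    }


if __name__ == "__main__":
    for name, (lost, reason) in scenarios().items():
        print(f"{name}: lost={lost} ({reason})")
```

A single unshipped log in the middle of the sequence costs almost as much as having no off-site logs at all, which is why the archive chain needs the same regular testing as the backups themselves.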
Database backup policies sometimes ensure that lost data is restored. If the backup data is not properly encrypted, stored on the correct device,
maintained and tested, full recovery of the data may be at risk. In the worst case, the data cannot be recovered at all. About 44% of banks keep
their backup data in a vault inside the DC. Another 22% of banks send their backup data to the DRS and keep it in a cabinet. The remaining 33% of banks
keep their backup data in branches. Among banks, only 21% have fireproof vaults for backup storage media. However, 15% of banks agree that
backup data in remote locations is not protected by security. Testing backup data is a routine task that ensures data can be restored smoothly, but 44% of banks
avoid this process, and those that follow it do not have proper documentation. Of these, 60% of banks test monthly, 20% test quarterly,
and the rest did not mention a timeline. However, only 22% of the backup data is encrypted.
Database administrators are key people in maintaining bank data. Any mistaken or intentionally harmful activity carried out by a DBA can cause
serious losses to the bank. Monitoring the DBA's activities is therefore an important issue. Only 22% of banks report that they
properly monitor the DBA before any activity is carried out in the database. But they cannot specify how they monitor the DBA, which indicates a large
security vulnerability.
Regular audit of databases is an important issue in providing database security. Monitoring must be done to know what is happening inside the
database and who the participants are. Scanning tools, logging, transaction analysis, traffic analysis, health checking, alerting and tracking file
checking, etc. are important components of database audits. Professionals are required to check the above characteristics through software or
reporting tools every day. Only 45% of banks do this regularly (daily or weekly) by their own database experts. 18% of banks audit the database
annually by external and internal auditors, 9% do not perform such audits on their databases, and the remaining 28% did not respond. 54% of
banks that audit database systems report that their auditors are qualified to audit databases. On the other hand, 46% of banks mentioned that auditor
training is not enough to do the job correctly. Where auditor training is not enough to detect security vulnerabilities, the poor audit system
of these banks may pose another risk to database security. However, 82% of banks regularly monitor abnormal database traffic.
Since 96% of banks purchase banking software from different vendors, any changes or modifications to the database depend heavily on them. In
this case, the bank will usually give the vendor a database management password on trust. 18% of banks report this fact honestly,
and they take on a high risk of unexpected data changes/losses or unethical conduct by the vendor. Once the vendor is connected to the database, they cannot even
monitor the vendor's work. But 82% of banks do not provide vendors with any direct access to the database. Instead, they make
any changes themselves when needed, with the vendor's help.
Physical and environmental security
Physical security involves providing environmental protection measures and controlling physical access to devices and data. Appropriate safeguards
are considered practical, reasonable and reflect good business practices.
Physical access control
To access DC and DRS, 11% of banks require swipe cards, 33% induction cards and 22% biometrics. About 22% of banks use both proximity
cards and biometrics. In addition, 11% use swipe cards and biometrics together. About 22% of banks do not escort
suppliers, service providers, visitors and cleaning staff during their time in the DC and DRS.
Reliable power supply
About 22% of DC buildings have a single generator (set up by the landlord), while for DRS the figure is 33%. The banks have set up other generators for themselves.
Furthermore, 11% of banks do not have their own dual/redundant generators in DC. They rely entirely on generators arranged by the building
landlord. For DRS the figure is 44%. About 11% of banks have a power setup that is not separated from the DC's production servers. 33% of banks have the power
setup inside the DC, separated only by non-fireproof partitions. About 44% of banks have the power supply set up in a vacant area outside the DC
but on the same floor, while 11% have power supply units outside the DC in separate fire-protected rooms. It was also found that 11% of banks
do not have redundant UPS for DC and DRS.
Fire fighting and control
According to BB's guidelines, automatic fire suppression in the event of any fire in DC/DRS is a crucial safety measure. All banks maintain an automatic fire
alarm system, a smoke/heat rise detector and an automatic fire protection system. 63% of banks were found to keep fire detectors below raised floors,
while 36% of banks regularly test the automatic fire alarm system and conduct drills. Although all banks have fire extinguishing systems for DCs and DRSs, only
11% of banks mentioned that they have tested them. But they did not submit the scope, plan and test results.
It is also important to protect the doors, walls and ceilings of DC and DRS from fire. It was found that 77% of banks had fire-resistant walls, 55% had
fire-resistant ceilings, and 77% had fire-resistant doors. However, only 55% of banks have complete fire protection for all DC
components (doors, walls and ceilings) (Figure 5). Although BB does not allow it, we found flammable accessories/products inside the DC
and DRS of 22% of banks.
Other important issues
About 63% of banks have water detection systems under the raised floor. About 72% of banks maintain dual/redundant air conditioning. 12% of
these have established precision cooling systems and maintained the correct hot/cold aisle configuration for DCs. Only 45% of banks have
appropriate emergency exit doors to quickly and safely remove high-cost sensitive equipment in the event of any disaster. In addition, about 33% of
banks do not have dedicated vehicles for DC and DRS operations, while 22% of DCs do not have emergency lighting, compared to 33% for DRS.
Business Continuity (BC) and Disaster Recovery Planning (DRP)
Recovery is the process of restoring operations (especially data) after a failure or disaster. This is an obvious point, but often overlooked: being
able to recover data immediately is essential to ensure business continuity. When most companies develop business continuity plans, the first
thing they consider is how quickly they can get the business running again. Although this is a crucial question, it is only half of the recovery
equation. The second part of the recovery plan requires attention to the amount of data loss the organization can afford.
In the event of any disaster, disaster recovery plans will play an important role. Only 64% of banks report that they have appropriate disaster
recovery plans. Of these, 66% of DRPs were approved by the highest institutions. Although 64% of banks have DRP, 77% of them do not have
independent disaster recovery teams. According to the CTO, the remaining 23% of banks have team sizes of 8 to 13 and have not received proper
training.
Most IT disaster recovery planning guidelines are either inconsistent or complex. In both cases, the results are the same: the organization is
not ready to deal with IT-related disasters. For most banks, the IT budget and IT staff are not sufficient to address IT disaster recovery planning.
However, well-prepared banks conduct some variation of the following seven activities: perform IT service analysis, provide employee training,
select methods for IT disaster identification and notification, define backup procedures, determine off-site storage locations, determine recovery
procedures, and perform ongoing maintenance. About 55% of banks test their DRP regularly. Of these, 20% of banks conduct tests once
a quarter, 20% every half year, and 60% every year. However, no documentation of this testing was found.
The experience of disaster and its impact
About 44% of banks reported that they had experienced small and medium-sized disasters. On the other hand, 33% have had no such
experience, while 23% of banks did not respond. The disasters mentioned are fires (22% of banks), equipment failure (22%), power outages (55%), network
failures (55%), software failures (22%), user operation errors (11%), extreme weather (11%), professional loss (11%),
disk failure (55%) and virus attacks (11%).
It takes an average of 2 to 72 hours to solve the problem. Of course, business is seriously hindered. 55% of banks overcame these problems
with the help of local/foreign suppliers, 22% with the help of their own experts, and 11% with the help
of both. k 24 lac is Tk. It takes 20 million carats to solve this problem.
Disasters have had a serious impact on the banking business of the banks that experienced them. Figure 7 shows the various impacts of disasters on the
banking industry.
Security pyramid
To provide secure data services from DC and DRS, CTOs were asked to rank the following factors from lowest to highest: people, policies, practices,
support systems, networks, hardware and facilities. Based on their rankings, we built the following security building blocks, which can be followed
to minimize the risk of DC and DRS operation of the bank (Figure 9). Here, the area of each block of the security pyramid represents the risks
associated with each factor (people, policies, …, facilities).
Training
It is important to stay up to date while working in the IT department. To keep up with competition in IT, training is crucial to the survival of
banks. The goal of IT training is to enable banks to effectively manage information storage, retrieval and processing. Every year, more advanced
technology systems are developed. Computers, software and networks must be updated regularly. The technology department must be constantly aware
of these changes. Additionally, security may be hampered by a lack of up-to-date technical knowledge. Banks have the responsibility to regularly
upgrade their employees' skills by providing domestic and international training. But most banks ignore this. About 3% of the budget is used for training
purposes, while 66% of IT supervisors are not satisfied with the issue. About 44% of CTOs said they were unable to provide adequate training
for those operating DC and DRS, despite the great need.
The role of BB
On the overall role of Bangladesh Bank in reducing the risk of data services through DC and DRS, 45% rated it very good and 55% rated it
“good”, which calls for Bangladesh Bank to play a greater and higher-quality role. Bangladesh Bank usually visits the DCs and DRSs of different commercial
banks once a year. All CTOs believe this is not enough; the frequency should be increased, and more technical experts included in the team, for more rigorous
and better monitoring that minimizes data service risks.
Key challenges and expectations of DC and DRS management
The CTOs of the sample banks commented on the challenges and on their expectations of senior management, Bangladesh Bank and BIBM. The opinions are
summarized as follows.
General Challenges
1. Allocate appropriate budgets for infrastructure development of DC and DRS.
2. Provide appropriate training for professionals.
3. Implement business continuity plan.
4. Availability of qualified IT professionals and auditors.
5. Implement appropriate IT security in DC and DRS.
6. IT risk management.
7. Power management.
8. Network connectivity and security.
9. Lack of rapid policy and decision-making capabilities.
10. Availability of system vulnerability access tools and operating guides.
11. Standardization of DC and DRS (according to the guidelines of ISO, BS, etc.).
12. Real-time availability of DRS.
13. Earthquake and fire risks.
14. Improve employees’ ICT safety awareness.
Bangladesh Bank (BB) expectations
1. The central bank can regularly update the "Regular Information and Communication Technology Guidelines for Banks and Financial Institutions"
and release new versions.
2. Under the supervision of BB, a common data center and disaster recovery site can be developed and shared by all banks.
3. It is necessary to ensure that the BB is closely monitored.
4. Bangladesh Bank can arrange workshops on current/emerging topics for DC and DRS management.
5. It is necessary to improve the professional knowledge of BB's IT auditors.
6. Detailed guidance on risk-based IT audits is required.
7. The situation is improving, but not at the speed it should be. The central bank should find ways to improve.
8. Specialized e-banking training institutions like the one developed by the Reserve Bank of India, the "Institute of Banking Technology Development
and Research (IDRBT, www.idrbt.ac.in)", for high-quality banking technology IT training and research, can be established for all commercial banks.
The expectations of senior management
1. All banks’ management may be very open and free in terms of IT investments/fees, mainly to upgrade DC and DRS using the latest technologies
and equipment.
2. Management should ensure general vacation facilities for holidays and vacations (including leisure vacations).
3. Quick decision-making and policy development are needed.
4. Banks should ensure sufficient manpower and provide necessary training.
5. Corrective measures should be taken based on the recommendations of the audit report.
6. Banks should invest part of their profits in the development of DC and DRS.
7. Management can recognize the activities of the IT department and give rewards if necessary.
BIBM's expectations
1. More research, training, workshops, and seminars on bank DC and DRS management can be carried out.
2. Policy opinions can be provided to regulatory agencies regularly.
3. Awareness can be established between senior management and the board of directors to improve the bank's DC and DRS management.
4. BIBM may also provide specialized training and certification programs for bank IT professionals, such as an M.Sc. in Electronic Banking or Registered
Electronic Banker.
Comments and suggestions
First, we found that all banks' DCs are built in Dhaka. The average sizes of DC and DRS are 2596 and 957 square feet, respectively. 65% of CTOs
are not satisfied with the size of DC and DRS. About 58% of DCs and 18% of DRSs have been established in high-rise buildings with earthquake and fire
hazards. On the other hand, most DRSs were also established in Dhaka, at an average aerial distance of 11.3 kilometers
from the DC, indicating a high risk from natural disasters such as earthquakes. Among the CTOs of banks in Bangladesh, 38% believe that the
distance is scientifically standard, while 62% firmly believe that the distance is not enough to avoid natural disasters (such as earthquakes).
Additionally, 35% of banks plan to move their DRS away from the DC into separate seismic zones. About 44% of banks also plan to set up a second DRS
to reduce risk.
In this regard, all banks, including Bangladesh Bank, can make special decisions.
Second, it can be seen that DRS testing is not satisfactory. Only 66% of banks test it regularly, while 55% of the total banks are afraid to test disaster
recovery sites by shutting down data centers at any time. None of the banks that test their DRS regularly has been able to provide appropriate documentation
on this issue. This finding does not support high availability of data if a disaster occurs.
By increasing the frequency of testing, banks should ensure that tests are conducted regularly. Central banks and banks themselves can increase the
frequency of audits and inspections in this regard.
Third, log multiplexing and archiving are very important to the database during crashes. In such an emergency, if archive and log files are maintained correctly, the automatic recovery process of the database may ensure that "0 bits" are lost. In addition, those without database replication and clustering technology may not be able to recover their data in the event of a disaster such as a fire or earthquake, which indicates a high data recovery risk. It was found that only 46% of banks had log multiplexing in place, while 32% had archive mechanisms.
CTOs of centralized online banking should ensure log multiplexing and archiving techniques are adopted so that "zero" data is lost.
Fourth, on the overall role of Bangladesh Bank in reducing the risk of data services through DC and DRS, 45% of banks said it was very
good and 55% rated it good, which calls for Bangladesh Bank to play a greater and higher-quality role. Bangladesh Bank usually visits the DCs and DRSs
of different commercial banks once a year. All CTOs think this is not enough; the frequency should increase.
Bangladesh Bank should hire experts with new technical knowledge to update its audit quality. Bangladesh Bank’s ICT guidelines should be updated
regularly with new versions released to ensure proper implementation.
Fifth, the CTOs of all banks call for the establishment of a department for all commercial banks, including a database. This will help collect
and share the latest information on the status quo, growth, and DC and DRS issues in Bangladesh’s banking industry. It is worth mentioning that the
Reserve Bank of India has established a research institute called "Banking Technology Development and Research Institution (IDRBT, www.idrbt.ac.in)"
as an autonomous center for high-quality IT training and research in the banking industry.
Bangladesh can set up a task force to study the issues related to the establishment of such institutes. Bangladesh Bank and BIBM can take the initiative
in this regard. An electronic banking research team can be set up at BIBM.
Sixth, it was found that the banking industry ignored IT training, although it was a crucial issue. About 3% of IT budgets are used for training
purposes, while 66% of IT supervisors are not satisfied with the issue. About 44% of CTOs mentioned that they failed to provide adequate training
for employees operating DC and DRS despite the huge demand.
Banks should provide the required budget for this. Joint programs can be arranged by suppliers (IBM, Oracle, Microsoft, Cisco, etc.),
IT professionals from different banks, and academicians from different institutions. Specialized training and certification programs
for IT professionals in banks, such as an M.Sc. in Electronic Banking or Registered Electronic Banker, may be conducted by BIBM.
Seventh, Uptime Institute divides DC into four categories. The annual interruption time specified for Level 1 is up to 28.8 hours; Level 2
specifies 22 hours; Level 3 specifies 1.6 hours, and Level 4 specifies an annual interruption of only 0.4 hours, i.e. 99.995%
availability. We found that 57% of DCs belong to 1










