BME CLEARING s Business Continuity Policy

Transcription

1 BME CLEARING s Business Continuity Policy

2 Contents 1. Introduction 1 2. General goals of the Continuity Policy 1 3. Scope of BME CLEARING s Business Continuity Policy 1 4. Recovery strategies 2 5. Distribution of backup capacities 2 6. Clearing Services Functions supported 3 7. Clearing Information Technology Infrastructure Central system infrastructure Clearing machines and application Telecommunication and security equipment Central communication servers Access point infrastructure Telecommunication lines Telecommunication equipment Member Infrastructure Telecommunication lines and equipment Access servers Corporate services 5 8. Environment and physical installations 5 9. Training Plan and Continuity Tests Continuity Plans Revision Audit plans 6 Annex I. Options of redundancy in member infrastructure 7 ii

3 1. Introduction According to current regulations, this Business Continuity Policy has been approved by the BME Clearing board meeting held on 26 February The CEO is responsible for the general coordination of Business Continuity. Our company has three locations, two in Madrid and the other in Barcelona. In the preparation of the BCP, every effort has been made to provide those centres with the necessary capacity and resources so that in the event of a disaster in one centre the majority of functions can be assumed from another one. This document describes the main areas of the plan providing an overview of the strategies used in order to achieve the continuity of services. It does not contain personal details of the employees or specific names of resources. 2. General goals of the Continuity Policy The global objectives of the Business Continuity Policy at BME Clearing are: Ensure the safety and physical integrity of the employees. Minimise the impact of the emergency situation on the service to our members and clients. Faced with a disaster situation in either of the two central locations, obtain a rapid recovery of the critical services in the other location. Whenever viable, protect the equipment and other partially damaged or undamaged assets from greater harm. Return to normal operations in the affected location once the disaster situation has been dealt with. Achieve effective communication both in the procedure of notifying its employees and in notifying clients and members. Comply with the requirements of current legislation. 3. Scope of BME CLEARING s Business Continuity Policy The main business processes at BME Clearing are Margin Management and Daily Settlements. For both processes, BME Clearing analyses the risks, including their impact and probability. The result of the corresponding Business Impact Analysis is a key element to develop the specific Recovery Plans of the company. The Business Continuity Policy includes actions and procedures defined in detail in the specific recovery plans for the areas of the company. For each of these areas there is a plan manager and one or more recovery plans. The areas covered in this document are: Área Responsible Clearing Services COO Information Technology Infrastructures of UNIX Systems Responsible the Clearing Department Environment and Physical installations General Services Manager - Maintenance Some of the backup capacities envisaged are automatic, whilst others require manual intervention. In the latter case, minimising the time without service is essential aim of the plan. Several disaster situations are considered. For each scenario the triggering events are defined, as well as specific protection actions and measures for each level. When defining the emergency situations we have also taken into consideration the time period in which the contingency occurs. 1

4 4. Recovery strategies The recovery strategies at BME Clearing include: Alternative premises in the same geographical area, immediately accessible. Diversified Data Processing Centers, located in zones with different geographical risk profile, supporting the recovery of all critical infrastructures and services in an objective time of 15 minutes, and always under 4h as required by the corresponding regulations. Remote access for most of the staff. Personnel trained in critical business tasks. 5. Distribution of backup capacities The central systems are replicated in two locations, Barcelona and Madrid, which are separated by more than 500 kilometres. Other systems, with less criticality are replicated in two locations in the Madrid area, separated by 15 kilometres. The following table displays the distribution of the back-up capacity and the roles of each location normally, as well as the RPO (Recovery Point Objective) and RTO (Recovery Time Objective: Service of access point (communications with clients and members) Clearing Application Services Barcelona Madrid_1 Madrid_2 RPO RTO Active Active Active T Immediate Passive Active Not available Simulation Environment Not available Active Not available T 15 <4h - - Corporate Services Not available Active Passive T 4h Web Services Not available Active Passive T 4h Technical Service Helpdesk) Clearing Service Helpdesk) Support (Technical Support (Clearing Development of Applications Department Not available Active Passive T 2h Active Active Not available Active Passive Not available - - D-1 1 day In the above context, the term passive means that in normal conditions functionality is not implemented but the necessary infrastructure is in place for it to be implemented in the case of disaster. In the cases where the role of several centres is active, the capacity exists for automatic recovery in case of disaster. For the other services, a situation of disaster would imply a period without service during which actions would be carried out until operations have been re-established. 2

5 6. Clearing Services The contingency plan for the Clearing services is conceived so that in the case of disaster in BME CLEARING main location the critical functions can be done from the passive location during the period required to get back to normal. It is envisaged the transfer of personnel from one centre to the other in case it is required. 6.1 Functions supported Confirmation of margins Communication with Banco de España Management of daily risk in real time Management of transfers Consultation of clearing from previous day Management of expirations (deliveries) Management of splits Telephonic technical support The plan includes an inventory of technical equipment (hardware, applications and data) which have been duplicated in another location. In addition the tasks are defined and the frequency with which they would have to be executed to achieve that the plan functions correctly. The plan is reviewed each year. It is updated with each entry of new services or modification. 7. Clearing Information Technology Infrastructure The recovery plan for Clearing Information Technology covers the procedures of supervision, detection, notification, restoration and reestablishment after a disaster situation arises that can have an impact on hardware, telecommunication services and critical applications. As part of the program, training has also been included of technicians that manage the lines and communication equipment, the security systems and market applications. As general criteria, duplication of all elements is sought to avoid single points of failure, be it in the Member installations, in the access points or in the central locations. The most important components to protect are listed below and the mechanisms that would be implemented in the case of partial or complete disaster: 7.1 Central system infrastructure In the central installations automatic redundancy has been configured taking advantage of the duplication of equipment, in many cases with high availability configurations Clearing machines and application The hardware on which the clearing application runs is made up of the system hosts of clearing, the disk arrays and the removable storage units. The disk arrays are configured for tolerance to failures and maximum velocity in access using the RAID 5 system. At the Madrid site there are two of these machines with a local replication mechanism. In a normal state, the clearing application that runs in the machines in Madrid is the application that has the active role. The Barcelona machine is passive. Clearing information is stored in a database on a cluster in Madrid. An additional hot-standby replica of the database is located in Barcelona Telecommunication and security equipment Switches, routers and central firewalls. Systems duplicated on site and equipped with options 3

6 of automatic redundancy with additional backup at the other geographical location. The failure of an individual component would be completely transparent for the services. A contingency situation in one of the locations would trigger the switch to the equipment of the other central site Central communication servers They are the communication servers for systems used by members, quote vendors and internal personnel of the clearing support department. They have redundant connections with the clearing machines at both geographical locations, being able to switch from one to the other in the event of a hardware failure. 7.2 Access point infrastructure There are two access points in each one of the following cities: Barcelona, Bilbao, Madrid. The location of one of those nodes in Barcelona and one of the nodes in Madrid are those of the central hosts Telecommunication lines The two nodes in each city are interconnected. They are also connected with one of the nodes in Madrid, so that there are always two paths to access from any node to the central hosts. The telecommunication providers have been combined in order to avoid the dependence on a single provider for both paths Telecommunication equipment The routers use redundancy mechanisms based on HSRP whereby, should a fault occur in one of them, the other will take over the former s functions to ensure continuity of service. Switches are also replicated. The connections of access servers to the switches are distributed so that the failure of one of the switches does not imply a severe impact on the service as the servers connected to the other continue to function normally. Each member is assigned several access servers for third-party applications (API GATE) in different access points. The client application can implement automatic switchover mechanisms in case of problems accessing a node. 7.3 Member Infrastructure The components of the standard Member installation are duplicated, whereby in the event of failure of any device or line the Member can continue the operation without the need for intervention Telecommunication lines and equipment Two telecommunication lines are connected to two different access points and are contracted using distinct service providers whenever possible. Each line is connected to one of the routers. The routing protocol is configured so that the situations of a line failure are automatically solved. Switches and routers at the members sites have the same redundancy options as an access node Access servers The communications server Access establishes a TCP/IP connection with the access points through which it exchanges messages with the central systems. The Access server maintains a list of access points with a preference of connections associated to each one. The software of this communications server has the capacity to detect connection problems with its main access point and, if necessary, use the next access point on its list. 4

7 7.4 Corporate services In the context of this document, corporate services are those which, although they cannot be classified as extremely critical for the operation of the Clearing processes, could have an impact on the efficient response of employees to Members and clients if they were affected. Examples of these services would be: system Antivirus systems Access to corporate file servers Access to Internet navigation Access to databases and corporate programs Internal computer services: DNS, DHCP, Intranet The corporate network of BME has a single internal domain with various servers that act as domain controllers (DCs) and which are found in the central sites. The domain services like the Active Directory, DNS, DHCP and WEB are also distributed. The Contingency Plan for corporate services contains the events and conditions of failure that would trigger the procedures of actions under the specific continuity plan for this area, as well as information on the employees assigned management functions and responsible for activating the recovery program. 8. Environment and physical installations The facilities security group maintains the Emergency and Evacuation Plan and manages the technical means necessary to detect a disaster situation. The staff in charge of the Facilities Security maintains the control of the procedures describing the procedures to be done in case of a disaster situation, including the mechanisms for notifying the other plan managers and the links with the public authorities (police, fire service and local government). 9. Training Plan and Continuity Tests Conducting regular continuity tests helps ensure that the contingency plans are updated and effective whilst ensuring that all members of the recovery team are familiar with the plans. The testing program sets out how and when to test each element of the plan. Training in continuity procedures and execution of continuity tests follow the following criteria: The staff must be appropriately trained before executing the tests. Staff should rotate so that all members of the departments involved participate in the tests. Contingency tests cannot put at risk the normal operation of the systems. There will be a documented Contingency Test Plan. The contingency tests will be done at least once a year for all elements supporting critical business components. The test results will be appropriately documented. The test program covers the following: Individual components. They are tested with greater frequency. Examples: Electrical systems, central firewall equipment. Simulations to train personnel that manage the crisis in their respective roles. Tests of resources and service providers. Example: Tests with telecommunication lines. 5

8 10. Continuity Plans Revision The continuity plan in BME CLEARING is a continuous process that develops with the introduction of new technologies, the results of disaster simulations, the experience of its technical personnel and management, and through the on-going training of employees involved in the plan. The plans must be reviewed: Every time there is a significant change in any of the Business Critical Services. When new risks are identified in the Business Impact Analysis. At least once a year a review of the recovery plans will be performed. After Continuity Plan audits, in case there are recommendations. The responsible for the plan will report to the CEO any revision made to the plans. 11. Audit plans The administrative aspects of the processes included in BME CLEARING S BCP such as the structure, content, measures and the documentation concerning control procedures are audited each year. These reviews are carried out by an independent firm. 6

9 Annex I. Options of redundancy in member infrastructure Access Point 1 Prefered: BAS 1 Backup: BAS 2 MEFF Site 1 6 Member Site 1 Member Network MEFF Network at Member Premises 5 Exchange Clients Ethernet Link Router A Leased Line Access Point Server 1 (APS 1) Backend Access Server 1 (BAS 1) Exchange Clients HSRP Protocol (Virtual IP Address) Ethernet Link Router B Leased Line Access Point 2 Prefered: BAS 2 Backup: BAS 1 MEFF Site 2 Access Point Server 2 (APS 2) Backend Access Server 2 (BAS 2) 1. Redundant links with the Member network and only one virtual IP address as port of link to the MEFF network 2. Routers duplicated 3. Lines duplicated, different suppliers and connected to different access points 4. Line between access points allows communication with the backup central system in the case of failure on the line that connects with the main centre 5. The Exchange Clients in Member installation can connect to any of the servers of the access points 6. The Back-end servers are replicated in separate central sites 7. Duplicated high speed lines provided by different suppliers between the central sites. 7