Symantec Business Continuity Solutions for Operational Risk Management Manage key elements of operational risk across your enterprise to keep critical processes running and your business moving forward. Introduction Planning for technology failures is nothing new to financial services firms. Backups have been a matter of course for the last 50 years and disaster recovery planning has been required since 1983 when the OCC began asking for banks to file their plans with the US Treasury. Banks have long been targets for external attacks and given the need for banking services in a crisis, natural disaster has never been a good excuse for the branch to be closed. What has changed is the focus of these efforts and the tools available. The financial industry s complexity and dependence on technology has driven general discussions around the closely related issues of operational risk management and corporate governance. The overall result has been to shift the attention from disaster recovery to business continuity across all areas. In this context business continuity becomes a way to proactively anticipate exposures before failures occur so that measures can be taken to mitigate the losses or prevent their occurrence. There has also been a shift in technologies to allow for seamless environments that are not location dependent creating an opportunity to reexamine the more passive approach and changing the focus to resiliency of business through Business Continuity Planning. Symantec can help institutions across the entire spectrum of activities from planning to implementation to monitoring of business continuity strategies within a continuous improvement cycle. Whether the need is for point solutions to solve an immediate need or analysis and planning around a total business continuity program, Symantec stands ready to be your strategic partner in solving these challenges. Overview The past decade has seen an overwhelming focus on risk management practices across industries and geographies. In financial services, each industry segment has had a slightly different approach dictating which risk discipline was given priority and how methodologies were applied or adopted. The turn of the century has brought about a shift in attention to credit and operational risk management. The motivations for focusing on operational risk, particularly, seem too numerous to count: including financial scandals, fraud, internet security concerns, terrorism and natural disasters. Figure 1: Seven Categories of Operational Risk as defined by the Bank for International Settlements Page 1 of 5
Figure 2: Financial Services Technology Evolution The overall goals of operational risk management efforts are fairly clear at this point: to reduce losses due to unexpected operational failures in people, processes, technologies or external events. These guidelines have been clarified greatly by the regulators over the past 5 years the Bank for International Settlements (BIS) categories are illustrated in Figure 1. Most institutions, however, are still working on defining internally their comfort level around operational risk exposures created by a broader range of business scenarios, looking at a variety of potential disruptions, rather than just disasters. The desire to be prepared is balanced by disparate opinions on the objectives and the cost. Complex operational environments threaten increased frequency and severity of security and systems failures and disruptions at precisely the time when the negative brand impact of such events is at its highest. Bank executives and regulators, anxious to stay off the front page are putting pressure on operational risk and IT staff, even as resources and budgets are constrained. As financial services institutions confront greater complexity across their technology environments the issues around disaster recovery planning has moved beyond being solely an IT concern. Figure 2 illustrates the challenge at both the business, and IT, level to move from a recovery status ultimately to an enterprise level, business continuity preparedness state. Different institutions are at different points along this continuum, with most continuing to evolve their approach beyond availability management. The Solution Symantec s involvement can begin by taking firms through a methodology that includes, definitions and analysis to strategy and architecture to implementation to testing and validation, and finally to maintenance and continuous improvement. Symantec consultants with expertise in both financial services and business continuity management, work with you to prioritize requirements to help meet compliance mandates and cost effectiveness. Page 2 of 5
Symantec's Business Continuity Management approach provides state of the art security, high availability, monitoring, recovery, and reporting software tools giving customers the ability to augment their current environment incrementally or in a full suite as needed. Financial services institutions addressing elements of business continuity from assessment to prevention to remediation to recovery, as well as continuous improvement can rely on Symantec to support all of their efforts to: Assess the current environment to determine availability-continuity-recovery priorities and identify precedent and antecedent business processes and applications. Assess the current IT environment. Develop business continuity and high availability strategies consistent with a business continuity management approach. Identify a technology plan to meet the defined business continuity approach, including explicit determination of the infrastructure implications of linking security policies with availability-continuity-recovery priorities. Identify technology options, including but not limited to Symantec products and services, to meet the desired IT plan and infrastructure environment. Implement the Symantec technology solutions. Integrate and test in support of implementation activities. Oversee ongoing maintenance and continuous improvement of the technology plan to respond to the changing demands of the marketplace and new developments in technology. Key Components Symantec can offer the following approach to implement within a financial services institution s business continuity strategy: Consulting Services Symantec Business Continuity Management Methodology Symantec provides deep industry expertise through their Symantec Consulting Services to deliver customized assessments and plan development for financial services firms in support of their business continuity efforts (see Figure 3). Technology to ensure systems availability and mitigate business disruptions VERITAS Cluster Server The industry s leading clustering solution for reducing both planned and unplanned downtime. VERITAS Volume Replicator Provides a world-class foundation for continuous data replication, enabling reliable recovery of critical applications at remote recovery sites. VERITAS Storage Foundation A standard set of integrated tools to centrally manage explosive data growth, maximize storage hardware investments, provide data protection, and adapt to changing business requirements. Page 3 of 5
Figure 3: Symantec Consulting Services: Business Continuity Management Methodology VERITAS NetBackup - The recognized leader for enterprise-class backup and recovery for complete data protection in all environments, from desktop to datacenter to vault. VERITAS Enterprise Vault - Provides a flexible archiving framework to enable the discovery of content held within email, file system and collaborative environments, while helping to reduce storage costs and simplifying management. VERITAS i 3 - An end-to-end application performance management solution that monitors, measures, analyzes, and tunes critical business applications all the way from the end user to the storage. Technology to ensure security and mitigate fraud: Symantec DeepSight Threat Management/Alert Services Monitors security policies and events across the IT environment to provide early warnings on emerging security threats. Symantec Enterprise Security Manager Assesses and automates the discovery of vulnerabilities and deviations in the security policies of mission critical e-business applications and servers across the enterprise from a single location. Symantec Security Information Manager Correlates and prioritizes threat information to provide early warning remediation guidance and arm IT staff with the information required to effectively respond to security threats. Symantec LiveState Recovery - Protects, restores, and recovers computer systems with non-intrusive, real-time backups and rapid disaster recovery on workstations and servers. These products and services are part of the comprehensive support that Symantec provides for your operational risk management regime. Whether the need is for a point software solution, or for strategic planning, Symantec is ready to discuss with you the issues your institution faces in achieving business continuity. Page 4 of 5
More information Visit our Web site http://enterprisesecurity.symantec.com/industry/finance/ To speak to an industry solutions specialist in the U.S. Call toll free 800-745-6054 for more information about Symantec Security Services. To speak to an Enterprise Security Services specialist outside the U.S. Symantec has operations in more than 40 countries. For specific country offices and contact numbers, visit our Web site. About Symantec Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com. Symantec Corporation World Headquarters 20330 Stevens Creek Boulevard Cupertino, CA 95014 USA 408 517 8000 800 721 3934 www.symantec.com Symantec and the Symantec logo are registered trademarks of Symantec Corporation and/or its subsidiaries in the United States and elsewhere. LiveState and Symantec Discovery are trademarks of Symantec Corporation and/or its subsidiaries in the United States and elsewhere. All other brands and products are trademarks of their respective holder(s) 2006 Symantec Corporation. All rights reserved. 05/06 10323006 Page 5 of 5