Jonathan G. Katz, Secretary
Subject: Interagency Concept Release: Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U. S. Financial System.
Dear Mr. Katz,
CNT provides the following comments in response to the Sound Practices outlined in the draft white paper.
Recommended Distance Considerations
CNT believes the agencies should consider a two-zone solution approach: Zone 1 being under 60 miles suitable for synchronous data replication, and Zone 2 involving distances over 60 miles where asynchronous data replication solutions are available. We also refer to Zone 1 as Metropolitan Area Networks (MAN) and Zone 2 as Wide Area Networks (WAN). Typically, Zone 1 solutions will involve synchronous disk mirroring. Zone 2 solutions can include asynchronous disk mirroring and asynchronous remote tape vaulting. This two-zone approach ensures that you have a data copy with complete consistency at a nearby "hot site", ensuring business continuity, and a remote copy located outside the reach of a region-wide disruption, possibly using a "warm site" configuration.
New software tools are available to manage multiple data copies under this approach, and new asynchronous data replication software is available that maintains full recovery and data consistency. New WAN data networking systems support the asynchronous data replication and tape backup/recovery environment over extended distances, using high-speed network links that are more affordable than ever before.
To minimize the risk that a primary and a backup site are both impaired by a single wide-scale regional outage, Zone 2 sites for core clearing and settlement organizations and other firms that play significant roles in critical financial markets should be encouraged to be 200 miles apart (at a minimum). This distance should ensure that companies are not subject to a regional or geographic event that would affect their network, phone system, electrical grid and personnel.
For other financial institutions, defining a minimum distance between the primary and backup sites should take into consideration several factors, including the state or location the business resides (80+% of all disasters have taken place in a handful of states), the types of disasters that typically occur in that region and the severity or impact of those disasters, the cost of downtime for that organization and the potential impact on the overall financial market. Some disruptions, viruses for instance, can span all geographic boundaries. To protect against viruses and other "soft" errors, financial institutions should use policy-based snapshot technologies that allow them to quickly revert to a previous good copy of the data.
Extent of Data Protection
CNT believes that agencies need to carefully evaluate the environment, applications, and data to be protected. Many companies remotely mirror their data, but not the application environment and IT infrastructure to enable immediate recovery. Agencies should conduct a thorough Business Impact Analysis (BIA) and Infrastructure Assessment to establish the technology solution required to meet defined recovery time and recovery point objectives.
Problems with Outsourcing
One of the challenges from September 11 was the number of companies attempting to get disaster recovery services from a few service providers. Because of the sheer numbers of companies impacted by a single event, these service providers weren't able to live up to their contracted Service Level Agreements. Some precautions should be taken when considering the use of a remote outsourced facility to ensure that these facilities have the servers, the applications and the people available to take over production. When outsourcing, companies should demand a level of priority that will meet the necessary regulatory guidelines for recovery.
Affordability of Bandwidth for Extended Distance Solutions
Traditional disaster recovery networks have utilized ATM, SONET, and dedicated leased lines. Those continue to be viable network infrastructures. For many companies, however, the cost of wide area bandwidth using those networks has been prohibitive to date. New technological advances, like IP storage networking and data compression technologies, and new IP-based telecom services, allow companies to cost-effectively deploy business continuity and disaster recovery solutions using IP WAN networks. In many cases, companies can use existing IP network infrastructures to support multiple applications, performing real-time data replication by day, and doing asynchronous backups during evenings and weekends, when excess bandwidth is available.
Technologies exist to ensure complete data integrity and security over IP networks, making it a viable, cost-effective alternative for business continuity and disaster recovery within the financial services industry.
CNT would be happy to provide additional information on any of the topics covered above. Please contact Patty Barkley at 763-268-6377 or via e-mail firstname.lastname@example.org if we can be of further assistance.