From: Mark Silverman [MarkS@bocada.com]
Sent: Thursday, October 17, 2002 7:53 PM
To: 'regs.comments@federalreserve.gov'; 'regs.comments@occ.treas.gov'; 'rule-comments@sec.gov'
Cc: Mark Silverman; Kim Chen
Subject: File No. S7-32-02 (Release No. 34-46432)

Subject: Comments on (Release # 34-46432; File # S7-32-02) Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the US Financial System (the "White Paper")

To Whom It May Concern,

In reviewing the White Paper as requested, we applaud the proposed policies as an absolute necessity. We encourage you to add to your current proposals in Article II, Section B.4., a recommendation for the adoption of an independent audit and reporting solution to ensure system reliability and compliance with established policies. The recommendation also applies to the corresponding summary sections relating to the implementation of systems that meet the reliability and performance criteria specified in the White Paper.

Reasons for the Recommendation

1. Data Protection Systems Fail

Data backups are the last line of defense against data loss, and often the backbone of any business continuity plan. Yet according to leading market research firms, an estimated 40% to 60% of backups fail. [1] If data is not backed up correctly, it cannot be recovered.

2. No Visibility into Data Protection Operations

Perhaps more disconcerting than the frequency of failures is the fact that few IT professionals know whether their backups are successful, or whether they are backing up everything they should (until they try to recover their data, which is of course too late). In a recent poll by a leading enterprise storage magazine, 36% of all IT professionals polled said that not knowing whether they were adequately backing up their data was their biggest problem. [2]

3. The Cause

The principal cause of backup reliability issues is the enormous complexity and volatility of the IT environment, not the quality of the underlying backup and recovery products. The typical enterprise backs up numerous applications, blocks and files residing in a mixture of Windows, Unix and Linux network operating systems, across heterogeneous networks to multiple tape devices using backup management software from multiple vendors. The result is a complex, volatile network of heterogeneous backup and storage technologies that can quickly degrade without proactive day-to-day management.

4. Ensuring Integrity with Continuous Evaluation

With regard to the second paragraph on page 12, policies and specific operational and recovery objectives as outlined are critical to the integrity and continued operations of our financial infrastructure (as well as many other critical businesses such as telecommunications, transportation, healthcare, etc.). Unfortunately, articulated policies and objectives are rarely sufficient. It is also necessary to continuously evaluate actual performance against policies and objectives as indicated in #4 on page 7 and also in the second paragraph in section C on page 13.

Recommendation

We recommend the addition of a requirement to implement a solution that maintains auditable track records of data protection activity in order to enable those responsible for system maintenance to ensure the protection of critical data and systems, and validate compliance with policies. Specific items/activities should be identified for full clarification and understanding.

Please feel free to contact me with any questions or to obtain further information about the issues raised or the requirements for the solution proposed. We would be happy to collaborate in any way.

Sincerely,

Mark Silverman
CEO
BOCADA™
marks@bocada.com
425.985.5885
The Storage Intelligence Company™

--------------------------------------------------------------------------------

[1] The Enterprise Storage Group and Enterprise Management Associates
[2] InfoStor, "IT's dirty little secret: Users raise concerns about backup and recovery." August 2002.