Chapter 8 Flashcards

0
Q

Name the categories of KPIs

A

KPIs are often categorised into areas of supportability, recoverability, durability, performance, reliability, functionality, scalability, and flexibility.

1
Q

Name the typical sections in an SLA.

A
  1. Introduction (parties, signatures, service description)
  2. Scope of work (service hours, support)
  3. Performance
  4. Tracking and reporting (content, frequency)
  5. Problem management (change procedures, escalation)
  6. Compensation and service credits
  7. Customer duties and responsibilities
  8. Warranties and remedies
  9. Security
  10. Intellectual property rights and confidential information
  11. Legal compliance and resolution of disputes and
  12. Termination and signatures
2
Q

What is SLM?

A

Service Level Management (SLM) is the management of SLAs to ensure that they are up-to-date and current. The goal of SLM is to maintain and gradually improve the services that are being provided through a continuous cycle of monitoring, reporting and agreeing new targets during periodic reviews.

3
Q

What are the objectives of DRP?

A

The planning process should minimise the disruption of operations and ensure some level of organisational stability and an orderly recovery after a disaster.
Other objectives of disaster recovery planning include:
1. Providing a sense of security
2. Minimising the risk of delays
3. Guaranteeing the reliability of standby systems
4. Providing a standard for testing the plan
5. Ensuring there is a clear communication plan in the event of an issue, and
6. Minimising decision-making during a disaster

4
Q

Outline the methodology of DRP.

A
  1. Obtain top management commitment - commit adequate time and resources
  2. Establish a planning committee - should define scope of plan and frequency of tests
  3. Perform a risk assessment for a range of possible disasters - also analyse costs related to minimising potential exposures
  4. Establish priorities for processing and operations - establish critical needs of each department
  5. Determine recovery strategies - establish practical alternatives for recovery
  6. Perform data collection - using pre-formatted forms due to the volume and diversity of data required
  7. Organise and document a written plan - standard format for consistency - start with outline and develop detail
  8. Develop testing criteria and procedures
  9. Test the plan
  10. Approve the plan
  11. Update the plan
5
Q

What needs to be considered for each department when assessing risk during the creation of a DRP?

A
  1. Functional operations
  2. Key personnel
  3. Information
  4. Processing systems
  5. Service
  6. Documentation
  7. Vital records, and
  8. Policies and procedures
6
Q

How are critical needs defined as part of DRP?

A

Critical needs are defined as the necessary procedures and equipment required to continue operations should a department, computer centre, main facility or a combination of these be destroyed or become inaccessible.

7
Q

As part of the ‘determine recovery strategy phase’ of DRP, what needs to be considered in selecting alternative recovery options?

A
  1. Contract duration
  2. Termination conditions
  3. Testing
  4. Costs
  5. Special security procedures
  6. Notification of systems changes
  7. Hours of operation
  8. Specific hardware and other equipment required for processing
  9. Personnel requirement
  10. Circumstances constituting an emergency
  11. Process to negotiate extension of service (including clear roles and responsibilities)
  12. Guarantee of compatibility
  13. Availability
  14. Non-mainframe resource requirements
  15. Priorities, and
  16. Other contractual issues
8
Q

As part of the ‘perform data collection phase’ of DRP, what needs to be considered/collected?

A
  1. Back-up position listing
  2. Critical telephone numbers
  3. Communications inventory
  4. Distribution register
  5. Documentation inventory (covering recovery procedures as well as normal BAU procedures)
9
Q

What are the responsibilities of top management in DRP?

A

1. Establishing policies, procedures and responsibilities for comprehensive contingency planning, and
2. Revising and approving the contingency plan annually, documenting such reviews in writing
If the organisation receives information processing from a service bureau, management must also:
1. Evaluate the adequacy of contingency plans for its service bureau
2. Ensure that its contingency plan is compatible with its service bureau’s plan
3. Approve the budget for the DR test

It is top management’s ultimate responsibility that the organisation has a written and tested DRP.

10
Q

Who reports to the CIO?

A
Head of production support
Head of development and implementation 
Head of testing
Head of change
Head of business recovery
Head of information security
11
Q

Who typically reports to the head of production support?

A

DBAs

Help desk / support staff

12
Q

Who reports to the head of development and implementation?

A

BAs
App designers / systems analysts
Programmers

13
Q

Who reports to the head of testing?

A

Test analysts

14
Q

Who reports to the head of change?

A

Programme managers

Project managers

15
Q

What are other names for applications?

A

Logic engine or business rules - will validate a trade, create a customer, etc.

16
Q

Describe the middleware / real-time messaging layer.

A

Products that distribute and obtain real-time data to and from other parties.

17
Q

What are the benefits of a distributed system?

A
  1. To ensure that processing power is as close to the users as possible
  2. To ensure a high degree of robustness, for example via the use of data replication
  3. To enable hardware to be easily added as the resource demands of the applications running on the distributed system start increasing.
18
Q

What is data replication?

A

Data replication is the process of sharing information so as to ensure consistency between redundant resources, such as software or hardware components, to improve reliability, fault tolerance, or accessibility. Data replication can be implemented either by storing the same data on multiple storage devices, or by executing the same computing task many times on different devices, in which case it is known as ‘computation replication’.

19
Q

What are the seven operational risk events?

A
  1. Internal fraud – misappropriation of assets, tax evasion, intentional mismarking of positions and bribery. These activities can be facilitated by practices that allow, inter alia, unauthorised access to applications and underlying data. They may be mitigated by the use of application password control and the deployment of systems that support the concept of segregation of duties.
  2. External fraud – theft of information, hacking damage, third-party theft and forgery. As for (1) above, but in addition, these problems can be mitigated by the deployment of anti-virus software, anti-spyware, firewalls, etc.
  3. Employment practices and workplace safety – discrimination, workers’ compensation, employee health and safety. There are no specific IT-related issues to this event; it is a company-wide issue.
  4. Clients, products, and business practice – market manipulation, anti-trust, improper trade, product defect, fiduciary breaches and account churning. ‘Product defects’ in this context includes defects in the software and hardware that is used to process the firm’s data. Good IT practice involves the use of standardised, reliable methodologies to discover and document business requirements, select software vendors and packages, build, test and deploy software and manage projects. It also involves the use of configuration management and change control procedures to ensure that the right software versions are deployed.
  5. Damage to physical assets – natural disasters, terrorism and vandalism
  6. Business disruption and systems failures – utility disruptions, software failures and hardware failures. These risks may be mitigated by proper ‘business recovery plans’. Software failures may also arise as a result of product defects (Basel II event no 4).
  7. Execution, delivery, and process management – data entry errors, accounting errors, failed mandatory reporting, and negligent loss of client assets. These events, in turn, may be caused by product defects.
20
Q

Generally, what are the two categories of risk management governance for IT departments in securities companies?

A
  1. Maintaining ‘business as usual’ activity
  2. Introducing business change
21
Q

Name some areas of risk management within BAU activity

A
  1. Ensuring that business applications and the configurations that run them are stable and are able to cope with normal business volumes.
  2. Recording deficiencies in the design or operation of systems that support the firm’s activities and maintaining documentation of the workarounds to keep the process in control.
  3. Protecting the organisation from system security issues such as unauthorised access
  4. Ensuring system development keeps pace with rapidly evolving user requirements
  5. Ensuring the systems integrate effectively, minimising manual intervention and data integrity issues.
22
Q

What are the risks that need to be managed when introducing business change within IT?

A
  1. Aligning the IT strategy with the business strategy
  2. Aligning the solution to the strategic business drivers
  3. Managing and monitoring risks of introducing the change on the business
  4. Providing visibility of risks and issues to responsible stakeholders
  5. Risk of over- (and under-) spend
  6. Risk of ‘re-inventing the wheel’ – i.e. implementing duplicate systems
  7. Delivery risk – i.e. delivering late, or not delivering what is required
  8. Complexity risk – i.e., the end solution becomes so complex that it increases costs and impacts delivery
  9. Scope expansion risk – i.e., the scope grows and grows (‘scope creep’)
  10. Managing external parties, e.g., clients or suppliers
23
Q

What is benefits realisation?

A
  1. The intended benefits of that project must be documented and clearly understood at the outset, and agreed by senior management
  2. They should be expressed in financial terms, if possible, i.e. the expected return on investment should be measurable or, better still, quantified
  3. The identities of the business units that will enjoy those benefits must be known at the outset; and
  4. As part of the change plan, time and resources must be set aside to measure whether these intended benefits were, or were not, in fact achieved
24
Q

What are the components of an infrastructure catalogue?

A
  1. Users the desk supports – key details include:
    a. Name, department, telephone number, email address and physical location
    b. Normal working hours and working days
  2. Applications the desk supports – key details include:
    a. Name of the application
    b. Details of its role in the business
    c. Name and full contact details of the organisation that is responsible for supporting it. Note that this may be the firm’s IT department or an external vendor.
    d. Technical details – is it a PC application such as Word or Excel, or is it a web-based application that does not require installation on a user PC, or is it a client-server application employing a database? If it is a client-server application, what database is used and what specific servers does it run on?
    e. Any requirements for specific version numbers for database and operating system software
    f. Hours during the day and days of the week on which there is expected to be activity. If there is a great deal of night-time activity in this application, then the desk will need to hold out-of-hours contact details and perhaps rotas for support staff who may need to be contacted at home
    g. An assessment as to how critical the loss of this application for an extended period would be to the business
    h. Licence details – the number of simultaneous users, scope of use, volume limits etc.
  3. Hardware the desk supports – key details include:
    a. Locations of all servers and routers
    b. Whether they are used for production, testing or disaster recovery
    c. Which applications are running on each server
25
Q

What are the options for help desk structures to provide extended cover?

A

1. ‘Follow the Sun’ – this model is widely used by firms that have operations in more than one time zone, and users accessing the same application and servers from different countries. During normal European working hours, support for all users worldwide is provided from a European location. When Europe closes, support moves to a North American support centre, and when North America closes, support is handled by an Asian support centre
2. Extended working hours – this model is widely used when a firm is doing business in a single time zone, but is using applications that are working throughout the day and night. A single help desk works in shifts; one shift coincides with normal working hours for the majority of the users and is more heavily manned than the other shift, which deals only with emergency calls
3. Partial outsourcing – if out-of-hours calls are expected to be very few in number but may be critical, then overnight manning of the help desk could be outsourced to a third-party specialist firm

26
Q

What two fundamental types of SLAs exist?

A

External and internal

27
Q

What are the three levels of support personnel?

A

Help desk
Analyst
Service specialist

Escalate to management

28
Q

What is the primary objective of DRP?

A

To protect the organisation.

29
Q

What are the benefits of initially outlining the DRP written plan?

A
  1. Helps to organise the detailed procedures
  2. Identifies all major steps before the writing begins
  3. Identifies redundant procedures that only need to be written once
  4. Provides a road map for developing the procedures
30
Q

How is the contingency organisation structured?

A

Teams being responsible for major functional areas, such as:

  1. Administrative functions
  2. Facilities
  3. Logistics
  4. User support
  5. Computer back-up
  6. Restoration, and
  7. Other important areas
31
Q

Who co-ordinates the recovery process?

A

The management team. The team should assess the disaster, activate the recovery plan and contact team managers and third-party suppliers. The management team also oversees, documents and monitors the recovery process. Management team members should be the final decision-makers in setting priorities, policies and procedures.

32
Q

How often should the DRP be tested and evaluated?

A

At least annually

33
Q

List some reasons for testing the DRP.

A
  1. Determining the feasibility and compatibilities of back-up facilities and procedures
  2. Ensuring the plan is realistic
  3. Identifying areas in the plan that need modification
  4. Providing training to the team managers and team members
  5. Demonstrating the ability of the organisation to recover and
  6. Providing motivation for maintaining and updating the DRP
34
Q

What does a structured walk-through of a DRP provide?

A

The test will provide additional information regarding further steps that may need to be included, changes in procedures that are not effective, and other appropriate adjustments.

35
Q

When should DRP testing be carried out?

A

Initially, testing of the plan should be done in sections and after normal business hours to minimise disruption to the overall operation of the organisation.

36
Q

Name types of testing that may be carried out on the DRP?

A
  1. checklist tests
  2. simulation tests
  3. full interruption tests, and
  4. cross industry tests involving suppliers and customers

To facilitate these recommendations, most exchanges and clearing houses offer their customers facilities to test whether their back-up facilities are able to communicate successfully with the providers’ own systems.

37
Q

What are the key recommendations about testing in the FSA’s BCMP Guide?

A
  1. Critical suppliers are involved in tests at least annually
  2. The firm should be prepared to supply evidence of its testing to its own customers, suppliers and regulators
38
Q

Who should approve the DRP?

A

Top management

39
Q

Whose responsibility is it that an organisation has a documented and tested plan?

A

Top management

40
Q

What is management responsible for in the discipline of BCM?

A
  1. Establishing policies, procedures and responsibilities for comprehensive contingency planning, and
  2. Revising and approving the contingency plan annually, documenting such reviews in writing
If the organisation receives information processing from a service bureau, management must also:
  3. Evaluate the adequacy of contingency plans for its service bureau
  4. Ensure that its contingency plan is compatible with its service bureau’s plan
  5. Approve the budget for the DR test
41
Q

Name the two aspects of change management.

A
  1. Use of version control
  2. Development of procedures to ensure that only authorised changes are made

42
Q

What are change control practices designed to facilitate?

A

Change control practices are designed to:
1. Allow changes to accepted work products to be proposed and evaluated, schedule and quality impact assessed, and the changes approved or rejected for release into production systems in a controlled manner
2. Provide a mechanism for management to accept and sign off changes that improve the product overall while rejecting those that degrade it.
3. Notify all parties materially affected by a proposed revision of the need to accept the new version
4. Notify all interested parties on the periphery of development regarding change proposals, their assessed impact, and whether the changes were approved or rejected
5. Facilitate efficient deployment of changes to environments where they are required