Chapter 8 Flashcards
Name the categories of KPIs
KPIs are often categorised into areas of supportability, recoverability, durability, performance, reliability, functionality, scalability, and flexibility.
Name the typical sections in an SLA.
- Introduction (parties, signatures, service description)
- Scope of work (service hours, support)
- Performance
- Tracking and reporting (content, frequency)
- Problem management (change procedures, escalation)
- Compensation and service credits
- Customer duties and responsibilities
- Warranties and remedies
- Security
- Intellectual property rights and confidential information
- Legal compliance and resolution of disputes and
- Termination and signatures
What is SLM?
Service Level Management (SLM) is the management of SLAs to ensure that they are up-to-date and current. The goal of SLM is to maintain and gradually improve the services that are being provided through a continuous cycle of monitoring, reporting and agreeing new targets during periodic reviews.
What are the objectives of DRP?
The planning process should minimise the disruption of operations and ensure some level of organisational stability and an orderly recovery after a disaster.
Other objectives of disaster recovery planning include:
1. Providing a sense of security
2. Minimising the risk of delays
3. Guaranteeing the reliability of standby systems
4. Providing a standard for testing the plan
5. Ensuring there is a clear communication plan in the event of an issue, and
6. Minimising decision-making during a disaster
Outline the methodology of DRP.
- Obtain top management commitment - commit adequate time and resources
- Establish a planning committee - should define scope of plan and frequency of tests
- Perform a risk assessment for a range of possible disasters, and also analyse the costs related to minimising potential exposures
- Establish priorities for processing and operations - establish critical needs of each department
- Determine recovery strategies - establish practical alternatives for recovery
- Perform data collection - using pre-formatted forms due to the volume and diversity of data required
- Organise and document a written plan - standard format for consistency - start with outline and develop detail
- Develop testing criteria and procedures
- Test the plan
- Approve the plan
- Update the plan
What needs to be considered for each department when assessing risk during the creation of a DRP?
- Functional operations
- Key personnel
- Information
- Processing systems
- Service
- Documentation
- Vital records, and
- Policies and procedures
How are critical needs defined as part of DRP?
Critical needs are defined as the necessary procedures and equipment required to continue operations should a department, computer centre, main facility or a combination of these be destroyed or become inaccessible.
As part of the ‘determine recovery strategy phase’ of DRP, what needs to be considered in selecting alternative recovery options?
- Contract duration
- Termination conditions
- Testing
- Costs
- Special security procedures
- Notification of systems changes
- Hours of operation
- Specific hardware and other equipment required for processing
- Personnel requirement
- Circumstances constituting an emergency
- Process to negotiate extension of service (including clear roles and responsibilities)
- Guarantee of compatibility
- Availability
- Non-mainframe resource requirements
- Priorities, and
- Other contractual issues
As part of the ‘perform data collection phase’ of DRP, what needs to be considered/collected?
- Back-up position listing
- Critical telephone numbers
- Communications inventory
- Distribution register
- Documentation inventory (covering recovery procedures as well as normal BAU procedures)
What are the responsibilities of top management in DRP?
1. Establishing policies, procedures and responsibilities for comprehensive contingency planning, and
2. Revising and approving the contingency plan annually, documenting such reviews in writing
If the organisation receives information processing from a service bureau, management must also:
1. Evaluate the adequacy of contingency plans for its service bureau
2. Ensure that its contingency plan is compatible with its service bureau’s plan
3. Approve the budget for the DR test
It is top management's ultimate responsibility that the organisation has a written and tested DRP.
Who reports to the CIO?
Head of production support
Head of development and implementation
Head of testing
Head of change
Head of business recovery
Head of information security
Who typically reports to the head of production support?
DBAs
Help desk / support staff
Who reports to the head of development and implementation?
BAs
App designers
Systems analysts
Programmers
Who reports to the head of testing?
Test analysts
Who reports to the head of change?
Programme managers
Project managers
What are other names for applications?
Logic engine or business rules - will validate a trade, create a customer etc
Describe the middleware / real-time messaging layer.
Products that distribute real-time data to, and obtain it from, other parties.
What are the benefits of a distributed system?
- To ensure that processing power is as close to the users as possible
- To ensure a high degree of robustness, for example via the use of data replication
- To enable hardware to be easily added as the resource demands of the applications running on the distributed system start increasing.
What is data replication?
Data replication is the process of sharing information so as to ensure consistency between redundant resources, such as software or hardware components, to improve reliability, fault tolerance, or accessibility. Data replication can be implemented either by storing the same data on multiple storage devices, or by executing the same computing task many times on different devices, in which case it is known as ‘computation replication’.
What are the seven operational risk events?
- Internal fraud – misappropriation of assets, tax evasion, intentional mismarking of positions and bribery. These activities can be facilitated by practices that allow, inter alia, unauthorised access to applications and underlying data. They may be mitigated by the use of application password control and the deployment of systems that support the concept of segregation of duties.
- External fraud – theft of information, hacking damage, third-party theft and forgery. As for (1) above, but in addition, these problems can be mitigated by the deployment of anti-virus software, anti-spyware, firewalls, etc.
- Employment practices and workplace safety – discrimination, workers' compensation, employee health and safety. There are no specific IT-related issues to this event; it is a company-wide issue.
- Clients, products, and business practice – market manipulation, anti-trust, improper trade, product defect, fiduciary breaches and account churning. ‘Product defects’ in this context include defects in the software and hardware that are used to process the firm’s data. Good IT practice involves the use of standardised, reliable methodologies to discover and document business requirements, select software vendors and packages, build, test and deploy software and manage projects. It also involves the use of configuration management and change control procedures to ensure that the right software versions are deployed.
- Damage to physical assets – natural disasters, terrorism and vandalism
- Business disruption and systems failures – utility disruptions, software failures and hardware failures. These risks may be mitigated by proper ‘business recovery plans’. Software failures may also arise as a result of product defects (Basel II event no 4).
- Execution, delivery, and process management – data entry errors, accounting errors, failed mandatory reporting, and negligent loss of client assets. These events, in turn, may be caused by product defects.
Generally, what are the two categories of risk management governance for IT departments within securities companies?
- Maintaining ‘business as usual’ activity
- Introducing business change
Name some areas of risk management within BAU activity
- Ensuring that business applications and the configurations that run them are stable and are able to cope with normal business volumes.
- Recording deficiencies in the design or operation of systems that support the firm’s activities and maintaining documentation of the workarounds to keep the process in control.
- Protecting the organisation from system security issues such as unauthorised access
- Ensuring system development keeps pace with rapidly evolving user requirements
- Ensuring the systems integrate effectively, minimising manual intervention and data integrity issues.
What are the risks that need to be managed when introducing business change within IT?
- Aligning the IT strategy with the business strategy
- Aligning the solution to the strategic business drivers
- Managing and monitoring risks of introducing the change on the business
- Providing visibility of risks and issues to responsible stakeholders
- Risk of over- (and under-) spend
- Risk of ‘re-inventing the wheel’ – i.e. implementing duplicate systems
- Delivery risk – i.e. delivering late, or not delivering what is required
- Complexity risk – i.e., the end solution becomes so complex that it increases costs and impacts delivery
- Scope expansion risk – i.e., the scope grows and grows (‘scope creep’)
- Managing external parties, e.g., clients or suppliers
What is benefits realisation?
- The intended benefits of the project must be documented and clearly understood at the outset, and agreed by senior management
- They should be expressed in financial terms, if possible, i.e. the expected return on investment should be measurable or, better still, quantified
- The identities of the business units that will enjoy those benefits must be known at the outset; and
- As part of the change plan, time and resources must be set aside to measure whether these intended benefits were, or were not, in fact achieved