[ISN] Financial Firms Create Disaster Recovery Standards

InfoSec News isn at c4i.org
Tue Sep 20 04:06:57 EDT 2005


By Lucas Mearian 
SEPTEMBER 19, 2005

Driven by a number of disasters in recent years, several financial
services firms and IT vendors have joined forces to create disaster
recovery and business continuity standards.

The Resiliency Maturity Model Project, overseen by the New York-based
Financial Services Technology Consortium, will create benchmarks and
define terms for business continuity planning across all areas of a
financial enterprise, said Charles Wallen, managing executive of
FSTC's Business Continuity Standing Committee and the project's

Plans to create the standards, which will also be available to
companies in other industries, were announced last week by the FSTC.

Wallen said recent disasters like Hurricane Katrina reaffirm the need
for "strong business continuity plans and a road map for third-party
providers to understand what's needed. We have to do a better job at
raising the bar."

Financial services companies involved in the project include CitiBank,
J.P. Morgan Chase & Co., Bank of America Corp. and MasterCard
International Inc. IBM, Carnegie Mellon University and Disaster
Recovery Institute International are also participating.

A Measure of Resiliency

A MasterCard spokeswoman said her company hopes the project can help
other organizations move beyond disaster recovery into organizational
sustainability. "We're looking at models to measure the resiliency of
an organization," she said.

Wallen said the project, slated to be completed next spring, should
give companies a road map to plan and measure their resiliency against
a set of industry standards.

Brian Finley, chief technology officer at PSSD/World Medical Inc., a
$1.5 billion medical equipment supply company in Jacksonville, Fla.,
agreed with the need for such standards but predicted that few
companies will use them to prepare for disasters.

"I've seen and heard of customers that never test [disaster recovery
plans]," Finley said. "Even if you create a set of standards,
somebody's got to buy into those standards, and someone has to
financially back the testing and documentation and the process and
controls around it."

PSSD is not involved in the standards project.

The Resiliency Maturity Model Project is being carried out in two
phases. The first, expected to be completed this month, will identify
a list of disaster recovery capabilities that companies need.  
Pittsburgh-based Carnegie Mellon is providing the project with some
maturity modeling methodologies that can identify different levels of
preparedness organizations can reach.

The second phase, to be completed next spring, will include benchmarks
and maturity models that will let companies compare their preparedness
against some 40 standard capabilities.

Guillermo Kopp, an analyst at TowerGroup in Needham, Mass., said he
believes the effort could lead to more business adoption of disaster
recovery standards, because such frameworks can prove return on

"The challenge is to keep the level of attention high," he said.  
"These projects are not a slam-dunk. It's more of a journey."
