Compliance Insight with David Schneier

Business Continuity III: Republic Bank Gets it Right

I no sooner finished my most recent post on Business Continuity Planning, and we (BIS) published the transcript of a podcast conducted with Roger Batsel CISO Interviews: Roger Batsel, Republic Bank, on Business Continuity/Disaster Recovery), SVP, Managing Director of Information Systems at Republic Bank, Louisville, KY about.... Business Continuity Planning.

It was a great read and illuminated many of the very same points I typically cover when working with clients on BCP. The quote that grabbed my attention initially was when Mr. Batsel stated of BCP that it "is very much a business responsibility." That his institution takes such a view is unique; that he, the senior IT person for his bank, subscribes to the same theory, is encouraging. Disaster Recovery is often substituted for BCP, and DR is very much an IT exercise. However it's only a piece of a reliable plan and not the plan itself.

Being able to restore your core banking systems at a remote location is one part of a continuity strategy; ensuring that essential staff knows to travel to that location is another. What about redirecting customers/members to the remote site? How long is the disaster scenario in effect? Are there sufficient telecom services available at the site? How do the relocated staff access the building (e.g. card access, door-lock keys, etc.)?

It's not simply about inserting a backup tape into a device and running restore scripts. There's so much more that needs to be addressed and can only be addressed by the various business owners. And so when Mr. Batsel describes how their approach incorporates the business community to the extent that during testing they "had operations folks actually performing the tests and signing off on the testing sheets," I was taken aback. Users involved in BCP testing? That's unheard of. He went on to offer that in the future he thought "the business really ought to entirely define the scope of those systems to be tested". That's a significant departure from what I've come to consider the standard for the industry. Imagine such a strange concept, the business actually driving critical BCP activities.

I encourage you to take a few minutes and either listen to the podcast or read the transcript CISO Interviews: Roger Batsel, Republic Bank, on Business Continuity/Disaster Recovery. You'll get more useful information on BCP in this quick read than from many white papers.

About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.