
SMBL Policy IT DR Plan Mar 2022 BOD Final - v0.1


INFORMATION TECHNOLOGY

DISASTER RECOVERY (IT - DR)


PLAN

Classification: Internal Document


Disclaimer:
THIS IS A CONFIDENTIAL & PROPRIETARY DOCUMENT
This policy document is solely for the internal use of the staff of Summit Bank Limited and
should be accorded the same level of secrecy as is done to other confidential documents of
the bank. The intent of this policy document is to assure that confidential information
remains confidential and will be used only as necessary to accomplish the Bank’s business
objectives. Any unauthorized amendment, reproduction, copying, photocopying is grounds
for disciplinary action up to and including termination of appointment, contract or
employment to legal liability.
Information Technology – Disaster Recovery (IT-DR) Plan
Policy Document
Document Owner: ORM - RMD Release Date: 2021 Next Revision Date: 2023

Document Information
Document Title: SMBL – Information Technology - Disaster Recovery (IT-DR) Plan

Document Version: 2.0

Issue Date: April, 2021

Document Author

| Document Author(s) | Designation |
| --- | --- |
| Ariz Maqbool | Senior Executive Risk Management Division |

Document Reviewer

Operational Risk Management - Risk Management Division Page 2 of 50





Document Approver


Document Revision History

| Version | Author | Date | Revision |
| --- | --- | --- | --- |
| 1.0 | | 15 June 2006 | Draft to be reviewed |
| 1.0 | | 13 March 2008 | Personnel change |
| 1.0 | | 17th Nov 2010 | Personnel change |
| 1.0 | | 18th Apr 2011 | Personnel change |
| 1.0 | | 17th Aug 2011 | Personnel change |
| 1.0 | | 19th July 2017 | Updation |
| 2.0 | Mr. Junaid Siddiqui; Mr. Mahmood Iqbal; Mr. Safdar Raza Naqvi; Mr. Arshad Mehmood; Ariz Maqbool | 7th January 2021 | Section 1. Plan Overview (Updated – Page – 8); INTRODUCTION New Addition – Page 8; GOALS AND OBJECTIVES New Addition – Page 8; APPROACH New Addition – Page 9; ASSUMPTIONS New Addition – Page; DISASTER DEFINITION New Addition – Page 12; CLASSIFICATION OF IT DISASTERS New Addition – Page 12; RTO New Addition – Page 12; IT RECOVERY STRATEGY New Addition – Page 17; INTERDEPENDENCIES OF THE SYSTEMS New Addition – Page 43; Disaster Recovery Teams with their role and responsibilities – Page 19 |


Table of Contents
SECTION 1. PLAN OVERVIEW
1.1 Purpose
INTRODUCTION
GOALS AND OBJECTIVES
ASSUMPTIONS
1.2 Plan Scope
1.3 Intended Users
SECTION 2. DOCUMENT CONTROL
2.1 Purpose
2.2 Plan Distribution
SECTION 3: DISASTER DEFINITION, CLASSIFICATION & PLAN GUIDELINES
DISASTER DEFINITION
CLASSIFICATION OF IT DISASTERS
RTO – 1 TO 4 HOURS (CRITICAL)
RTO – 4 TO 24 HOURS (ESSENTIAL)
RTO – 24 TO 72 HOURS (NECESSARY)
PLAN GUIDELINES
3.1 Purpose
3.2 Plan Flowchart / Role Hierarchy
SECTION 4: IT RECOVERY STRATEGY
ASSUMPTIONS
STRATEGY
HP C7000 CHASSIS SERVERS
REPLICATION AND DATA BACKUP
HPLUS
CONNECTIVITY
FG-1200D CORE ROUTER
IT RECOVERY TEAMS TO ACT DURING THE DISASTER:
COMMAND & CONTROL (EMERGENCY MANAGEMENT) TEAM:
INCIDENT RESPONSE TEAM:
IT SECURITY TEAM:
OFFSITE STORAGE TEAM:
NETWORK RECOVERY TEAM:
ADMINISTRATIVE & HR SUPPORT TEAM:
LEGAL AFFAIRS TEAM:
SECTION 5: INVOCATION PROCEDURES
4.1 Purpose
4.2 Invocation Authority
4.3 Invocation during Office Hours
4.4 Invocation outside Office Hours
SECTION 6: NOTIFICATION STRUCTURE
5.1 Purpose
5.2 Initial Disaster Notification
5.3 Notification within IT Division
5.4 Notification of SMBL Management
5.5 Notification of External Contacts
5.6 Useful Contact Numbers
5.7 Notification Logs


SECTION 7: RECOVERY TEAMS
6.1 Purpose
6.2 Disaster Recovery Site Team
6.3 MACHS (DR & BCP Site) Recovery Team
6.4 Incident Command Centre Team
SECTION 8: TEAM MEETING LOCATIONS
7.1 Purpose
7.2 Disaster Recovery Site Team
7.3 MACHS (DR & BCP Site) Recovery Team
7.4 Incident Command Centre Team
SECTION 9: ESSENTIAL DOCUMENTATION
8.1 Purpose
8.2 At Disaster Recovery Site(s)
8.3 At Incident Command Centre Location
8.4 At Business Continuity Site
SECTION 10: INVENTORIES
9.1 Purpose
9.2 Hardware Inventory
9.3 Software Inventory
SECTION 11: OFFSITE STORAGE DETAILS
10.1 Purpose
10.2 Offsite Storage Arrangements
SECTION 12: PLAN MAINTENANCE
11.1 Purpose
11.2 Details Updation
SECTION 13: PLAN TESTING
12.1 Purpose
12.2 Responsibility
APPENDIX A: CALL TREE INFORMATION
APPENDIX A1: Initial Disaster Notification
APPENDIX A2: Notification Within IT Division to the following functional titles
APPENDIX A3: Notification to SMBL Management
APPENDIX A4: List of External Contacts
APPENDIX A5: Useful Contact Numbers
APPENDIX B: Team Personnel Lists
APPENDIX B1: Disaster Recovery Site Team
APPENDIX C: CHECKLISTS
APPENDIX C2: Incident Command Centre
APPENDIX E: Third Party Contract(s)
APPENDIX F: Interdependencies of the System(s)
APPENDIX G: Interdependencies of the System(s) – IT Development
APPENDIX H: Roles & Responsibilities – IT Team
ADC services Shutdown Process
ADC Services Restoring Process


SECTION 1. PLAN OVERVIEW

1.1 Purpose

This Disaster Recovery Plan (DRP) documents the strategies, procedures and resources that
will be used by the Disaster Recovery Team (DRT) to respond to any short or long-term
business interruption affecting the Summit Bank (SMBL) Head Office buildings located in
Karachi, Pakistan. It will guide the DRT in responding successfully to the business disruption
event.
This plan should be carefully followed during periodic testing exercises in order to
thoroughly train recovery personnel and ensure that strategies and actions accurately
reflect current business recovery requirements.

This is important in order to have a clear picture of the level of planning in place, without
creating a false impression of having catered for every possible disaster scenario because
of the existence of a Plan.

INTRODUCTION

The DRP document is focused on recovering the IT setup of Summit Bank after an incident
is classified as a disaster. It addresses the scope of disaster recovery as outlined in the
circular of State Bank of Pakistan, Enterprise Technology Governance and Risk
Management Framework (ETG&RMF), BPRD Circular No. 05 of 2017. It supports the BCP
document and is focused on giving a systematic approach to recover the IT setup of
Summit Bank.

GOALS AND OBJECTIVES

The goal of the IT DRP is to provide a level of assurance that the critical systems at the Data
Centre will continue in the event of an incident.
The objectives of the DRP are to:
- Ensure preliminary incident assessment information has been evaluated and
  reported accurately;
- Allow for the detailed and efficient resumption of critical applications and
  servers in the wake of any incident rendering the Data Centre or the systems
  inaccessible;
- Ensure partially damaged or undamaged equipment and data have been
  protected from further damage, if possible;
- Minimize the impact an incident will have on the ongoing services provided by
  IT Unit.


APPROACH

[Figure: approach stages: BCP BIA & Risk Identification; Identification of Recovery Time Objectives; Disaster Recovery Strategies; Disaster Recovery Plan]

Stage 1: Risk Identification

As part of the Business Continuity Plan development, Business Impact Analysis and Risk
Identification were performed to identify specific events and threats that can adversely
affect the IT resources with disruption as well as disaster, and the impact of such events.

Stage 2: Recovery Point and Time Objectives

During this stage, the team established the specific recovery time objectives (RTO) and
recovery point objectives (RPO) for the DRP. This exercise assisted in identifying
time-critical systems and applications, recovery priorities, and inter-dependencies so that
recovery time objectives can be met.

Stage 3: Disaster Recovery Strategy

Having defined the critical systems/applications along with associated recovery time
objectives, the focus of this stage was to identify a viable recovery strategy and make
recommendations to ensure the recovery of systems/applications within the recovery time
objectives, while maintaining the organization’s critical functions.

Stage 4: Disaster Recovery Plan Development

The final stage of this exercise was to develop the overall Disaster Recovery Plan based on
the selected strategy options in order to provide continuity within the recovery time
objectives.

ASSUMPTIONS

The following are the common assumptions that have been used in the development of the
Disaster Recovery Plan:
- The incident may occur at the worst possible time;
- The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of
  computer systems, temporary loss of access to the Data Centre, telecommunications
  failure);
- Some or many of your staff may be unavailable for work following the incident;
- An alternate location would be available; and
- Staff might have to work from this location for up to several weeks.

The following are some specific assumptions used in the development of the IT Disaster
Recovery Plan:
- Formal IT Disaster Recovery Team structure is in place; and
- Command & Control Team is functional.


1.2 Plan Scope

This document defines the activities to be carried out by members of IT Division to recover
the service of pre-determined critical computer applications to business user departments
following the loss of (or loss of access to) IT Primary Site at Summit Tower, 10th Floor, G-2
Building, Clifton Block-2, Karachi, Pakistan.

Although this Plan is designed for the worst case scenario (i.e. complete loss of the site), it
is structured in such a way as to be useable should any lesser incident occur such as loss of
a single floor or department. This can be done by referring to those sub sections of the
Plan, which relate to the incident concerned.

The detailed contents of this Plan are limited to those activities to be carried out by IT
Division only, with references made to other areas of responsibility where appropriate (e.g.
building evacuation procedures are not included in this document but need to be kept in
line with it to ensure that invocation of the Plan is done in a timely manner).

The Plan is also designed to be flexible in terms of the reason for invocation. It is possible
that an incident at Summit Bank Limited, Summit Tower, 10th Floor, G-2 Building, Clifton
Block-2, Karachi, Pakistan, could affect the IT Division area only thereby requiring
invocation by IT Division, or that an incident could affect a business unit’s area only
requiring them to invoke their Business Continuity Plan (BCP). This latter example would
require initial notification from the business unit concerned to IT Division who would then
follow the recovery activities specified in this document.

IT DISASTER RECOVERY SITE:

An IT disaster site located at Muhammad Ali Society Branch, Karachi is operational with
real-time systems backup services and is equipped with all the necessary systems,
applications, networking, hardware and software, fully capable of operating as the IT Primary
site. This IT Disaster Site is also used as the BCP site for the IT Division. IT DR Tests are
conducted regularly to ensure readiness to provide core banking, other applications
and services under extreme disruptions and contingencies.

1.3 Intended Users

This document is intended for use by all members of the IT Division, Information Security
Unit, Risk Management Group, Country Operations and Administration involved in any
recovery exercise following an incident resulting in staff having to relocate from Summit Tower,
10th Floor, G-2 Building, Clifton Block-2, Karachi, Pakistan. Use of the document will be
under the strict control of IT management & RMD, who will allocate responsibilities and
maintain records pertaining to the recovery process.


SECTION 2. DOCUMENT CONTROL

2.1 Purpose

It is vital that this document is kept up to date and that all responsible parties are in
possession of the latest version. Careful control and distribution must therefore be
maintained and this section's purpose is to facilitate this process by providing an update
history together with a detailed distribution list.

2.2 Plan Distribution

Copies of the plan are listed in this table (i.e. those held at individuals’ homes as well as
those held in office locations).

| Copy | Owner | Location |
| --- | --- | --- |
| 01 | IT | IT Division, Summit Tower, 10th Floor |
| 02 | Internal Audit | Audit Division, Summit Tower, 13th Floor |
| 03 | Country Operations | Operation Division, Summit Plaza, 10th Floor |
| 04 | Risk Management | Risk Management Group, Summit Tower 11th Floor |
| 05 | Compliance | Compliance Division, Summit Tower 13th Floor |
| 06 | IT Security Unit | Summit Plaza 12th Floor |
| 07 | Administration | Summit Tower 11th Floor |


SECTION 3: DISASTER DEFINITION, CLASSIFICATION & PLAN GUIDELINES

DISASTER DEFINITION

A Disaster is an incident that results in interruption to Summit Bank IT processing
capabilities and has significant impact on the business critical functions. Critical functions
get affected if required systems are unavailable beyond their Recovery Time Objective
(RTO) timeframes.

CLASSIFICATION OF IT DISASTERS

During its day-to-day operations SMBL will face different types of disruptions. The
priority of each disruption will vary based on the impact of the equipment on business
processes, determined in terms of RTO during business impact analysis (BIA). To allow for a
systematic approach to recovery, the following list categorizes each infrastructure component
based on its RTO. It indicates the different RTO categories and the failure
classification based on RTOs. This will allow the organization to give an appropriate
response suitable to the identified classification.

Categories to prioritize recovery objectives:
- Critical: Applications/IT Infrastructure requiring recovery within 1 – 4 hours.
- Essential: Applications/IT Infrastructure requiring recovery within 4 – 24 hours.
- Necessary: Applications/IT Infrastructure requiring recovery within 24 – 72 hours.
- Desirable: Applications/IT Infrastructure requiring recovery whenever possible.

RTO – 1 TO 4 HOURS (CRITICAL)

| Failure Type | Details | Services / Users Affected |
| --- | --- | --- |
| Network | Failure of Core Switch | Head Office building users; Banking & Peripheral application users at Head office; Banking & Peripheral application users at all Branches; Internet users |
| | Failure of Core Router | Branches connectivity from Head Office; Banking & Peripheral application users at all branches; DR site connectivity from Head Office; Internet users |
| | 1Link Network | ATM Shared Network, UBPS, POS, MasterCard, UPI |
| | eOcean Network | SMS and Short code Services |
| Applications | hPLUS | Core Banking Application |
| | iMAL (Database) | Core Banking Application |
| | iMAL (Weblogic – OHSBranches) | Core Banking Application |
| | iMAL (Weblogic – Branches) | Core Banking Application |
| | iMAL (Weblogic – ATMs) | Core Banking Application |
| | Avanza | Core DB of ADC |
| | ESS | HR Portal DB |
| | Amanat Cash | Amanat Cash DB |
| | Rendezvous Middleware | Core ESB ADC Middleware |
| | Nimbus ATM Controller | ATM Controller Application |
| | Mobile Banking App | Mobile App – Digital Banking |
| | SQL Server Database | Core Avanza App Database |
| | Ambit Internet Banking | Retail internet banking, Digital Banking |
| | hPLUS gateway | Core Middleware for trxn processing |
| | Summit Middleware | Core Middleware for trxn processing |
| | Vision Card Management | Card Management System |
| | Call Center Application | Call Center Application, Digital Banking |
| | Voice Recording | Voice recording or Treasury deals; Treasury Front Office dealers |
| | Payroll | Disbursement of Salaries |
| | IBM Notes | Internal & External E-mail of all departments |
| | Proxies | Internet access of all departments |
| | CIB | For CIB reporting |
| | CIMS | |
| | DNS Server | Domain Translator for all users |
| | EMV | EMV Card |
| | Etopup | Topup services |
| | File Sharing Server | All users data sharing |
| | Fortimail | Threat Protection solution |
| | FortiSandbox | threat prevention |
| | HRIBFT | Interbank fund transfer |
| | HRPaperless | HR application |
| | Intranet | Inhouse applications portal |
| | Isuite | ATM Monitoring |
| | kaspersky | Antivirus |
| | MIS Scheduler | Scheduler |
| | Nadra | Nadra Services |
| | Qradar | Event logger |
| | Reverse Proxy | Proxy |
| | RTGS | Real Time Gross Settlement |
| | SWIFT Alliance Access | SWIFT Application |
| | Western Union | Home Remittance |
| | WSUS | Windows Patch Update |
| Hardware | SAN Storage Unit | Storage area for all servers in the SAN rack. Includes hPLUS, etc. |
| | HUSVM | Storage and Controller |
| | SAN Switches | SAN Switch to Connect FC |
| | FCIP Switch | Copying at DR Site via Hitachi |
| | Hardware Security Module (HSM) | HSM for Card, OTP, FPIN generation & Validation for ATM, Mobile App, IB. |
| | C7000 Chassis (servers) | Blade servers for Virtual Machines |
| Failure of supporting infrastructure | UPS / Generators failure | Power for server and communication rack |
| | Air conditioner failure in Server Room | Environmental control for IT equipment |

RTO – 4 TO 24 HOURS (ESSENTIAL)

| Failure Type | Details | Services Affected |
| --- | --- | --- |
| Application | LMMS | Lease Management |
| | iSuite Application | ATM monitoring |
| | Biometric Application | Biometric Application for A/C opening |
| | hPLUS web Banking | Corporate web banking |
| | Home Remittance IBFT | Home remittance |
| | KuickPay Application | eDivident Payments |
| | Active Directory | Domain Controller |
| | Benchmatrix | An online training module system |
| | Bio Metric Verification | Biometric verification |
| | Clearing | Clearing Solution |
| | cognos | MIS reporting |
| | Solid Core Suite | firewall |
| | TIS-Server | Time server |
| | File Sharing Server | All users data sharing |
| | ITRS | Trade Reporting |
| Hardware | SVN-A | |
| | Voice Recording Machine | Voice recording |
| Networks | 1Link FRM Services | Card & IBFT transaction monitoring |
| | Ufone USSD | Ufone USSD services |
| | NADRA | NADRA UBPS, Biometric Services |
| | VRG | IBFT Services to UBank |
| | 1Link FTDH | Fraudulent transaction reporting |
| | 1Link SDRS | Switch Dispute Resolution Services |
| | SBP MPG | Micro Payment Gateway Services |
| | NetConnect | eCommerce Payments |
| | NAFA | Debit Card Transactions |
| | APPS | Mobile Payments & QR Services |

RTO – 24 TO 72 HOURS (NECESSARY)

| Failure Type | Details | Services Affected |
| --- | --- | --- |
| Applications | HP data protector | Tape Backup/Restore |
| Hardware | HP data protector | Tape Backup/Restore |

RPO – FOR APPLICATIONS

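| Application | RPO | Method |
| --- | --- | --- |
| hPLUS | 30 Seconds | Real-time Replication (Sync Mode) |
| iMAL Database | 300 Seconds | Real-time Replication (A-Sync Mode) |
| iMAL Weblogic – OHS | 300 Seconds | Real-time Replication (A-Sync Mode) |
| iMAL Weblogic – Branches | 300 Seconds | Real-time Replication (A-Sync Mode) |
| iMAL Weblogic – ATMs | 300 Seconds | Real-time Replication (A-Sync Mode) |
| Avanza (DB Data) | 30 Seconds | Real-time Replication (Sync Mode) |
| ESS (DB Data) | 30 Seconds | Real-time Replication (Sync Mode) |
| AmanatCash (DB Data) | 30 Seconds | Real-time Replication (Sync Mode) |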

Application RPO Method


Avanza 24 Hours VMWare / Veeam Backup
ESS 24 Hours VMWare / Veeam Backup
Amanat Cash 24 Hours VMWare / Veeam Backup
Rendezvous Middleware 24 Hours VMWare / Veeam Backup
Nimbus ATM Controller 24 Hours VMWare / Veeam Backup
Mobile Banking App 24 Hours VMWare / Veeam Backup
SQL Server for Database 24 Hours VMWare / Veeam Backup

Operational Risk Management - Risk Management Division Page 15 of 50


Information Technology – Disaster Recovery (IT-DR) Plan
- Policy Document
Document Owner: ORM - RMD Release Date: 2021 Next Revision Date: 2023

Ambit Internet Banking 24 Hours VMWare / Veeam Backup


hPLUS gateway 24 Hours VMWare / Veeam Backup
Summit Middleware 24 Hours VMWare / Veeam Backup
Vision Card Management 24 Hours VMWare / Veeam Backup
Call Center Application 24 Hours VMWare / Veeam Backup
Voice Recording 24 Hours Hardware - BCP site
Payroll 24 Hours VMWare / Veeam Backup
IBM Notes 24 Hours VMWare / Veeam Backup
Proxies 24 Hours VMWare / Veeam Backup
Kaspersky 24 Hours VMWare / Veeam Backup
Reverse Proxy 24 Hours VMWare / Veeam Backup
Active Directory 24 Hours VMWare / Veeam Backup
DNS Server 24 Hours VMWare / Veeam Backup
Fortimail 24 Hours VMWare / Veeam Backup
FortiSandbox 24 Hours VMWare / Veeam Backup
HP data protector 24 Hours Hardware
CIB 24 Hours VMWare / Veeam Backup
CIMS 24 Hours VMWare / Veeam Backup
EMV 24 Hours VMWare / Veeam Backup
Etopup 24 Hours VMWare / Veeam Backup
HRIBFT 24 Hours VMWare / Veeam Backup
HRPaperless 24 Hours VMWare / Veeam Backup
Intranet 24 Hours VMWare / Veeam Backup
Isuite 24 Hours VMWare / Veeam Backup
MIS Scheduler 24 Hours VMWare / Veeam Backup
Nadra 24 Hours VMWare / Veeam Backup
RTGS 24 Hours VMWare / Veeam Backup
SWIFT Alliance Access 24 Hours Separate appliance
Western Union 24 Hours VMWare / Veeam Backup
WSUS 24 Hours VMWare / Veeam Backup
LMMS
iSuite Application 24 Hours VMWare / Veeam Backup
Biometric Application 24 Hours VMWare / Veeam Backup
hPLUS web Banking 24 Hours VMWare / Veeam Backup
Home Remittance IBFT 24 Hours VMWare / Veeam Backup
KuickPay Application 24 Hours VMWare / Veeam Backup
Benchmatrix 24 Hours VMWare / Veeam Backup
Bio Metric Verification 24 Hours VMWare / Veeam Backup
Clearing 24 Hours VMWare / Veeam Backup
Cognos 24 Hours VMWare / Veeam Backup
Solid Core Suite 24 Hours VMWare / Veeam Backup
TIS-Server 24 Hours VMWare / Veeam Backup
ITRS 24 Hours VMWare / Veeam Backup


PLAN GUIDELINES

3.1 Purpose

It is the nature of Disaster Recovery Plans that they are not in everyday use, and therefore
the people for whom they are intended lose familiarity with the content. This section is
intended as a reminder of the plan’s structure and how the information contained in each
section is meant to be used.

3.2 Plan Flowchart / Role Hierarchy

A flowchart of how the Plan is designed to be used is probably the best way to achieve the
above. It is helpful to include references to Plan sections within the flowchart to make this
process clearer. An example is given below: -

President & CEO
  BCP / DR Administrator (Head of RMD)
    Command and Control Team
      Administration Human Resource and Legal Division
      IT Security Team
      IT Network Team and IT Data Base Administrator
      IT Offsite Storage Team
      Emergency Management Team
      Incident Response Team


SECTION 4: IT RECOVERY STRATEGY

ASSUMPTIONS

The following assumptions are made to keep the infrastructure at the redundant DR site located at Muhammad Ali Society, Karachi consistent with the main data center, which will help in ensuring an efficient recovery and avoiding unexpected surprises:
• Server machines should be available to host all the applications discussed in the previous section of this document. Ideally the server rack would be identical; otherwise a clear mapping of applications to host servers should be developed, taking the load balancing exercise into account;
• Communication rack equipment such as routers and telecom interface devices should preferably be identical;
• Appropriate bandwidth should be available between the DR site and the main data centre to ensure proper replication activities;
• Connectivity between the DR site and all the branches is similar to that of the original data centre; and
• All application and system backups should be available.

STRATEGY

The disaster recovery strategy is used by Summit Bank to resume operations if a threat materializes. It requires processing to be shifted to the DR site located at Muhammad Ali Society, Karachi if the disruption is estimated to exceed the determined RTOs. The different components of this strategy are as follows:

HP C7000 CHASSIS SERVERS

These are used at the DR site as the machines that host all the major applications. There are a total of 6 blades in the chassis, with the same hardware specification, in the SAN rack, which collectively serve as the main processing engine. This server configuration has RAID level 5 and redundant power supplies to meet the high availability requirement.

REPLICATION AND DATA BACKUP

Replication between the Head Office data center and the DR site ensures that applications at both locations maintain a consistent data state, thus providing a low RPO (recovery point objective). Recovery relies on the replication mechanism available within each application; where none is provided, a third-party tool is used. In addition, the daily data backup from the Head Office data center is transferred electronically to the DR site for storage.
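The RPO targets in the plan's tables can be turned into a monitoring rule that flags an application whose newest recovery point at the DR site is older than its target. The following is an added example, not part of the original plan or the bank's tooling; the feed format, function names and sample timestamps are assumptions constructed for illustration, and how each timestamp is collected from the replication or backup product is outside its scope.

```python
from datetime import datetime, timezone

# RPO targets in seconds, copied from the plan's "RPO - FOR APPLICATIONS" tables.
# "\u2013" is the en dash printed in the plan's application name.
RPO_SECONDS = {
    "hPLUS": 30,                    # real-time replication, sync mode
    "Weblogic \u2013 OHS": 300,     # real-time replication, a-sync mode
    "Avanza (DB Data)": 30,         # real-time replication, sync mode
    "Active Directory": 24 * 3600,  # VMWare / Veeam backup
    "DNS Server": 24 * 3600,        # VMWare / Veeam backup
}

# Constructed status feed (hypothetical format): application|UTC time of the newest
# recovery point confirmed at the DR site (last applied change or last good backup).
SAMPLE_FEED = [
    "# collected 2022-03-01T10:00:00+00:00 (constructed sample, not real data)",
    "hPLUS|2022-03-01T09:59:48+00:00",
    "Weblogic \u2013 OHS|2022-03-01T09:52:00+00:00",
    "Avanza (DB Data)|2022-03-01T10:00:20+00:00",
    "Active Directory|2022-02-28T11:30:00+00:00",
    "DNS Server|not-a-timestamp",
]


def parse_feed(lines):
    """Return {application: aware datetime}.

    Rows that cannot be parsed, or that carry no UTC offset, are dropped so the
    application later surfaces as NO_DATA instead of being silently trusted.
    """
    points = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, sep, stamp = line.partition("|")
        try:
            when = datetime.fromisoformat(stamp.strip())
        except ValueError:
            continue
        if sep and when.tzinfo is not None:
            points[app.strip()] = when
    return points


def check_rpo(points, now):
    """Classify every application in RPO_SECONDS as OK, BREACH, CLOCK_SKEW or NO_DATA."""
    report = {}
    for app, rpo in RPO_SECONDS.items():
        point = points.get(app)
        if point is None:
            report[app] = ("NO_DATA", None)
            continue
        exposure = (now - point).total_seconds()  # data that would be lost right now
        if exposure < 0:
            status = "CLOCK_SKEW"  # recovery point is in the future: fix time sync first
        elif exposure > rpo:
            status = "BREACH"
        else:
            status = "OK"
        report[app] = (status, exposure)
    return report


def needs_attention(report):
    """Applications whose status is anything other than OK, sorted by name."""
    return sorted(app for app, (status, _) in report.items() if status != "OK")


if __name__ == "__main__":
    now = datetime(2022, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    for app, (status, exposure) in check_rpo(parse_feed(SAMPLE_FEED), now).items():
        print(f"{app:20} {status:10} {exposure}")
```

A missing or unparseable row is reported as NO_DATA rather than OK, because silence from a replication monitor is itself a condition the recovery teams need to see.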

HPLUS

hPLUS is the main banking application that caters for banking operations and has the highest priority in the SMBL IT environment; in case of any disruption, hPLUS will be recovered first. hPLUS runtime components are hosted on a SUN M5000 server machine / Hitachi Storage on the main server racks. The availability of ADC Services requires the ADC Database / middleware, which are hosted in the VM environment.

CONNECTIVITY

Connectivity is ensured through service provider infrastructure, with bindings identified through SLAs. The service providers are Cybernet, Wateen, Supernet, Mobilink, Sharptel and Multinet etc. The different media types (Fiber, Radio, WiMax/LTE and Satellite) are used to ensure redundancy. In case of failure at the main data center, all available media connections will be shifted seamlessly to the data center located at the DR site; no configuration changes are required on the provider network.

FG-1200D CORE ROUTER

A core router is placed at the DR site in auto failover mode (cluster environment) for connecting the data center on the SMBL backbone. The router has provision for 10Gig and 1Gig Ethernet interfaces to provide appropriate media connectivity. The router is connected only to the service provider, through External Link Switches using VLANs, which provides further routing to all the branch subnets. Routers are also configured to shift traffic automatically to backup media in case of failure of the designated main media of the site.


IT RECOVERY TEAMS TO ACT DURING THE DISASTER:


The following Recovery Teams will be activated as soon as an IT disaster is declared in the Bank by the Command & Control Team. Each will make all the necessary emergency arrangements in a coordinated manner within its functional area to assess, control and mitigate the effects of the disaster, and take recovery and restoration measures to resume the systems, applications, banking services & operations as soon as possible.

COMMAND & CONTROL (EMERGENCY MANAGEMENT) TEAM:

Team will take all critical decisions and guide the various teams during the disaster.

Designation
President & CEO
Head of Risk Management
Head of IT Division
Head of Country Operations
Head of Administration
Head of Human Resources

INCIDENT RESPONSE TEAM:


Team will take all emergent decisions in coordination with the Emergency Management
Team for the provision of necessary equipment, machines, and services internally and
externally through various vendors required for the restoration.
Designation
Head of Information Technology
Head of Digital Banking & Service Quality
Head-Data Centre Operations & Help Desk
Head-Network Infrastructure & DR
Database Administrator
Head of Country Operations
Head of Administration
Head of Human Resources
Head of Risk Management

IT SECURITY TEAM:

Team will take measures for the safety & security of IT assets.

Designation
Head of IT Security
Head of IT Division
Head of Administration
CFO
Data Base Administrator

OFFSITE STORAGE TEAM:

Team will ensure that data backup is stored remotely at the IT Data backup site and through Data Back Up Tapes etc.

Designation
Head of IT
Head Data Center
Data Base Administrator
Head of IT Security
CFO

NETWORK RECOVERY TEAM:


Team will be responsible for the restoration of network connectivity from IT Primary and
secondary sites to the head offices, branches and BCP sites.
Designation
Head of Information Technology
Head-Data Centre Operations & Help Desk
Head-Network Infrastructure & DR
Database Administrator
Manager and Staff in Data Network Unit

ADMINISTRATIVE & HR SUPPORT TEAM:

Administration and HR Team will be responsible for:
• Restoration of premises
• Arrangement of equipment, furniture and other supplies and services
• Staff-related matters such as staff transfers, insurance, compensation etc. (HR)

Designation
Head of Administration
Manager Administration & General Services
Manager Branch Expansion & Engineering Services
Head of Human Resources Division
Unit Head HR Operations
Unit Head Compensation & Benefits & HR System Administration

LEGAL AFFAIRS TEAM:

Team will take care of legal matters or issues arising out of the disaster.

Designation
Head of Legal Affair Division
Senior staff in Legal division

SECTION 5: INVOCATION PROCEDURES

Some pre-determined guidelines on when the plan should be invoked are often helpful, especially when the incident is of a lesser nature and the primary site (Summit Tower G2 Building) recovery time is unclear.

4.1 Purpose

It is imperative that following a disaster occurrence, detailed comprehensive procedures are defined regarding the invocation of any recovery plans, be they for business units or for systems service restoration.

4.2 Invocation Authority

Invocation of this plan will be the responsibility of SMBL management consisting of the following people:

• President & CEO
• Head of Risk Management
• Head of IT Division
• Head of Country Operations
• Head of Administration

4.3 Invocation during Office Hours

Notification Received Via Alarms

Follow “normal” evacuation as directed by security or emergency services personnel. The Building Emergency Officer for the building and/or the Floor Emergency Officers must assemble staff at the pre-determined assembly point and conduct a roll call.

4.4 Invocation outside Office Hours

This section should contain a set of emergency instructions, usually held by building
security (or even an emergency call centre), who should have details of the relevant SMBL
Senior Management for the location concerned as follows: -

Business Continuity Manager: Head of IT Division
Head of Risk Management
Head of Country Operations
Head of Administration

The SMBL Senior Management listed above will then be responsible for notifying Departmental Continuity Co-ordinators (DCCs) of the incident and instructing them to take one of the following actions:

• Instruct DCCs to report to a pre-defined Incident Command Centre; or
• If a disaster is to be declared, activate the call tree before reporting to the Incident Command Centre


Further notification will then be carried out as per section 5 below (Notification Structure).

SECTION 6: NOTIFICATION STRUCTURE

5.1 Purpose

In a disaster situation, it is vital that there is a clear definition of the structure of initial
personnel notification, so that confusion is avoided and notification is comprehensive. This
section sets out the notification structure which has been pre-agreed by IT Division
management for such an eventuality, defining the levels of responsibility (i.e. who contacts
whom).

The Notification Structure below is for example purposes only and should be tailored to
meet the needs of the location concerned when documenting individual plans. It is
recommended that notification lists are contained in tables in Appendices to the plan,
which can then be used as logs in order to keep a record of events during the incident.

5.2 Initial Disaster Notification

This would usually be the responsibility of the IT Head (or designees) who are authorised to
invoke the plan and who will have been notified of the incident through pre-defined Crisis
Management Procedures. Typically, they will then inform the IT personnel who will head
up the Recovery Teams (as specified in Section 6), who in turn would inform their individual
team members of the incident and of the action now to be taken.

The personnel informed here should hold their own copies of this document (at home and
in the office), and therefore will be familiar with what to do once notified.

Contact details to be made are contained in APPENDIX A1.

5.3 Notification within IT Division

Responsibilities and contacts are contained in APPENDIX A2.

5.4 Notification of SMBL Management

Responsibilities and contacts are contained in APPENDIX A3.

5.5 Notification of External Contacts

Responsibilities and contacts are contained in APPENDIX A4.

5.6 Useful Contact Numbers

Details contained in APPENDIX A5.

5.7 Notification Logs

Notification logs provide a recording mechanism of who has been informed and when.
These will assist in keeping track of progress and ensure no duplication of effort is made.
Each notification list defined in APPENDIX A will also form the notification log for the
contact names contained within it, and should be initialled by the person carrying out the
notification when successful contact has been achieved. Any unsuccessful attempts should
also be recorded in order that further attempts can be made if necessary or appropriate
procedures can be set in motion to locate the person or persons concerned.

The designated person(s) responsible for each group must therefore ensure that they
complete the Notification Log for their assigned list and return it to the designated Incident
Command Centre at DR Site as soon as is possible.


SECTION 7: RECOVERY TEAMS

6.1 Purpose

In a disaster situation people will need to take on special responsibilities to effect the
recovery. Such responsibilities need to be defined clearly, and the assignments can then be
made from the pool of staff available at the time. Provisional allocations have been made
but will be confirmed at the time with the personnel available.

Records should be kept of personnel assigned to specific teams in order that the recovery
process is controlled in an orderly manner and that a record of staff not actively involved
on-site is maintained (this can then be used if required to call on extra resource as/when
necessary).

APPENDIX B contains tables for this purpose.

Additionally, checklists are also included in APPENDIX C detailing the tasks to be carried out
by each of the teams.

Exact details of team personnel and responsibilities will vary from plan to plan and should
be given careful consideration. It is suggested that a team is put together for each physical
location where recovery activities will take place (whether for systems recovery or business
unit recovery). This will enable separate checklists to be defined (in APPENDIX C) for each
location and thus make the plan more flexible in the event of smaller scale incidents.

6.2 Disaster Recovery Site Team

The Disaster Recovery Site Team will be drawn from available personnel present at the IT
Incident Command Centre. Details of requirements are contained in APPENDIX B1.

6.3 MACHS (DR & BCP Site) Recovery Team

The IT DR & BCP Site Recovery Team at Mohammad Ali Society Branch, Karachi will be formed and could consist of the same personnel as above. Details of requirements are contained in APPENDIX B2.

6.4 Incident Command Centre Team

Once the recovery process is underway, an IT representative(s) will be required to remain at the Incident Command Centre Location (as defined in any associated Crisis Management Procedures and Business Continuity Plans). This area should act as a central reference point to be contacted for the latest status regarding the overall recovery process.

Personnel assigned to this team should be recorded as per APPENDIX B4.

All IT records and logs should therefore be forwarded and held at this location.


SECTION 8: TEAM MEETING LOCATIONS

7.1 Purpose

This section should define the location(s) to be used for controlling the recovery process. It
is important that people know where they are to go once notified in order to avoid
confusion at the time of crisis so that recovery can begin without delay.

Please note that the following sub-sections should correspond with the Recovery Teams
defined above in section 6.

7.2 Disaster Recovery Site Team

Include directions/instructions of how to get to the pre-defined meeting location.

It would be advantageous to also include a map or diagram of the agreed meeting area to
assist in the recovery process.

7.3 MACHS (DR & BCP Site) Recovery Team

Include directions/instructions of how to get to the pre-defined meeting location.

It would be advantageous to also include a map or diagram of the agreed meeting area to
assist in the recovery process.

7.4 Incident Command Centre Team

Pre-defined meeting location: Plot# 4-C Commercial Area Muhammad Ali Co-Operative
Housing Society


SECTION 9: ESSENTIAL DOCUMENTATION

8.1 Purpose

This section identifies essential documents stored at the Disaster Recovery sites listed
below. These will be required following a disaster occurrence in order to facilitate a timely
recovery in line with business requirements.

8.2 At Disaster Recovery Site(s)

Server Room Filing Cabinet

• Standard Build Documentation
• Application Restore Procedures
• Technical Manuals
• Disaster Recovery Plan copy

8.3 At Incident Command Centre Location

IT Division Filing Cabinet

• Disaster Recovery Plan copy

8.4 At Business Continuity Site

IT Division Filing Cabinet

• Disaster Recovery Plan copy
• Application Restore Procedures


SECTION 10: INVENTORIES

9.1 Purpose

Following loss of Data Centre at Head Office, it will be necessary to set insurance claims
processing in motion. To assist in this process inventories of hardware and software should
be maintained (usually by IT Division). This section gives details of where these inventory
lists are located.

9.2 Hardware Inventory

Soft Copy: SMBL, Intranet

Hard Copy: Locker, Head Office

9.3 Software Inventory

Soft Copy: SMBL, Intranet

Hard Copy: Locker, Head Office


SECTION 11: OFFSITE STORAGE DETAILS

10.1 Purpose

In order to expedite the recovery process, it is essential that backup and recovery
arrangements are pre-defined within this plan. This section therefore contains details of
offsite storage arrangements and associated procedures for backup and restoration.

OFFSITE STORAGE TEAM:

Team will ensure that data backup is stored remotely at the IT Data backup site and through Data Back Up Tapes in the designated locker etc.

Designation
Head of IT
Data Base Administrator
IT Systems Team
Head of IT Security
CFO

10.2 Offsite Storage Arrangements

Tape Storage

Series of backup tapes (see Backup & Restore Procedure for detail) located in in-house locker

Storage in DRP Server

Backup is restored on a periodic basis on the DRP Server, where the database is up and running all the time.

For Backup & Restore Procedure please see Backup & Retention Procedure document.


SECTION 12: PLAN MAINTENANCE

11.1 Purpose

It is vital that this plan is kept current to ensure that delays do not occur after invocation. A schedule of suggested record maintenance tasks is given below to enable this to take place.

11.2 Details Updation

Frequency Task

Quarterly
• Personnel changes
• Applications
• Verify Contact List

Annually
• Update after annual full DR Test
• Check off site copies of DR document are in place

Ad Hoc
• Configuration changes
• Application changes
• New vendor agreements
• New outsource agreements


SECTION 13: PLAN TESTING

12.1 Purpose

It is imperative that detailed testing plans are produced to support the Disaster Recovery
document. The plan is not a working document until it has been fully tested and proven.

12.2 Responsibility

It is recommended that testing is treated as a separate entity to the Disaster Recovery plan
itself and be managed by the Risk Management Group.

The Risk Management Division would conduct the IT DR test annually at the IT DR Site, thereby ensuring readiness to handle contingencies that cause operational disruptions of low to extremely high degree.

RMD will prepare and communicate for each testing slot:

1) Pre-test documentation defining test scope, personnel involved, success criteria and timings; and

2) Post-test reviews documenting results against expectations and any remedial activity required. Appropriate signoffs would be obtained for each test and the results kept for audit purposes and for a minimum period of 5 years.


APPENDIX A: CALL TREE INFORMATION

APPENDIX A1: Initial Disaster Notification

Name Tel (Office) Tel (Mobile)


Head of IT 35316178 0320 2220618
Head Risk Management 32463604 0322-2009121
Head of Operations 32467723 0322 2009165
Head of Administration 32468585 0300 3625513

Please enter details of all attempts made whether successful or unsuccessful. Pass
completed forms to the Incident Command Centre.

APPENDIX A2: Notification Within IT Division to the following functional titles.

Name Tel (Office) Tel (Mobile)


Head of Information Technology 021 3531 6178 0320 2220618
Head of Digital Banking & Service Quality 021 35316 185 0320 2220437
Head-Data Centre Operations & Help Desk 021 3531 7779 0345 2960201
Head-Network Infrastructure & DR 021 3531 6188 0322 2009168
Database Administrator 021 3531 6188 0320 2220134
Team Lead Networks 021 3531 6179 0320 2220117
Manager-Systems Administration & Data Centre 021 3531 6186 0320 2220440
Head of ADC 021 3531 6183 0322 2009172

Please enter details of all attempts made whether successful or unsuccessful. Pass
completed forms to Incident Command Centre at.

Instruct as appropriate for initial meeting depending on nature of disaster.


APPENDIX A3: Notification to SMBL Management

Name Tel Ext. (Office) Tel (Mobile)

President & CEO 32463570 0333-3901005
Head of IT 35316178 0300-8234577
Chief Risk Officer 32463602 0321-2011191
Group Head HR 35316180 0300-8229647
Country Head of Administration Services and Establishment 32463562 0300 3625513
Head of Internal Audit 32468439 0322 2009083
Chief Compliance Officer 32463604 0322 2009120
Group Head Operations, Islamic & Consumer Banking 35792010 0302-8286699


APPENDIX A4: List of External Contacts

S# | Vendor Name | Description / Remarks | Contact Information | Postal Address & Email Address
1 | Cybernet | Data & Internet Communication: Fiber Media, WiMAX Media, Satellite Media, RF Media | 111-44-55-66 | A-904, 9th Floor, Lakson Square Building No 3, Sarwar Shaheed Road, Khi. [email protected]
2 | Access | Data Communication: Satellite Media | 111-111-974, 38679804 | First Floor, Block F, Meharsons Estate, Talpur Road, Khi. [email protected]
3 | Fariya | Internet Communication: Fiber Media Internet | 38691557 | SB-25, Block# 13-C, Gulshan-e-Iqbal, Khi. [email protected]
4 | Multilynx | G2 Building LAN Switches Provider | 111-704-111 | Suite 316, 3rd Floor, Continental Trade Centre, Block 8, Clifton, Karachi [email protected]
5 | Multinet | Data & Internet Communication: Fiber Media, RF Media | 111-021-021 | 239 Staff Lines Fatima Jinnah Road, Khi. [email protected]
6 | Pakdatacom | Data Communication: DXX Media | 111-735-735 | PDL House, 225/C, Block 2, PECHS, Khi [email protected]
7 | Supernet | Data Communication: Fiber Media, WiMAX Media, YahClick Media, RF Media | 3587-7184-67 | 10th Floor, World Trade Center, 10 Khayaban e Roomi, Block 5, Clifton, Khi. [email protected]
8 | Wateen | Data & Internet Communication: Fiber Media, WiMAX Media | 3431-2171-80 | KN Building Housing Society Main Shahrah-e-Faisal, Khi. [email protected]
9 | Augere/ Sharptel | Data Communication: WiMAX Media | 35871171 | 10 Floor World Trade Center Khayaban-e-Roomi Clifton 5, Khi. [email protected]
10 | LINKdotNET (Mobilink) | Data & Internet Communication: Fiber Media, WiMAX Media, PMP Media | 111-600-222 | 44-A Main Shahrah-e-Faisal Block-6 PECHS Khi. [email protected]
11 | Synergy Computers | Servers & Storage Provider: SUN M5000 Servers, SUN M7-8 Server, SUN T5120 Servers, Hitachi Storages, SAN Switches, FCIP Switches, Oracle Web Logic, Oracle HTTP (OHS), MySQL Subscription from Oracle/SLA | 3454-0908, 3454-7068 | 56-D, K D A Scheme # 1, Main Miran Muhammad Shah Road, Khi. [email protected]
12 | Pronet | Network Equipment’s Provider: Juniper ISG-2000 SLA with Juniper, Fortigate (IPS) SLA with Fortinet | 35822401-4 | Horizon Tower Plot# Commercial 2/6 Block 3 Clifton, Khi. [email protected]
13 | Premier Systems | HP Datacenter Switches Provider: HP 5700 SLA with HPE | 32456400-32429051 | 2nd Floor, Business Plaza, Mumtaz Hasan Road, Khi [email protected]
14 | Commtel Network SBSOL | Network Equipment’s Provider: Juniper SSG5/20 (Local SLA), Cisco Switches (Local SLA) | 0333-2133911 | A-21 UK Plaza Block 7 FB Area Khi [email protected]
15 | Future Tech | Network Equipment’s Provider: Cisco Switches Smartnet SLA Cisco | 343110908-9 | 403-Pak Avenue Shahrah-e-Faisal, Khi. [email protected]
16 | PRTG | Network Management Software | www.paessler.com | [email protected]
17 | Host Monitor | Network Management Software | www.ks-soft.net | [email protected]
18 | Aqua Fold | Query Tool to connect Databases | www.aquafold.com | [email protected]
19 | Premier Systems | | 02132456455 | 2nd Floor, Business Plaza, Mumtaz Hasan Road, Karachi
20 | Haseen Habib | Fire Alarm System | 02134526240-41 | 7,8 & 9, Shaheen View, Block-6, P.E.C.H.S, Shahrah-e-Faisal, Karachi
21 | AA Services | UPS Maintenance | 02132316082, 02132316180 | C-1, Sultan Center, 11-West Wharf Road, Karachi-74000
22 | Infotel Pakistan Private Limited | HSM Device & Matica Card Production Machine Maintenance | 02134320008, 02134523016 | 4, 10th Floor, Jason Trade Centre 39-A-1, Block 6, P.E.C.H.S. Shahrah-e-Faisal, Karachi-75400, Pakistan
23 | eOcean Private Limited | SMS and Shortcode Services | 92.21.37188880 | 29-C, Sunset Street 1 Phase II extension, D.H.A Karachi, Pakistan
24 | Telecard Private Limited | Call Center Inbound and outbound line + UAN | 111-222-123, 021-38330000 | Telecard Limited 7th floor, Tower A, World Trade Center, 10, Khayaban-e-Roomi Block 5, Clifton, Karachi-75600 Pakistan.
25 | Avanza Solutions | Core ADC applications Support | UAN: 111-AVANZA (282-692) Tel: +92 21 32601440 – 41, 42 | Avanza Solutions (Karachi) Office # 14-B, Fakhri Trade Centre SR 6/10, Shahrah-e-Liaquat New Challi, Karachi-74200, Pakistan.
26 | NCR Pakistan | ATM and Biometric Solution Support | |
27 | Innovarge Pvt Limited | Kuickpay Transfer Application Support | 922134680217 | Innovarge Technologies (PVT.) LTD., C-4, Block B, Gulshan-e-Jamal, Rashid Minhas Road, Karachi, Pakistan.
28 | 1Link Private Limited | MasterCard, CUP, Shared ATM, UBPS, POS, FRM, FTDH, SDRS application support | +92 21 11 11 1LINK (15465) | 1LINK (Private) Limited Suite 211 – 212, Office Wing, Park Towers, Clifton, Karachi, Pakistan
29 | APPS Private Limited | Mobile Payment Services | +92 21 37132793 | Office # 7-B9, Fakhri Trade Center SR 6/10, Shahrah-e-Liaquat New Challi, Karachi-74200, Pakistan.
30 | Innv8 Private Limited | Fonepay app Support | +92 322 8181818 | 4th Floor, New Auriga Centre, Main Boulevard, Gulberg II, Lahore
31 | IDEMIA Pakistan | Debit Card Personalization and Packaging. | +92 21 3506 4016 | Plot # 189, Sector 23 Korangi Industrial Area Karachi Karachi-74900 Pakistan
32 | State bank of Pakistan | Micro Payment Gateway Support | 111-727-111 | State Bank of Pakistan I.I. Chundrigar Road Karachi Pakistan.
33 | Bilogic Inc | Summit Middleware Support | +92 3009202860 |
34 | NADRA | Biometric & UBPS Support | +92 3077770892 | NADRA State Bank of Pakistan Building, Shahrah-i-Jamhuriat, G-5/2, Islamabad, 44000, Pakistan
35 | Ufone USSD | Ufone Short code Services support | 033-11-333-100 | Ufone Tower, Blue Area, Islamabad, Pakistan
36 | Virtual Remittance gateway | VRG IBFT Services | |


APPENDIX A5: Useful Contact Numbers

| Company Name | Contact Number |
|---|---|
| Ambulance | 115, 1020, 1021 |
| Bomb Disposal | (92-21) 99212674 |
| Fire Brigade Center | 16, 99215007-8 |
| Civil Hospital (Casualties) | (92-21) 99215740 |
| Police Emergency | 15, 99212652-53 |
| Rangers Helpline | 1101, 32032629 |

APPENDIX B: Team Personnel Lists

APPENDIX B1: Disaster Recovery Site Team

Please hand this form to the Incident Command Centre once completed.

Disaster Recovery Site Team

“Enter Names of Personnel Assigned”

Non-IT Staff

1. Head of Country Operations
2. Head RMD

IT & ADC Staff

1. Head of IT Division
2. Head of Digital Banking & SQ
3. Head of Networks & DR
4. DBA
5. Network Team Lead
6. Head of Data Centre
7. Manager Systems
8. Head of ADC


APPENDIX C: CHECKLISTS

APPENDIX C1: Disaster Recovery Site Team

DISASTER RECOVERY SITE TEAM

| DEPENDENCIES | OBJECTIVES/RESULTS | ACTION STEPS | COMMENTS |
|---|---|---|---|
| Decision taken to invoke this Plan | Establish Disaster Recovery site environment | • Locate/Install BCP Server(s); • Contact third party suppliers for additional equipment | |
| Equipment available at BCP site | Install and test Business Continuity equipment and connectivity | • Connect up HUB(s) and Server(s); • Test all network points; • Install/Test workstations | |
| BCP site established | Restore application(s) | • Recover latest copies of system and data backups; • Restore operating system environment; • Restore application; • Restore data files; • Notify user management of availability and status | |
| Restoration complete | Hand over to business units. | • Obtain user acceptance; • Leave contact details for support. | |
| Business acceptance obtained | Operate from DR site until further notice | • Set up alternate offsite storage location(s) | |


APPENDIX C2: Incident Command Centre

INCIDENT COMMAND CENTRE TEAM CHECKLIST

| DEPENDENCIES | OBJECTIVES/RESULTS |
|---|---|
| Plan invoked | Establish IT representative at Incident Command Centre |
| Incident Command Centre established | Maintain all IT DR Plan related records and logs |
| Recovery process begun | Liaise with Business units |

Await Further Instructions from Incident Command Centre


At all emergency locations, await advice from the Incident Command Centre that all staff
may return to the affected building or that the longer-term Disaster Recovery plan is to be
invoked.
Note: The Off-site storage location for this department’s hard-copy records, special
stationery and other supplies is:
STORAGE LOCATION: Location or Reference to Section 8 above


APPENDIX E: Third Party Contract(s)

Company Name & Contact Details

NCR Corporation
State Life Building # 1-A Off,
I I Chundrigar Road,
Karachi.
021-242-6920,-22-23-25.

Wateen Telecom
KN Building Housing Society
Main Shahrah-e-Faisal,
Karachi.
021-431-2171-80

Multinet
Adnan Hameed
239 Staff Lines,
Fatima Jinnah Road,
Karachi.

Synergy Computers (Pvt) Ltd
56-D, K D A Scheme # 1,
Main Miran Muhammad Shah Road,
Karachi.
021-454-0908, 021-454-7068.

Infotel Pakistan
4, 10th Floor, Jason Trade Centre 39-A-1,
Block 6, PECHS
Shahrah-e-Faisal,
Karachi.
021-34320008, 021-34523016

eOcean Private Limited
29-C, Sunset Street 1
Phase II extension, D.H.A
Karachi, Pakistan

Telecard Limited
7th floor, Tower A, World Trade Center,
10, Khayaban-e-Roomi Block 5,
Clifton, Karachi-75600 Pakistan.

Avanza Solutions (Karachi)
Office # 14-B, Fakhri Trade Centre SR 6/10,
Shahrah-e-Liaquat New Challi,
Karachi-74200, Pakistan.

Innovarge Technologies (PVT.) LTD.
C-4, Block B, Gulshan-e-Jamal,
Rashid Minhas Road,
Karachi, Pakistan.

1LINK (Private) Limited
Suite 211 – 212, Office Wing, Park Towers,
Clifton, Karachi, Pakistan

Avanza Premier Payment Services (Pvt.) Limited
Office # 7-B9, Fakhri Trade Center SR 6/10,
Shahrah-e-Liaquat New Challi,
Karachi-74200, Pakistan.

Innov8 Private Limited
4th Floor, New Auriga Centre,
Main Boulevard,
Gulberg II, Lahore

IDEMIA Pakistan Private Limited
Plot # 189, Sector 23 Korangi Industrial Area
Karachi-74900 Pakistan

State Bank of Pakistan
I.I. Chundrigar Road
Karachi Pakistan.

NADRA
State Bank of Pakistan Building,
Shahrah-i-Jamhuriat,
G-5/2, Islamabad, 44000, Pakistan

Ufone
Ufone Tower, Blue Area,
Islamabad, Pakistan

APPENDIX F: Interdependencies of the System(s)


Applications Inter Dependency Matrix


| Task # | Application Readiness | Magnitude | Inter-dependencies |
|---|---|---|---|
| 1 | BCP Plan & System Readiness | Critical | |
| 2 | Network Infrastructure at DR site Activated | Critical | 1 |
| 3 | hPLUS Core Banking Application | Critical | 1,2 |
| 4 | hPLUS Middleware | Critical | 3 |
| 5 | Avanza SQL Server Database | Critical | 1 |
| 6 | Rendezvous Application | Critical | 1,4,5 |
| 7 | Vision Card Management Application | Critical | 5 |
| 8 | Hardware Security Module | Critical | 1,2 |
| 9 | Nimbus ATM Controller Application | Critical | 5,7,6 |
| 10 | Internet Banking Application | Critical | 5,7,6 |
| 11 | Mobile Banking App | Critical | 5,7,6 |
| 12 | eOcean SMS Gateway | Critical | 3,6,8 |
| 13 | 1Link Services ATM Shared ATM | High | 1,6,7,8 |
| 14 | 1Link Services UBPS | High | 1,6,7,8 |
| 15 | 1Link FRMS Services | High | 2,6 |
| 16 | 1Link SDRS Services | High | 2 |
| 17 | NADRA UBPS Services | Medium | 2,6 |
| 18 | NADRA Biometric Services | High | 2 |
| 19 | SBP Micro Payment Gateway | Medium | 2,6 |
| 20 | Virtual Remittance gateway | Medium | 2,6 |
| 21 | APPS QR and Mobile Payment Services | High | 2,6,11 |
| 22 | Call Center Services | Critical | 2,3,23,6 |
| 23 | Summit Middleware | Critical | 2,3 |
| 24 | NAFA Cobranded Card Services | Medium | 2,6 |
| 25 | uFone USSD Services | Medium | 2,6 |
| 26 | NetConnet eCommerce Payments | Medium | 2,6,10 |
| 27 | 1Link MasterCard & CUP Services | High | 2,6 |
| 28 | 1Link FTDH Services | Medium | 2 |
| 29 | iSuite Database Readiness | Medium | 2,5,9 |
| 30 | iSuite Application | Medium | 2,5,9 |
| 31 | Kuickpay Transfer DB Readiness | Medium | 6 |
| 32 | Kuickpay Transfer Application | Medium | 6 |
| 33 | Solid Core NCR | Low | 9 |
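
The inter-dependency column of the Appendix F matrix determines which systems can be brought up together at the DR site and which must wait. The following Python is an added example, not part of the plan: it transcribes the Appendix F rows, groups the tasks into recovery waves, and reports any task that depends on a higher-numbered one. The function names are illustrative assumptions.

```python
# Appendix F rows transcribed from the matrix: task number -> prerequisite tasks.
APPENDIX_F = {
    1: [], 2: [1], 3: [1, 2], 4: [3], 5: [1], 6: [1, 4, 5], 7: [5],
    8: [1, 2], 9: [5, 7, 6], 10: [5, 7, 6], 11: [5, 7, 6], 12: [3, 6, 8],
    13: [1, 6, 7, 8], 14: [1, 6, 7, 8], 15: [2, 6], 16: [2], 17: [2, 6],
    18: [2], 19: [2, 6], 20: [2, 6], 21: [2, 6, 11], 22: [2, 3, 23, 6],
    23: [2, 3], 24: [2, 6], 25: [2, 6], 26: [2, 6, 10], 27: [2, 6],
    28: [2], 29: [2, 5, 9], 30: [2, 5, 9], 31: [6], 32: [6], 33: [9],
}


def recovery_waves(deps):
    """Group tasks into waves; each task's prerequisites lie in earlier waves."""
    unknown = sorted((t, d) for t, ds in deps.items() for d in ds if d not in deps)
    if unknown:
        raise ValueError(f"dependencies on undefined tasks: {unknown}")
    remaining = {t: set(ds) for t, ds in deps.items()}
    waves = []
    while remaining:
        # A task is ready once all of its prerequisites have been scheduled.
        ready = sorted(t for t, ds in remaining.items() if not ds)
        if not ready:
            raise ValueError(f"dependency cycle among tasks {sorted(remaining)}")
        waves.append(ready)
        for t in ready:
            del remaining[t]
        for ds in remaining.values():
            ds.difference_update(ready)
    return waves


def forward_references(deps):
    """Pairs (task, prerequisite) where the prerequisite has a higher number,
    so working through the matrix in numeric order would start it too early."""
    return sorted((t, d) for t, ds in deps.items() for d in ds if d > t)


if __name__ == "__main__":
    for n, wave in enumerate(recovery_waves(APPENDIX_F), start=1):
        print(f"wave {n}: {wave}")
    print("forward references:", forward_references(APPENDIX_F))
```

Run against the matrix as written, the check flags task 22 (Call Center Services), which depends on task 23 (Summit Middleware): the numbering alone is not a safe start-up order.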


APPENDIX G: Interdependencies of the System(s) – IT Development

Applications Inter Dependency Matrix


| Task # | Application Readiness | Magnitude | Inter-dependencies |
|---|---|---|---|
| 1 | BCP Plan & System Readiness | Critical | |
| 2 | Network Infrastructure at DR site Activated | Critical | 1 |
| 3 | NADRA UBPS Services | High | 2 |
| 4 | RTGS MySQL Database | Critical | 2 |
| 5 | Avanza SQL Server Database | Critical | 2 |
| 6 | hPLUS Core Banking Sybase Database | Critical | 2 |
| 7 | Amanat Cash MySQL Database | Critical | 2 |
| 8 | SMBL Meetings MySQL Database | Critical | 2 |
| 9 | HR SQL Server Database | Critical | 2 |
| 10 | BINation Sybase Database | Critical | 2 |
| 11 | AHBData Sybase Database | Critical | 2 |
| 12 | Clearing Portal MySQL Database | Critical | 2 |
| 13 | Meeting Management MySQL Database | Critical | 2 |
| 14 | Intranet MySQL Database | Critical | 2 |
| 15 | 1Link Services UBPS | Critical | 1,2 |
| 16 | 1Link Title Fetch Service | Critical | 1,2 |
| 17 | hPLUS Middleware | Critical | 6 |
| 18 | Hplus Gateway | Critical | 6 |
| 19 | eVoice Gateway | Critical | 6 |
| 20 | AHBL Gateway | Critical | 11 |
| 21 | Avanza Gateway | Critical | 5 |
| 22 | Query Server Gateway | Critical | 10 |
| 23 | Cluster Management Gateway | Critical | 6,10 |
| 24 | B2B Transaction Gateway | Critical | 17 |
| 25 | VMS Gateway | Critical | 9 |
| 26 | RTGS | Critical | 2,4 |
| 27 | RTGS – Integration Software | Critical | 2,4,6 |
| 28 | RTGS – Integration Software for Non Pri | Critical | 2,4,6 |
| 29 | RTGS-STP Pri Cron | Critical | 2,4,6 |
| 30 | Xpress Money Integration | Critical | 2,7 |
| 31 | Malik Exchange Integration | Critical | 2,7 |
| 32 | Amanat Cash | Critical | 18,24,20 |
| 33 | SMS SMPP | Critical | 2,20 |
| 34 | SMS Pull Service | Critical | 18,20 |
| 35 | SMS Client | Critical | 2,20 |
| 36 | ShortCode | Critical | 18,24 |
| 37 | IBFT Title Fetch | Critical | 16 |
| 38 | Utility Bill Payment System | Critical | 14,15,24 |
| 39 | Customer Complain Management | Critical | 14,18,19,21 |
| 40 | Service Escalations System | Critical | 14,18,25 |
| 41 | e-Accounts | High | 14,18,21 |
| 42 | goAML | High | 6 |
| 43 | SMBL API Integration | High | 2,3,7 |
| 44 | CAD Application | High | 14,18 |
| 45 | BancAssurance | Critical | 24 |
| 46 | Corporate Directory | High | 14,57 |
| 47 | FX CRS | Low | |
| 48 | eCMS | High | 14,25 |
| 49 | Clearing Portal | Critical | 12 |
| 50 | Card Capture Module | Critical | 14,18,25 |
| 51 | Admin Asset Maintenance | High | 14,25 |
| 52 | Admin Complain Center | High | 14,25 |
| 53 | IT Asset Maintenance | High | 14,25 |
| 54 | eRequisition Portal | High | 14,25 |
| 55 | SMBL Meetings Management | Critical | 13 |
| 56 | RTGS-STP Batch Utility | Low | |
| 57 | Employee details Sync Cron | Low | 9,14 |
| 58 | Birthday Alerts Cron | Low | 14 |


APPENDIX H: Roles & Responsibilities – IT Team

| Name | Description |
|---|---|
| Faisal Wahid Khan, Mahmood Iqbal | Responsible for readiness of hPLUS Server Farm, Core Storage & Databases |
| Kashif Liaquat/Team, Mahmood Iqbal | Responsible for readiness of all networks / connectivity related tasks. |
| Asim Khan/Team, Arshad Jafri | Responsible for the readiness of the data center related applications and hardware |
| Waseem Ahmed | Responsible for the readiness of Cognos BI Tool |
| Muhammad Talha, Paras Lal | Responsible for the readiness of in-house applications |
| Syed Muhammad Safdar Raza Naqvi, Syed Muhammad Kamran Alavi, Syed Muzammil Enam, Asif Khan, Kashif Saleem | Responsible for the readiness of ADC related applications and services |


ADC Services Shutdown Process

• The ADC team takes prior approval from higher management before taking any downtime.
• Sends email to all relevant stakeholders (NAFA, NIT, VRG, Ufone, eOcean, NADRA, APS and 1-Link).
• Informs the call center team before the downtime activity.
• Stops 1-Link, ATM and short code services.
• Stops Nimbus services.
• AMBIT & Ambitwiz Internet Banking and mobile banking App services are stopped.
• Stops RDV services.
• Stops hPLUS middleware services.
• Stops SMPP/SMS services.
• Avanza Gateway/hPLUS Gateway/AHBL Gateway are stopped.
• Information is shared with relevant stakeholders and 1-Link.


ADC Services Restoring Process

• Avanza Rendezvous/hPLUS Gateway/AHBL Gateway are started.
• Summit & hPLUS Middleware Services are started.
• ATM services are started.
• 1Link Sign on and services resumed.
• Short Code services are started.
• AMBIT and Ambitwiz services are started.
• SMPP/SMS services are started.
• All services are checked and verified respectively.
• Call Center Team is intimated about startup.
• Information is shared with relevant stakeholders.
