Chapter 8 Flashcards Preview

IT in investment Operations IOC > Chapter 8 > Flashcards

Flashcards in Chapter 8 Deck (43)
Loading flashcards...
0
Q

Name the categories of KPIs

A

KPIs are often categorised into areas of supportability, recoverability, durability, performance, reliability, functionality, scalability, and flexibility.

1
Q

Name the typical sections in an SLA.

A
  1. Introduction (parties, signatures, service description)
  2. Scope of work (service hours, support)
  3. Performance
  4. Tracking and reporting (content, frequency)
  5. Problem management (change procedures, escalation)
  6. Compensation and service credits
  7. Customer duties and responsibilities
  8. Warranties and remedies
  9. Security
  10. Intellectual property rights and confidential information
  11. Legal compliance and resolution of disputes and
  12. Termination and signatures
2
Q

What is SLM?

A

Service Level Management (SLM) is the management of SLAs to ensure that they are up-to-date and current. The goal of SLM is to maintain and gradually improve the services that are being provided through a continuous cycle of monitoring, reporting and agreeing new targets during periodic reviews.

3
Q

What are the objectives of DRP?

A

The planning process should minimise the disruption of operations and ensure some level of organisational stability and an orderly recovery after a disaster.
Other objectives of disaster recovery planning include:
1. Providing a sense of security
2. Minimising the risk of delays
3. Guaranteeing the reliability of standby systems
4. Providing a standard for testing the plan
5. Ensuring there is a clear communicative plan in the event of an issue, and
6. Minimising decision-making during a disaster

4
Q

Outline the methodology of DRP?

A
  1. Obtain top management commitment - commit adequate time and resources
  2. Establish a planning committee - should define scope of plan and frequency of tests
  3. Perform a risk assessment for a range of possible disasters also analyse costs related to minimising potential exposures
  4. Establish priorities for processing and operations - establish critical needs of each department
  5. Determine recovery strategies - establish practical alternatives for recovery
  6. Perform data collection - using pre-formatted firms due to the volume abc diversity of data required
  7. Organise and document a written plan - standard format for consistency - start with outline and develop detail
  8. Develop testing criteria and procedures
  9. Test the plan
  10. Approve the plan
  11. Update the plan
5
Q

What needs to be considered for each department when assessing risk during the creation of a DRP?

A
  1. Functional operations
  2. Key personnel
  3. Information
  4. Processing systems
  5. Service
  6. Documentation
  7. Vital records, and
  8. Policies and procedures
6
Q

How are critical needs defined as part of DRP?

A

Critical needs are defined as the necessary procedures and equipment required to continue operations should a department, computer centre, main facility or a combination of these be destroyed or become inaccessible.

7
Q

As part of the ‘determine recovery strategy phase’ of DRP, what needs to be considered in selecting alternative recovery options?

A
  1. Contract duration
  2. Termination conditions
  3. Testing
  4. Costs
  5. Special security procedures
  6. Notification of systems changes
  7. Hours of operation
  8. Specific hardware and other equipment required for processing
  9. Personnel requirement
  10. Circumstances constituting an emergency
  11. Process to negotiate extension of service (including clear roles and responsibilities)
  12. Guarantee of compatibility
  13. Availability
  14. Non-mainframe resource requirements
  15. Priorities, and
  16. Other contractual issues
8
Q

As part of the ‘perform data collection phase’ of DRP, what needs to be considered/collected?

A
  1. Back-up position listing
  2. Critical telephone numbers
  3. Communications inventory
  4. Distribution register
  5. Documentation inventory (covering recovery procedures as well as normal BAU
    procedures)
9
Q

What are the responsibilities of top management in DRP?

A

Establishing policies, procedures and responsibilities for comprehensive contingency planning, and
2. Revising and approving the contingency plan annually, documenting such reviews in writing
If the organisation receives information processing form a service bureau, management must also:
1. Evaluate the adequacy of contingency plans for its service bureau
2. Ensure that its contingency plan is compatible with its service bureau’s plan
3. Approve the budget for the DR test

It is top managements ultimate responsibility that the organisation has a written and tested DRP.

10
Q

Who reports to the CIO?

A
Head of production support
Head of development and implementation 
Head of testing
Head of change
Head of business recovery
Head of information security
11
Q

Who typically reports to the head of production support?

A

DBAs

Help desk / support staff

12
Q

Who reports to the head of development and implementation?

A

BAs
App designers systems analysts
Programmers

13
Q

Who reports to the head of testing?

A

Test analysts

14
Q

Who reports to the head of change?

A

Programme managers

Project managers

15
Q

What are other names for applications?

A

Logic engine or business rules - will validate a trade, create a customer etc

16
Q

Describe the middleware/ real time messaging layer?

A

Products that distribute and obtain real time data to and from other parties.

17
Q

What are the benefits of a distributed system?

A
  1. To ensure that processing power is as close to the users as possible
  2. To ensure a high degree of robustness, for example via the use of data replication
  3. To enable hardware to be easily added as the resource demands of the applications running
    on the distributed system start increasing.
18
Q

What is data replication?

A

Data replication is the process of sharing information so as to ensure consistency between redundant resources, such as software or hardware components, to improve reliability, fault tolerance, or accessibility. Data replication can be implemented either by storing the same data on multiple storage devices, or by executing the same computing task many times on different devices, in which case it is known as ‘computation replication’.

19
Q

What are the seven operational risk events?

A
  1. Internal fraud – misappropriation of assets, tax evasion, international mismarking of positions and bribery. These activities can be facilitated by practices that allow, inter alia unauthorised access to applications and underlying data. They may be mitigated by the use of application password control and the deployment of systems that support the concept of segregation of duties.
  2. External fraud – theft of information, hacking damage, third-party theft and forgery. As for (1) above, but in addition, these problems can be mitigated by the deployment of anti- virus software, anti-spyware, firewall, etc.
  3. Employment practices and workplace safety – discrimination, workers, compensation, employee health and safety. There are no specific IT-related issues to this event; it is a company-wide issue.
  4. Clients, products, and business practice – market manipulation, anti-trust, improper trade, product defect, fiduciary breaches and account churning. ‘Product defects’ in this context includes defects in the software and hardware that is used to process the firm’s data. Good IT practice involves the use of standardised, reliable methodologies to discover and document business requirements, select software vendors and packages, build, test and deploy software and manage projects. It also involves the use of configuration management and change control procedures to ensure that the right software versions are deployed.
  5. Damage to physical assets – natural disasters, terrorism and vandalism
  6. Business disruption and systems failures – utility disruptions, software failures and
    hardware failures. These risks may be mitigated by proper ‘business recovery plans’.
    Software failures may also arise as a result of product defects (Basel II event no 4).
  7. Execution, delivery, and process management – data entry errors, accounting errors, failed mandatory reporting, and negligent loss of client assets. These events, in turn may be caused by product defects.
20
Q

Generally what are the two categories of risk management governance for IT departments with securities companies?

A
  1. Maintaining ‘business as usual’ activity
  2. Introducing business change
21
Q

Name some areas of risk management within BAU activity

A
  1. Ensuring that business applications and the configurations that run them are stable and are able to cope with normal business volumes.
  2. Recording deficiencies in the design or operation of systems that support the firm’s activities and maintaining documentation of the workarounds to keep the process in control.
  3. Protecting the organisation from system security issues such as unauthorised access
  4. Ensuring system development keeps pace with rapidly evolving user requirements
  5. Ensuring the systems integrate effectively, minimising manual intervention and data integrity
    issues.
22
Q

What are the risks that need to be managed when introducing business change within IT?

A
  1. Aligning the IT strategy with the business strategy
  2. Aligning the solution to the strategic business drivers
  3. Managing and monitoring risks of introducing the change on the business
  4. Providing visibility of risks and issues to responsible stakeholders
  5. Risk of over – (and under - ) spend
  6. Risk of ‘re-inventing the wheel’ – i.e. implementing duplicate systems
  7. Delivery risk – i.e. delivering late, or not delivering what is required
  8. Complexity risk – i.e., the end solution becomes so complex that it increases costs and
    impacts delivery
  9. Scope expansion risk – i.e., the scope grows and grows (‘scope creep’)
  10. Managing external parties, e.g., clients or suppliers
23
Q

What is benefits realisation?

A
  1. The intended benefits of that project must be documented and clearly understood at the outset, and agreed by senior management
  2. They should be expressed in financial terms, if possible, i.e. the expected return on investment should be measurable or, better still, quantified
  3. The identities of the business units that will enjoy those benefits must be known at the outset; and
  4. As part of the change plan, time and resources must be set aside to measure whether these intended benefits were, or were not, in fact achieved
24
Q

What are the components of an infrastructure catalogue?

A
  1. Users the desk supports – key details include:
    a. Name, department, telephone number, email address and physical location
    b. Normal working hours and working days
  2. Applications the desk supports – key details include:
    a. Name of the application
    b. Details of its role in the business
    c. Name and full contact details of the organisation that is responsible for supporting
    it. Note that this may be the firm’s it department or an external vendor. Technical details – is it a PC application such as Word or Excel, or is it a web-based application that does not require installation in a user PC, or is it a client-server application employing a database? If it is it a client-server application, what database is used and what specific servers does it run on?
    e. Any requirements for specific version numbers for database and operating system software
    f. Hours during the day and days of the week on which there is expected to be activity. If there is a great deal of night-time activity in this application, then the desk will need to hold out-of-hours contact details and perhaps rotas for support staff who may need to be contacted at home
    g. An assessment as to how critical the loss of this application for an extended period would be to the business
    h. Licence details – the number of simultaneous users, scope of use, volume limits etc.
  3. Hardware the desk supports – key details include:
    a. Locations of all servers and routers
    b. Whether they are used for production, testing or disaster recovery
    c. Which applications are running on each server
25
Q

What are the options for help desk structures to provide extended cover?

A

. ‘Follow the Sun’ – this model is widely used by firms that have operations in more than one time zone, and users accessing the same application and servers from different countries. During normal European working hours, support for all users worldwide is provided from a European location. When Europe closes, support moves to a North American support centre, and when North America closes, support is handled by an Asian support centre
2. Extended working hours – this model is widely used when a firm is doing business in a single time zone, but is using applications that are working throughout the day and night. A single help desk works in shifts, one shift coincides with normal working hours for the majority of the users and is more heavily manned that the other shift, which deals only with emergency calls
3. Partial outsourcing – if the number of out-of-hours calls are expected to be very few in number but may be critical then overnight manning of the help desk could be outsourced to a third party specialist firm

26
Q

What two fundamental types of SLAs exist?

A

External and internal

27
Q

What are the three levels of support personnel?

A

Help desk
Analyst
Service specialist

Escalate to management

28
Q

What is the primary objective of DRP?

A

To protect the organisation.

29
Q

What are the benefits of initially outlining the DRP written plan?

A
  1. Helps to organise the detailed procedures
  2. Identifies all major steps before the writing begins
  3. Identifies redundant procedures that only need to be written once;
  4. Provides a road map for developing the procedures
30
Q

How is the contingency organisation structured?

A

Teams being responsible for major functional areas, such as :

  1. Administrative functions
  2. Facilities
  3. Logistics
  4. User support
  5. Computer back-up
  6. Restoration, and
  7. Other important areas
31
Q

Who co-ordinaries the recovery process?

A

The management team, the team should assess the disaster, activate the recovery plan ad contact team managers and third- party suppliers. The management team also oversees, documents and monitors the recovery process. Management team members should be the final decision-makers in setting priorities, policies and procedures.

32
Q

How often should the DRP be tested and evaluated?

A

At least annually

33
Q

List some reasons for testing the DRP.

A
  1. Determining the feasibility and compatibilities of back-up facilities and procedures
  2. Ensuring the plan is realistic
  3. Identifying areas in the plan that need modification
  4. Providing training to the team managers and team members
  5. Demonstrating the ability of the organisation to recover and
  6. Providing motivation for maintaining and updating the DRP
34
Q

What does a structured walk through of a DRP provide?

A

The test will provide additional information regarding further steps that may need to be included, changes in procedures that are not effective, and other appropriate adjustments.

35
Q

When should DRP testing be carried out?

A

Initially testing of the plan should be done in sections and after normal business hours to minimise disruption to the overall operation of the organisation.

36
Q

Name types of testing that may be carried out on the DRP?

A
  1. checklist tests
  2. simulation tests
  3. full interruption tests, and
  4. cross industry tests involving suppliers and customers

To facilitate these recommendations, most exchanges and clearing houses offer their customers facilities to test whether their back-up facilities are able to communicate successfully with the providers’ own systems.

37
Q

What are the the key recommendations about testing in the FSAs BCMP Guide

A
  1. critical suppliers are involved in tests at least annually
  2. The firm should be prepared to supply evidence of its testing to its own customers, suppliers
    and regulators
38
Q

Who should approve the DRP?

A

Top management

39
Q

Who’s responsibility is if that an organisation has a documented and tested plan?

A

Top management

40
Q

What is management responsible for in the discipline of BCM?

A
  1. Establishing policies, procedures and responsibilities for comprehensive contingency planning, and
  2. Revising and approving the contingency plan annually, documenting such reviews in writing
    If the organisation receives information processing form a service bureau, management must also:
  3. Evaluate the adequacy of contingency plans for its service bureau
  4. Ensure that its contingency plan is compatible with its service bureau’s plan
  5. Approve the budget for the DR test
41
Q

Name the two aspects of change management.

A
  1. Use of version control

2. Development of procedures to ensure that only authorised changes are made

42
Q

What are change control practices designed to facilitate?

A

are designed to:
1. Allow changes to accepted work products to be proposed and evaluated, schedule and quality impact assessed, and the changes approved or rejected for release into production systems in a controlled manner
2. Provide a mechanism for management to accept and sign off changes that improve the product overall while rejecting those that degrade it.
3. Notify all parties materially affected by a proposed revision of the need to accept the new version
4. Notify all interested parties on the periphery of development regarding change proposals, their assessed impact, and whether the changes were approved or rejected
5. Facilitate efficient deployment of changes to environments where they are required