Thursday, February 23, 2012

Want to make bank regulators mad? Encrypt your DR Resource List.

When I'm asked to review a bank's BCP/DR Plans, one of the first things I want to look at is the "Resource Inventory". Called by various names, this is the list of critical systems and services that are prioritized for recovery.

DR/BCP Coordinators are asserting that, if their building gets flattened, the items on this list can be restored to a production state within a time frame that they have assigned.

So it helps your cause immensely if the list makes sense, not just to insiders but to outsiders who must form a judgement as to whether the bank staff can actually accomplish what is proposed.

Sadly, some of these lists look like encoded spy messages.

Enigma Cipher Machine - Portable Version
Are you using this to encode Resource Lists?
For instance, what is an examiner to make of these:

3 T System
A2I
ISCHECK
TTS2000

Presumably, someone in the organization knows what this stuff is. But to an outsider it looks like gibberish.

Some of these lists are so bad that the best you can expect is a frustrated and confused examiner; at worst, the examiner will interpret the list as an attempt at obfuscation.

And there is nothing so dangerous as a regulator who feels obfuscated.