Article: 5 Ways to Disaster-proof Your Credit Union’s IT Environment

By: Matthew Wilhelm
As featured in:
credit union technology, compliance for credit unions, credit union risk management, credit union compliance

Disaster preparedness planning is one of the most common reasons credit unions engage our firm. And rightfully so, it is one of the most important elements of effective information systems management for a credit union of any size. Although a credit union’s ability to withstand large (and not so large) catastrophic events has always been relevant, there has never been more emphasis on disaster recovery (“DR”) as a practice. Ask an industry expert and you’ll learn that this is primarily due to two factors: One, an ever growing reliance on data, information, technology, and Internet; and two, oddly enough, Hurricane Katrina.

In recent years a credit union’s reliance on information technology has grown exponentially. Think of the ways we rely on technology today that we did not just five or ten years ago. To service the daily needs of our membership we lean on our ability to quickly and efficiently access not just core processor data but many sources of information and databases that support our roles. Beyond the core processor, credit unions rely on email and voice communications, web portals, lending platforms, third party payment and processing services, ATM connectivity, CRM and MCIF systems, file and document imaging services – the list goes on and on. 

Questions about IT Security?

Questions about Disaster Recovery?

Questions about Compliance?

Ask an IT Expert Now!

Contact Us Now!

While Hurricane Katrina isn’t the only other reason there has been increased emphasis on DR, it was a huge contributor to why regulating bodies started to highlight the need for credit unions to more thoroughly, creatively, and urgently act to improve their DR capabilities. Our take: a huge natural disaster should not be your only impetus to improve your credit union’s ability to respond to a disaster. More often than not, our credit union experts are focused on the more menial of “disasters”, think simple power failures or internet connectivity issues.

Since each credit union is truly unique, professional assistance should be sought when necessary. Many of our credit union clients internally feel comfortable with many regulatory issues affecting their business but often feel uncomfortable about IT related compliance requirements due to unfamiliarity with the subject matter. There are a host of qualified service providers that can assess your individual needs and make recommendations for policy and procedural changes as well as environmental improvements.

The good news is, there are many ways your IT disaster recovery plan can be improved. This article will introduce you to five ways to “disaster-proof” your credit union’s IT environment. And while having said that, we all know there is no way to truly disaster-proof your environment; however, solid planning and preparedness can greatly reduce the likelihood of a simple or severe disaster creating downtime for you, or more importantly, your membership.

 

Here are five basic concepts to consider when designing your credit union’s IT disaster recovery plan:

Always start with a comprehensive risk analysis. The most prepared credit unions have a deep understanding of their systems both technically and functionally. Technically you must have detailed documentation of all aspects of information systems including network configuration, platforms, and line of business applications. Start with the application environment by taking a detailed inventory of software, who depends on each, and their criticality to maintaining member service. Since access to these applications is so important to maintaining member service, it is important to complete an in depth situation analysis. Think in terms of, if this happens, then what. For example, if internet connectivity is disrupted, what does this impact? Does it impact ATM connectivity? Access to core processor? Does it impact everyone or just the branch environment? If a specific lone event can cause disruption to a critical function, it is considered a single point of failure. A comprehensive risk analysis aims to minimize single points of failure. Based on size and budget, some credit unions seek to eliminate single points of failure altogether, while in some cases it is enough to identify the single point of failure and institute a failover strategy. These strategies should be documented in your procedure manual.

Don’t forget non-core processor systems! There is a natural tendency for credit unions to focus so pointedly on their core processor that they often lose sight of other systems they deeply rely on. No doubt the core processor is the single most important system in place for any financial institution but it can be similarly important to maintain accessibility to such ancillary systems as: document management and imaging, lending platforms, email and collaboration systems, CRM and MCIF systems, etc. Don’t forget these critical systems when considering your disaster preparedness strategy.

While technology is important, credit unions often misjudge their dependency on the human aspect of IT. Maintaining uptime of critical systems is important; however, what would happen if your IT team, often a single individual, were to disappear? Does your credit union have the detailed documentation in place necessary to pick up the pieces and move forward? Does your credit union rely on a single person to maintain access to critical systems? If so, this can be a security and disaster preparedness risk. Also, on the topic of the human aspect IT, does your member-facing staff have a good understanding of backup procedures and how to communicate to a member when systems are temporarily down? Training is important here. Also, consider working with your IT staff or provider to draft a comprehensive set of systems documentation including credentials, systems configurations, scenario analysis, etc. Store this in a safe place, one that is accessible even in a disaster situation – that’s when you’ll need it most.

Have a solid and actionable testing procedure in place, and follow-through. Once your credit union has solid disaster preparedness policies and actionable procedures in place it is important to have a regularly scheduled testing routine. Consider monthly, quarterly, semiannual and annual testing procedures. Document frequencies and timelines. Document the results of each test and resulting action items. For example, too often we see credit unions that take daily backups and rarely (if ever) complete a test restore to ensure their backup data is actually usable in a disaster situation. Typical testing activities include: backup battery testing and runtime analysis, generator failover testing and runtime analysis, test restore of backup data, testing of backup internet connectivity and failover functionality, testing of alternate access to core processor systems, etc. Consider a regularly scheduled mock disaster with your team.

Consider new technologies: virtualization, remote backups, wireless functionality. There are a myriad of new technologies today that weren’t available or were not cost effective just two or three years ago. One technology is virtualization; consider this technology to not only reduce the size of the server environment but to also reduce restoration time in a disaster scenario. For example, a server your credit union relies on can often be virtualized and imaged in a way that can be rapidly restored if necessary, thus reducing downtime when disaster strikes. Remote data backups are another technology that has minimized many credit unions’ dependency on tape-based backups and also increases data security and reduces cost. New wireless functionality exists today that can provide internet connectivity to an entire credit union or branch office in an internet outage situation. This technology uses a router equipped with a cellular receiver that can utilize a wireless carrier to stream internet to the financial institution. These are just three new technologies, there are more available and more coming down the pike, consult a credit union IT professional for more ideas.

 

pdfDownload the Full Article Here [PDF]

 

A Presentation on Disaster Preparedness for Credit Unions: