Computer security and audit Essay


The fiscal and concern environment is invariably altering and are faced with myriads of menace that progressively hinder their uninterrupted operation, it is hence imperative to guarantee that concern procedure that use the information are continuously available. Financial sector critically depend on the dependability, security and uninterrupted operation of their information system which had seemingly been face with the menace of homo and natural catastrophe. The recent clip breaks runing from Natural catastrophe to terrorist onslaught had signaled high degree of menace and instability to fiscal establishment.

Therefore, sing the criticalness of fiscal establishment concern procedure every bit good as their critical dependences, it is highly of import to develop a program that will guarantee the uninterrupted operation of the system in the event of any break. This seemingly involve the choice and execution of a suited concern continuity be aftering standard BS 25999 as an confidence to clients and interest holders that fiscal establishment can react efficaciously and expeditiously catastrophe and their concern procedure can go on as usual.

A good structured concern program will take into consideration all types of event impacting the critical information systems processing installations and their terminal users normal organisational operation map ( ISACA MANUAL 2008 ) . This undertaking work will deeply research into the impact of the standard BS 25999 on fiscal sector critical concern procedure.


My gratitude goes to God Godhead for giving the wisdom, cognition and understanding necessary to see me through this undertaking, I will forever appreciate Him for being the writer and closer of this undertaking work. I would wish to thank Dr. Fuchen Jia, of the Department of Computing and Mathematical scientific discipline for giving his clip to constructively knock this undertaking work every bit good as his meaningful suggestions and unflinching support towards the success of this thesis.

My extreme gratitude besides goes to direction of fiscal company such as Barclays, HSBC, HBOS, NATWEST, Lloyds TSB and others for supplying me extremely valuable information ‘s which had contributed vastly to the success and completion of the whole thesis.

I would besides like express my sincere gratitude to the staff squad of Greenwich University Maritime campus for all their utile support in the class of the whole undertaking.

I can ne’er bury but unfeignedly acknowledge the priceless support of my better half and kids Mrs. Bayonle, Daniel and Oluwanifemi Adedigba whose moral and fiscal support throughout my class of survey can non be quantified.

Last, I would wish to state whole heartedly that, I will be responsible for any error this part to knowledge may hold.

Chapter ONE


There seems to be many different thought about major break of concern in corporate administration other than fiscal crisis across the Earth, non until the major terrorist onslaught on universe trade Centre in the aftermath of September 11, 2001 which brought about a monumental loss to the universe at big. Ever since that clip industries, administrations every bit good as Government sections has been sing Business eventuality be aftering for such an event if and when it occur. This major incident of important magnitude, made direction of many administrations to rapidly travel to a pulling tabular array to readdress their programs and explicate an sanctioned set of formal readyings to react to catastrophe and focused on short term recovery. It is comparatively understanding that in a universe where uninterrupted operations are the indispensable portion for concern endurance, therefore action must be taken to guarantee information and the concern that use the information are continuously available. This rejuvenates a more thorough treatment about Business continuity planning in many administrations across the Earth.

Business continuity Planning ( BCP ) represents the concluding response of the administration when faced with any break of its critical map. It is besides serve as a rapid resettlement of administrations most critical concern map to another location which would maintain the administration running every bit rapidly as possible to enable uninterrupted operation of the administration concern procedure which would guarantee its being and minimise losingss runing from fiscal to reputation harm from the break every bit good as cut downing the hazard of loss of life.


Business continuity planning was brought Centre phase within the public sector by the civil eventualities Act 2004, statute law set up in response to the terrorist act, fuel crisis, deluging and pes and oral cavity panics in the early millenary. This act was hoped to set in topographic point a consistent frame work that could supply a coherent attack to concern continuity and exigency planning across public sector ( Julian Thrussell 2008 )

Business continuity planning is hence a procedure instead than project that encapsulate the readiness of organisation towards minimal and major break to the concern procedure. Administrations are to be adequately prepared for contingencies that could significantly hold an impact towards their service bringing. Therefore, Business continuity planning is an component of internal control that is established to pull off the handiness of critical procedures and valuable computing machine informations in the event of break ( ISACA manual 2008 )

The September 11th onslaught to United State of America and the London bombardments brought Business continuity planning to a Centre of eternal treatment to many organisations and authorities constitutions all over the universe. The immense media coverage of figure of recent catastrophes, runing from 9/11, London bombardments, the buncefield oil catastrophe, Latest batch of implosion therapy and latest terrorist onslaught in India, made many organisations around the universe to believe they are still without nice concern continuity programs. Although the magnitude of any catastrophe can non be accurately forecasted, but research findings suggest that administrations failure to fix adequately for unanticipated fortunes and catastrophe can be comparatively lay waste toing which could hold a important magnitude on the portion of the administration. Therefore, to cover with this issue suitably in other to safeguard many administration in the wake of series of high profile incidents, the authorities has present the BS25999 from British Standard Institute to back up concern in there continue planning.


BS25999is a criterion developed by the British Standard Institution for administration which provides a footing of understanding in developing and implementing a feasible concern continuity direction within an administration. This will heighten administrations bringing of service every bit good giving them a degree of assurance for a twenty-four hours to twenty-four hours, concern to concern and concern to client ‘s traffics ( Avalution confer withing 2008 ) . The BS25999 is written in two parts ; Part 1 theBS25999-1which specifically deals with codification of patterns embracing the criterion overall aims and sketching the counsel and recommendation. The criterion besides provide a footing for understanding, developing and implementing concern continuity within an administration and supplying assurance in the administration traffics with clients and other administrations. It enables administrations to mensurate its BCM capableness in a consistent and recognizable mode.

The portion 2BS25999-2of the criterion is the enfranchisement procedure detailing specifically with the activities that should be completed in other to run into concern continuity aims within the context of administration overall concern hazards ( Avalution Consulting 2008 ) . This criterion is international in nature supplying a frame work agreeable to administrations and organic structures irrespective of geographics. Therefore, for any administration to follow this frame work, the administration hazard direction scheme must use the critical activities with the concern aims so that they can aline together. This standard finally replaces the 1990 BSI publication of Publicly Acceptable Specification 56 ( PAS ) which attempt to put out a methodical attack to concern continuity.


Event of the recent times shows that all administrations that want to stay feasible in their comparatively competitory market should follow with this criterion. This gives such administration an excess ordinary confidence that they have put in topographic point appropriate steps to cover with contingencies either child or major that might ensue in break of services or closing. This among other impacts leads to the development of a criterion such as BS 25999 that will supply a system based on good pattern for concern continuity direction. Besides, it will further enable the organisation to mensurate its concern continuity direction in a consistent, dependable and recognizable mode.

The economic system is of the universe now is so globalised with outsourcing, amalgamations and acquisitions, of increasing administration and conformity and of class of technological progresss, mobility and Information Communication Technology ( ICT ) . This is an economic system that requires companies to reappraise about all facet of what they do and how they do it. Companies need to measure and re-assess the hazard they face and their programs for guaranting the security and continuity of their concern and its operation. It is in this respect that the conformity of this criterion in due diligence is highly of import so that outlooks from clients, stockholder, providers, regulators and other interest holders demands will be met in a mode that justify the unity and finest for intent of such administration in the challenges of the twenty-first century.


Our universe is altering ; there is evident growing in figure of menace to ability of administration to go on with their concern activities. The recent economic recession that badly affects most of the fiscal establishment culminate into researching in the important consequence of this criterion to the fiscal sector. Financial sector manages a pool of informations base and the sector critical assets are information system in safeguarding and transferring of financess and fiscal assets. Therefore, procuring this critical portion of the fiscal administration continue being keeps them less prone to fraud, fiscal impropernesss every bit good as catastrophe.

Therefore, the uninterrupted handiness of this information to their clients every bit good as keeping the unity of the system makes them less prone to catastrophe that could interrupt their twenty-four hours to twenty-four hours services.

AS one would anticipate, the trust of many houses within the fiscal services sector on big information systems runing on really short clip graduated tables, covering with banking minutess and the likes, has meant that they had to guarantee a high degree of Information Technology Disaster Recovery ( ITDR ) capableness to hold a information or hardware backup and recovery agreement.

Therefore, sing the sensitiveness of fiscal concern procedures and the tremendous impact of a catastrophe on their services, it is imperative to cognitively look into the consumption and execution of the criterion within the sector in due diligence.

Sandy Chen 2008, view the recent economic and fiscal crisis like that of Northern rock bank which is particularly due to some internal lacks that led to about being prostration before it was rescue by authorities to revive the Bank, are more of the grounds that brought about this thesis.

The recent plumb bob of Royal Bank of Scotland portion monetary value in the stock market taking them to a less safe establishment to impart every bit good as mounting concerns over monolithic exposure to defaults on complex fiscal instruments ( Sandy Chen 2008 ) add more to the thought of this research work. More significantly, the fiscal companies involved in September 11 onslaught on universe trade Centre such as Morgan Stanley, Aon corporation, Salomon Brothers and many more culminated into given this research work serious consideration of the fiscal establishment conformity and consumption of the standard BS25999.


The research methodological analysis designed for this undertaking work is to utilize both qualitative and quantitative attack that includes primary and secondary beginning to garner my informations ; but more attempts will be concentrated on primary beginning. Developing and distribution of questionnaire that is designed in a manner that technically address the issues at interest and that will give replies which will take to important information on the advancement of this undertaking work had been distributed. The distribution of this primary beginning of informations aggregation and reception has been electronically designed to rush up the undertaking work.

The information collected will now be transformed into utile information statistically to warrant the aims of this undertaking work. Besides the spread analysis will now be done to compare the consumption of both portion this criterion within the banking sector


The accent of concern continuity programs peculiarly sing this thesis work is on the fiscal administration ‘s critical concern procedures that need to be recovered in the event of a catastrophe for the endurance of their information engineering and other critical dependences.

Therefore, the chief purpose of this research work is to critically analyze the concern consumption of portion one and two of the BSI standard BS25999-1 and BS25999-2 as it is one of the most considered nationally-originated criterions and guidelines as portion of the internalization procedure for Business Continuity. These aims besides focus more on the concern consumption of this criterion within fiscal sector, every bit much as the impact of the criterion in guaranting Business continuity.

The chief aims of this undertaking are ;

  1. To analyse the two parts of concern continuity be aftering standard BS25999
  2. To analyse the impact of the two parts of the standard BS25999 in guaranting concern continuity
  3. Establish a spread analysis if any within the criterion
  4. To carry on a study of the organisation chiefly fiscal sector utilizing the two parts of the criterion

Chapter TWO


The chief purpose of this chapter is to critically analyze and reexamine the legion plants of research workers in the country of Business Continuity Planning, the development of British criterion 25999, every bit good as the interactive consequence of the two parts of the criterion in fiscal sector. This literature reappraisal is under the undermentioned subheadings ; definition of Business Continuity Planning, the development of the standard BS 25999, the intent of this criterion in fiscal sector, every bit good the benefit of the successful execution of this criterion in the fiscal sector.


Banks and Financial sector depends largely on Information Technology for their mundane activities, hence the Information possessed by fiscal administration is non merely been used by the administration and their employees but by Customers and spouses every bit good. These users who depend on these services expect uninterrupted handiness of instantaneous entree to organisational information ( McAnally, et al 2000 ) .

Business continuity planning therefore encompasses the procedure designed to understate organisation ‘s concern hazard that arise from an unexpected break of the critical functions/operation ( manual or automated ) necessary for the endurance of the organisation. This includes human/material resources back uping this critical functions/operation and confidence of such services for the continuity of the least minimal degree of services that is required for at least critical operation ( ISACA Manual 2008 )

It is besides position in the wide facet as the procedure that aid extenuate hazard to the smooth running of an organisation or bringing of service, guaranting continuity of organisation critical maps in the event of unexpected break, and an effectual recovery afterwards. Whenever catastrophe is mentioned, terrorist act, temblor, fires, inundation and larceny and many others ever come to our head. However, system malfunction, down clip, bluish screen of decease, computing machine bugs and computing machine viruses that frequently disrupt the smooth running of services can every bit good be regarded as a catastrophe and are after all more common happening ( Hawkins, Yen and Chou, 2000 ) .

The unanticipated event of the recent times such as the terrorist onslaught on the universe trade Centre, the hurricane Katrina, the July 7 bombardment in London, terrorist onslaught in Indian, the failure of the terminal 5 of British air passages and more significantly, the recent snow in London which has been widely regarded as the worst in 18years that led to closing of concern and school are all event that is doing most senior direction of public and private sector to see into the execution of Business continuity direction criterion BS 25999.

Further to recent study by Debt to Income Ratio ( DTI ) published in the concern criterion on 23rd July 2007 reveals that merely 49 % of organisation has a concern continuity program covering critical concern activities, Small-scale concerns in the study are the least prepared for any unexpected breaks, with merely 40 % of most administrations holding no program. This had led to a assortment of administration senior direction to come frontward to hold their programs certified and all seeking reassurance in the supply concatenation and the ability to last incidents ( DTI 2007 )

Therefore, for the intent of this research work, more accent would be laid on the British Standard BS 25999 in fiscal sector.

What is BS 25999?

The accent of the standard BS 25999 as continuity programs today is on the administration ‘s critical concern procedures that need to be recovered in the event of any child or major catastrophe for the endurance of the administration information engineering.

The recent twelvemonth ‘s calamities such as the 9/11 onslaught on the universe trade centre hurricane Katrina and many more had exhumed the demand of administration resiliency against terrible breaks. The event of the last decennaries had led to rapid development in the genre of concern continuity, which had resulted in the development of the standard BS 25999 as a codification of pattern and enfranchisement.

Therefore, in the clip of catastrophe or break, this Information Technology every bit good as the information systems should be restored within a sensible acceptable period of clip, which leads to Contingency Planning ( CP ) . The chief purpose of eventuality planning is to supply avenue for administration to go on concern procedures in the event of catastrophe while recovery is taking topographic point, the most critical concern procedure must be considered foremost in this state of affairs ( Glenn, 2002 ) .

It is to this consequence the BS 25999 was published in November 2006 as codification of pattern to replace the Public Available specification ( PAS ) 56 for concern continuity planning to understate hazard of break to concern and to maintain the concern running during the most ambitious and unexpected fortunes.

This criterion is in two parts The BS 25999-1 codification of pattern that provides concern continuity direction best pattern recommendation foremost published November 2006, this loosely address the good pattern for any administration that recognises their continue being as paramount to their administration.

The BS 25999-2 is the Specification that provides the baseline for Business continuity direction in following the best pattern. This portion of the criterion foremost published by the British Standard Institute ( BSI ) November 2007 demonstrate conformity via scrutinizing and province in inside informations what needs to be done by organisations to get this enfranchisement ( BSI 2009 ) . This shall besides be farther expatiated in the class of this undertaking work.


Since the beginning of the twelvemonth 2008, HSBC ‘s secure e payment service has gone down three times, a reasonably important outage in January, followed by more important outages in March and the beginning of April. Merchant clamor for compensation because they could n’t treat their payments there by losing out on concern themselves. ( John Leyden 2008 ) .

Business Standard Institution in March 2008 Audited and reported Industrial Bank of Korea ‘s ( IBK ) initial reappraisal and spread analysis and conducted concluding Audit upon execution, taking to the award of enfranchisement of BS 25999. The enfranchisement of IBK for following with BS 25999 demonstrates that best pattern has been achieved and more significantly, gives so the confidence that any signifier of exigency that could take to breaks of concern could be dealt with. It has besides give them the competitory advantage in market topographic point and reassures clients that the bank is committed to keeping continuity of service, whatever happens. ( BSI Korea 2008 ) .

Increasingly the fiscal service industries where Bankss are categorised is an information intensive one, it operates on a 24/7 footing and depends on 100 % of informations handiness to maintain the concern critical maps runing. DBS bank in 2003 peculiarly reexamine all its processing and service maps because of terrible acute respiratory syndrome ( SARS ) to place those it could non afford to be out by more than a twenty-four hours such as payment, recognition card blessing, fraud sensing, trading and liquidness direction holding done this through the twelvemonth, they enjoy strong capital place ( Divya Patel 2004 ) .

Divya stated in her research that fiscal establishments peculiarly Banks recognised the cost involved in down clip beyond the cost of idle employees and lost gross, she concluded that there is greater harm to credibleness with clients and loss of future concern in event of any breaks ( Divya Patel 2004 )

Recent researches in Business continuity planning had revealed that fiscal administration will hold to find their readiness in the event of any child or major catastrophe through the consistent execution of BS 25999 that encompasses the followers ;

  • A concern impact analysis that should be carried out from clip to clip to determine which fiscal concern procedures are more critical than the other and how it ‘s failure can hold important impact on the administration
  • The Hazard to the fiscal concern procedure should be carried out through hazard analysis to place all likely menaces and exposure of the system to the identified hazards and ways of mitigating such would every bit be identified
  • The recovery scheme that will embrace the recovery clip aim of all the critical concern procedure should be developed by the concern squad
  • The recovery program that will set in topographic point what should be tested from clip to clip to guarantee their program is valid, applicable and effectual.

Ken Doughty in his article study Gartner ‘s research on e- concern that 70 % of new application and 50 % of new substructure investing by 2005 in e-business is quickly transforming concern procedures which is one of the critical procedure of fiscal sector. If it occurs, this surely increases the degree of dependence and hazard that no longer can be ignored by direction ( Ken Doughty 2002 ) . Therefore, this will in turn make most fiscal organisation to increase their degree of recovery capableness to run into their client ‘s service outlook.


Fiscal Institution has been happening the execution of the standard BS 25999 utile and highly of import to their administration. Business Standard Institution in March 2008 Audited and reported Industrial Bank of Korea ‘s initial reappraisal and spread analysis and conducted concluding Audit upon execution, taking to the award of enfranchisement of BS 25999. This IBK enfranchisement depicts their degree of readiness towards unexpected catastrophe.

The execution of the standard focal points on how to extenuate catastrophe, when it happens what to make, every bit good as do recovery clip nonsubjective ( RTO ) in the event of any break every bit speedy as possible. This farther includes the upper limit tolerable down clip that the fiscal sector are prepared to suit before their concern is up and running once more for an effectual service bringing.


BS 25999 was non merely created overnight, holding developed from the Business Continuity Institute ‘s Good Practice Guidelines ( foremost created in 2002 ) into the BSI ‘s Publicly Available Specification ( PAS ) 56 ( 2003 ) . The criterion has been supported over the old ages of its development by a figure of influential stakeholders including the UK authorities ( Cabinet Office, Department for Business, Enterprise and Regulatory Reform, FSA ) , the Association of British Insurers, the Institute of Directors, the Institute of Internal Auditors, the Institute of Risk Management and the Business Continuity Institute ( Robin 2008 )

British Standard 25999 is finally written in two parts. Separate 1 foremost published November 2006, the Code of Practice, which outlines the criterion ‘s overall aims, counsel and recommendations. Separate 2 foremost published November 2007, the Specifications, inside informations the activities that should be completed in order to run into concern continuity aims within the context of an organisation ‘s overall concern hazards ( White Paper 2008 ) .

Therefore this will take to the treatment of the two parts of the criterion to show their relevancy to fiscal establishment.


BS 25999 provides a footing for understanding developing and implementing concern continuity within an administration sing assorted events that could take to breaks of services and the criticalness of their concern procedure. It besides contains a comprehensive set of demands base on Business Continuity Management best pattern and covers the whole BCM life rhythm. It replaces the PAS 56 which itself was publically available paper published 2003 ( BSI 2007 ) .

Mike low province that Business continuity appraisal tool such as BS 25999 will assist fiscal organisation to understand how to fix a continuity program in a simple yet effectual frame work and will give confidence and added value to their concern enabling them to show improved hazard direction ( Mike 2007 ) .

BS 25999 portion 1 therefore, proposes and evaluate concern continuity base on this aggregation of procedure and resources referred to as whole system believing. It besides outline the uninterrupted life rhythm of a concern direction system peculiarly in the financial/banking sector, specifying the system as a life and continuously germinating programme ( BSI 2007 ) . The figure below depicts this life rhythm of BS 25999 applicable to fiscal administration:

By concentrating on the impact of break, BCM identifies those merchandises and services at which the fiscal organisation depends for its endurance such as information systems, information engineering, people, informations base direction and endorse up sites ; and can place what is required for the fiscal organisation to go on to run into its duties to their clients every bit good as interest holders.

In the illustration of figure 1 of the BCM life rhythm which encompasses six elements that can be implemented by organisations of all sizes, in all sectors: public, private, non-profit, educational and fabrication sectors. The range and construction of a BCM programme can change, and the attempt expended will be tailored to the demands of the single organisation, but these indispensable elements still have to be undertaken. ( BSI 2006 ) these are as follows:

BCM programme direction

This stage besides incorporates all the procedure every bit good as activities required to guarantee that BCP undertaking is decently and suitably planned. Planning is the most indispensable portion in any stage of concern continuity and it start with the understanding the procedure that is critical to the administration endurance. ( Jaques et al 2004 )

Understanding the Financial Organization

Understanding the administration provide information on critical concern procedure that enables prioritization of fiscal organisation ‘s merchandises and services and the urgency of the activities that are required to present them. This sets the demands that will find the choice of appropriate BCM schemes ( BSI 2006 )

Determining concern continuity scheme

Wilson 2000 refers this stage as a stage that entails the designation of assorted schemes which will concentrate more on guaranting concern continuity and recovery in fiscal sector. It besides requires the reappraisal of the assorted identified catastrophe scenarios to develop methods to cover with these state of affairss.

Developing and implementing a BCM response

Business Impact Analysis ( BIA ) must be done to place and analyze critical fiscal concern procedure. This will place the impact of this critical concern procedure to the fiscal establishments in the event of child or major catastrophe. Once the analysis is complete, the impact that assorted catastrophe may hold on the concern should go clear ( Gordon 2000 ) .

BCM exercise, keeping and reexamining BCM agreements

This portion involves proving the program in topographic point, and to find whether the eventuality programs are adequately written to guarantee continuity of fiscal concern procedures and the recovery of informations Centres. Furthermore, proving will assist to find whether the programs can be implemented on clip every bit good as finding where ascent is necessary due to germinating engineering ( United State General Accounting Office, 1998 ) .

Implanting BCM in the organisation ‘s civilization

Implanting BCM in the fiscal organisation ‘s civilization enables BCM to go portion of the fiscal organisation ‘s nucleus values and instils assurance in all stakeholders every bit good as clients in the ability of the organisation to get by with any signifier of breaks ( BSI 2006 )

BS 25999 AS A Certification

This British Standard specifies the demands for planning, set uping, implementing, operating, monitoring, reexamining, exerting, keeping and bettering a documented BCMS within the context of pull offing organisation ‘s that includes fiscal sector overall concern hazards. It is non the purpose of this British Standard to connote uniformity in the construction of a BCMS but for fiscal organisation to plan a BCMS that is appropriate to its demands and that meets its stakeholders ‘ demands. These demands are shaped by regulative, client and concern demands, the merchandises and services, the procedures employed the size and construction of the organisation and the demands of its stakeholders ( BSI 2007 ) .

The intent of the enfranchisement stage is to specify the boundaries of the BCMS and to guarantee that fiscal administrations aims are clearly stated, understood and communicated, top direction ‘s committedness to BCM is demonstrated, resources are allocated and those with BCM duties are competent to execute their functions ( BSI 2007 ) .

This is a Specification that inside informations the demands for a Business Continuity Management System ( BCMS ) that most administrations desiring continuity should follow. It is auditable which means that fiscal organisation will be able to show conformity via a enfranchisement procedure. Bing certified to BS 25999 by BSI will be the ultimate confidence to stakeholders that fiscal administration comply with BCM best pattern ( BSI 2007 ) .

BS 25999 goes beyond simple formalistic Business Continuity Planning to include the constitution of a concern continuity direction system ( BCMS ) . This apply the Plan-Do-Check-Act ( PDCA ) methods which includes planning, proving, preparation and changeless rating of the people, procedures, installations, engineerings and all things related to Business continuity Plan. ( White Paper 2007 ) . It besides ensures continual betterment and allows for the alliance or integrating with other direction system criterions such as ISO 9001 and ISO/IEC 27001 ( White Paper 2007 ) .

BS 25999 hence enable fiscal organisation to place the critical activities and resources needed to back up its key merchandises and services, understand the menaces to them, take appropriate hazard interventions, develop and implement appropriate BCM programs and agreements to pull off any incident and go on its critical activities, to verify the on-going effectivity of the BCM agreements in other to supply greater confidence following an incident that critical activities will be recovered as required ( BSI 2007 ) .

The following phase of this undertaking work will detail how BS 25999 is used in the fiscal sector.


In the event of a concern break, Business Continuity Management ( BCM ) helps organisations to place and fix for critical concern operations that impact upon the proviso of your services or merchandises to your stakeholders, peculiarly your clients. This is critically of import for organisations with planetary complex supply ironss such as fiscal establishment or where there is a single-point of dependence from either the provider or client side ( Raz 2009 )

Recent studies by Hunter have confirmed that the fiscal sector is blazing the trail in concern continuity planning, and is much better at guaranting that employees know about eventuality programs and what to make in the event of catastrophe. YouGov ‘s latest study in this country reported that 91 per cent of employees in fiscal services houses understood their continuity programs, compared with merely 41 per cent in the following best prepared sector, professional services. ( Hunter 2009 )

Butterfield Bank in their recent research identified electronic mail and it associated security as a critical system that needs betterment, they use mime dramatis personae ‘s electronic mail direction system to run into this demand. The cost nest eggs came chiefly from automatizing Spam filtering, which had become a extremely intensive manual advancement because other filters had failed to work. The consequence was that worlds had had to sift through much of the Spam flood, which had reached 17,000 an hr, harmonizing to the bank ‘s main engineering officer, James Knapp ( Hunter 2009 )

In a related development, there is besides the major affair of natural catastrophes, which must be considered as portion of any good concern continuity scheme. Butterfield Bank is on an island topic to occasional hurricanes and besides to a great extent reliant on submarine overseas telegrams for its communications. As a consequence the bank has set up an surrogate site in Halifax, Nova Scotia, Canada, for its critical electronic mail system. It should hence be able to run throughout the hurricane season without any breaks ( Hunter 2009 )

On a smaller graduated table, IT catastrophe impacting fiscal houses will ruffle through a supply concatenation, impacting even those with stalwart continuity programs. “ The fiscal sector continuity programs might be great, but the 3rd party such as seller they work with might non be so good in alining with the criterion. The Standards such as BS25999 will play a critical function here in harmonizing and supplying enfranchisement for continuity programs. Firms within a supply concatenation can so corroborate that all their spouses comply with the criterion, heightening resilience ( Hunter 2009 )

Therefore, for the intent of this thesis, attempts will be concentrated on the impact of this Standard in the fiscal sector, comparing the two parts of the criterion, Gap analysis of the two parts if any every bit good as look intoing the fiscal establishments utilizing the criterion and measure their experience for the remainder of this chapter.

Chapter THREE


In what seems to be an progressively disruptive universe, concern continuity direction had seen this as a immense challenge and has risen up to the corporate docket in recent old ages and nowhere is this more apparent than within the fiscal services sector. As the anchor to the economic system of most of the states in the universe, any major or minor operational break to a portion or all of the fiscal establishment systems would hold a important impact within the state and on the planetary fiscal markets.

Implementing the standard BS25999 in fiscal sector is going progressively of import, sing the criticalness of their concern to better their resiliency towards any signifier of catastrophe, the likeliness of its happening, cost and continuance of fiscal concern break of such unpleasant and unexpected breaks. For any effectual execution of the criterion in the fiscal sector, involves the deep apprehension of the concern procedure and alining the procedure to suit the incorporation of the standard BS 25999.

Implementing the criterion within the fiscal sector encompasses the consideration of the undermentioned rhythm:


If any fiscal industry has no entree to their informations after a catastrophe, it is virtually impossible to retrieve. Having an efficient and effectual back up program in topographic point, play an of import function in the foundation of farther recovery attempts ( Koski, K 2001 ) . Fiscal establishment informations are largely the critical concern procedure which is identified during Business Impact Analysis ( BIA ) , so one time the information is listed it should be ensured that they are safe backup decently and out of weaponries manner. This is achieved through regular backup and offsite storage of informations ( Jacques et al 2002 ) .


In the continuity strategic stage of the criterion within the fiscal sector, the direction frequently identifies assorted recovery options by measuring the recovery clip frames, the recovery point aim ( RPO ) , and recovery clip nonsubjective ( RTO ) for the most critical concern procedure. Fiscal establishment see the handiness and unity of their cyberspace and ICT highly of import in the safeguarding of transferring of financess and fiscal assets, which they could non afford to be down for an hr or there about because of the immense fiscal impact of this procedure on their concern. These along with the exigency response processs and the recovery processs written in the execution stage must aline with the content of the standard BS25999 ( Jacques et al 2002 )


This stage aims at guaranting the continuity of all critical concern procedure within the fiscal sector while information engineering is retrieving. The event of 9/11 onslaught on universe trade Centre that grossly affect fiscal establishments such Deutsche Bank, Bank of America and many more makes this stage of import and is similar to the catastrophe recovery rhythm. The strategic execution of this phase takes into full history the criterion which is BS 25999, the procedure continuity process and squad designation. This will farther concentrate on the effectivity of the program and the care to guarantee the program is up to day of the month.


There should be a reappraisal of concern procedure to guarantee fiscal information and policy is right and aligns with the demands of the standard BS 25999 within the fiscal sector. Here is the insurance screen reappraisal and the concentration on the concern as a whole, public dealingss readying to protect the image of the fiscal establishments and exigency resources designation while preparation, proving and care commenced ( Jacques et al 2002 ) .


Tony Drewitt in his “ Managers usher to BS 25999 2008 ” said ; “ AS one would anticipate, the trust of many houses within the fiscal services sector on big information systems runing in a really short clip graduated tables, covering with banking minutess and the similar, has meant that they had to guarantee high degree of ITDR capableness. It hence became a natural extension of the direction subject to set in topographic point for all other operation facet of fiscal concern ” .

The Chartered Management Institute ‘s research into BCM addresses a broad scope of menaces faced by directors across the UK. It tracks directors ‘ perceptual experiences of menaces every bit good as their existent experiences of break. Loss of Information Technology is where fiscal organisation most critical concern procedure has the most frequent break, as in old old ages. Loss of people besides continues to be a major cause of break. The Chartered Management Institute ‘s research into BCM addresses a broad scope of menaces faced by directors across the UK. It tracks directors ‘ perceptual experiences of menaces every bit good as their existent experiences of break. Loss of Information Technology is where fiscal organisation most critical concern procedure has the most frequent break, as in old old ages. Loss of people besides continues to be a major cause of break.

Furthermore, sing the event of recent clip breaks such as natural and human catastrophe shows that, the hazard to fiscal establishment concern procedure breaks is reasonably high, these and many other menaces earlier mentioned to fiscal sector service bringing, brought about senior direction of many fiscal establishments to seek the execution of BS 25999 to fix and better their precaution steps.


Andrew Crockett Handbook on pecuniary and financial policy 2001 said that the growing in the volume of fiscal minutess and the increasing integrating of capital market have made establishment in the fiscal sector to be more mutualist and has brought about the bow the issue of systemic hazards.

Investing direction house Baillie Gilford based in Edinburg with its offices around the universe adopted a proactive attack to Business continuity planning and the execution of the two portion of BS 25999 by incorporating their long term strategic be aftering into their nucleus concern and matched investing in its IT systems with investing to guarantee their handiness. Today, the company has been observed to hold a high handiness solution within its spouse ‘s recovery Centre, which is integrated with its ain LAN, leting rapid recovery from either an single waiter failure or the sweeping loss of its Edinburgh central office ( IT Adviser March/April 2007 )

Rauno et Al 2008 reported important losingss in net income when commercial information systems have non worked decently or hold stopped the full organisation outright, e.g. Sampo Bank, a Finnish portion of the major Nordic Danske Bank Group, lost 1000s of clients during their system migration procedure in spring 2008.

Research has besides confirmed that holding the criterion in topographic point non merely helps with the direction of their current operations but besides aid failure growing. While 46 % of Business is required by clients to demo they have concern continuity step in topographic point, three one-fourth now inquire their ain provider to make the same ( Niki Dennis 2007 ) .

Having understood the important importance of BS 25999 in driving the fiscal concern procedure, hence there is demand for consistent continuance of the concern, which brings about the apprehension of the consequence of the standard BS 25999 on fiscal sector continuity planning.

Therefore, based on this there is demand to compare the two parts of the standard BS 25999 to warrant their alliance for fiscal organisation concern continuity.


In the class of this thesis, it is seemingly of import to compare the two parts of the criterion to warrant how the complement one another every bit good as what lead to the development of the later.


The criticalness of fiscal concern procedure made senior direction of such organisation to seek for a manner of safeguarding their assets and the viability of their organisation to supply a minimal degree of functionality in driving their concern procedures.

Therefore, from the ISACA reappraisal manual 2008, I was able to infer there are three chief demands for the successful execution of this criterion in the fiscal sector which is as follow ;

  1. The designation of those critical operations that are indispensable to the fiscal organisation endurance
  2. The betterment of the security of normal operation
  3. The human and the material resources back uping the operation of the critical concern procedure

The Identification of those operations that is critical to the fiscal organisation endurance

This stage place the operation critical to fiscal organisation endurance which include the Information System and the technological infrastructural constituents that matched this application such as computing machine, hardware, package, their operating system, the information base, web equipment and application that utilizes this for uninterrupted operation within the fiscal sector. Fiscal organisation operates a 24 hours service which makes the uninterrupted being of their critical concern procedure highly of import.

This facet is what the two parts of the standard references so that in the event of break of concern procedure, fiscal organisation could set their concern operation back and running within a moderately acceptable period of clip sing the exigencies of their dealing and fiscal deduction for a system down clip of more than 1hour.

The betterment of security of normal operation

This encompasses the exposure of the fiscal concern procedure, and involves the countermeasure that could be devised to diminish the chance of happening of events that could take to minor or major break of fiscal concern procedure. The execution of the standard BS 25999 demands to suit other security policies within the fiscal organisation such as ISO27001 without any clash. The chief conditions of security which is handiness, confidentiality and care of unity of fiscal information system has to be checked on a regular basis and embedded in the standard BS 25999.

The Human and Material resources back uping the operation of critical concern procedure

This straight relates to the strength of the work force of the fiscal organisation, the duties of the employees and the organisation policies and processs back uping their duties are really critical to the execution of BS 25999. Segregation of responsibilities here is highly of import every bit good as the operation back uping the critical concern procedure such as intranet, cyberspace, runing systems, regular back up of informations, informations direction, security in safeguarding the transference of financess every bit good as fiscal assets, and direction of the backup site.

Furthermore, it is imperative to look into the cost of implementing this criterion and see the cost benefit ratio to see whether it is cost effectual on the portion of fiscal establishment to implement the standard BS 25999.


Perry Johnson 2008 deduced the professional stairss to implement BS 25999 to its best pattern as generated from catastrophe recovery institute international. In his research work, reveals that the best pattern is applicable to all organisations where fiscal sector falls into.

He farther stressed on the rules of implementing BS 25999 demands every bit good as the of import facet of developing and keeping a Business Continuity Management system that encompasses the followers ;

Undertaking Initiation and Management

This merely depict that for successful execution of the standard BS 25999 any organisation seeking to implement must transport out a spread analysis that aligns with the organisation long term strategic program. Gap analysis can be conducted be finding the criticalness of different map within the organisation and Identifying who are responsible for maintain the critical procedure.

Pertinent to the fiscal sector, self appraisal should carry on for those whose duties are to keep the critical procedure through encephalon storming subdivision, interview every bit good as feedback generated from clients and interest holders.

Hazard Evaluation and Control

The feedback from the analysis of the undertaking induction and direction will infer the likeliness and impact of possible hazards fiscal services. Most fiscal organisation respect online banking as one of their critical dependences and the hazard to its break ( Down Time ) will hold a immense impact on their concern peculiarly in financess and fiscal plus minutess. In any instance when the critical maps of the fiscal sector are interrupted, there should be minimal and maximal tolerable period of breaks in other to cut down important fiscal loss.

Besides it is significantly of import to guarantee that the clip to restart normal operations is non exceeded at any point in clip. The graph below demonstrates the degree of public presentation per clip for any organisation.

Business Impact Analysis ( BIA )

Business Impact Analysis ( BIA ) is an operation or procedure that is indispensable in the endurance of any concern. BIA is besides a critical measure in developing concern continuity program, this identifies the resources require for critical concern procedure or unit to return into its full operation after any break or catastrophe. The designation of the hazard rating will warrant its impact on the concern procedure.

Developing Business Continuity Management Strategies

The consequence of the Business impact analysis from the hazard rating will take into developing continuity schemes that aligns with the long term aims of the organisation and the eventuality planning every bit good. Therefore, developing a BCM schemes will visibly pull off the hazard that could ensue in black event, cut down the clip taking to retrieve when an incident occur and more significantly, minimise the hazard involved in recovery procedure.

Emergency response and operation

This is specifically designated to pull off suitably any information about every incident that could be regarded to hold childs or major impact to the organisation. Therefore, there is coordination here by associating the catastrophe to the timely recovery aim of any organisation.

Crisis Communication

This mainly trades with what information is to be communicated in footings of crisis, who should be responsible for the communicating, where is the meeting point during crisis, what confidence should be given to the member of the populace in this respects. More significantly, the usage of call tree is virtually adopted by most organisations in footings of crisis communicating.


The cost of implementing the criterion within the fiscal sector could merely be justified through a cost benefit analysis. This could merely be done by placing the criticalness of the concern operation/ map to the long term aim of the organisation, analysing the impact of this critical map in the event of any breaks every bit good as quantifying the impact of these breaks financially and in footings of the organisation repute.

Having done this, the senior direction of the fiscal establishment can now critically analyze the important benefit of implementing the criterion to the cost of pull offing catastrophe if the criterion is non in topographic point. Having done this, the senior direction of the fiscal establishment can now critically analyze the important benefit of implementing the criterion to the cost of pull offing catastrophe if the criterion is non in topographic point.


Therefore in warranting this suitably, the following chapter of this undertaking will elaborate further and suitably the cost benefits analysis of implementing the criterion within fiscal sector.

Chapter 4


This chapter will turn to the methodological analysis used in garnering my informations, and the analysis of the information gathered will hence be transformed into information that will be utile for the intent and aims of this survey. The information was generated through questionnaire since questioning cardinal people responsible for those information ‘s are non willing to portion the information with me via interview. The inquiries therefore were structured in a manner that meets the aims of this survey and analysed as follows ;

Chapter FIVE


Sing the complexness of the nature of concern within fiscal sector, the research work of this undertaking will add new vision to the bing theories that BS 25999 provide a good starting point for Business Continuity Planning peculiarly to guarantee that direction of fiscal concern are capable of pull offing their functionality every bit good as run intoing regulative duties in the event of unanticipated break.

To understand the important impact of unanticipated break to concerns, the fiscal sector is selected for research to research an extended cognition about the applications of the criterion, and besides because of the criticalness of fiscal sector concern procedure. The study hence conducted within fiscal sector reveals that the issues environing the execution of the standard BS 25999 Centre round the care of their current informations, resources and expertness when a alteration of any signifier occurs every bit good as to guarantee that fiscal organisation retains its resilient position in the event of any break.

The exposure of fiscal sector concern procedure additions as Numberss of their indispensable functional systems are more and more dependent on Information Systems which culminate into the execution of BS 25999 as an confidence that their system is adequately prepared for any unexpected fortunes. It is every bit of import to observe that information in fiscal sector are in electronic signifier such as recognition card informations, financess transfer and fiscal plus transportation which are critical to their concern and more vulnerable to put on the line. Therefore, more attempts are continually made to maintain this information confidential and protected from any signifier of break and unauthorised entree.

Patrick woodsman 2008 in his research diagrammatically represented below stated the usage and consumption of Business continuity criterion BS 25999 that varies widely within peculiar industry sector. He stated further that 89 % of directors working within fiscal sector and insurance studies their organisation have BCPs ; this is every bit followed by Utility, gas and H2O with 83 % , local authorities 69 % , concern services 43 % and IT sector 33 % . This farther support the consequence of the study I conducted within the fiscal sector analyze in my methodological analysis inquiry 5, 6 and 7 where most respondents demonstrate the importance of the criterion within the sector through their response.

The study conducted for the intent of this research work is besides to picture farther the readiness of fiscal sector towards any signifier of catastrophe or concern break due to systematically altering work environment. Therefore, fiscal sector are using more holistic attack to guarantee they are more resiliency in the event of child or major breaks.

Consequently that a more robust and relative attack are to be designed by direction to suit the execution of the criterion within the fiscal sector that takes into consideration their size every bit good as organisation long term strategic program.

Furthermore the research work from the respondents study analyzed in the methodological analysis besides depict that size of organisation is a determiner of BS 25999 consumption within fiscal sector. This farther aligns with the study conducted by Patrick Woodman 2008 diagrammatically represented below that big organisation are more likely to hold BCP. He stress further that privates companies every bit good as voluntary/ non-for- net income sector show lower degree of consumption.

Even though the decision of this research work is restricted to the jobs encountered acquiring most of the response back, nevertheless the small response gotten had greatly contributed to the success achieved so far in this thesis and had impacted greatly to the part of cognition in the country of BS 25999.


Among the organisation that this research was specifically carried out on such as Barclays, HSBC, NatWest, Halifax, HBOS, Abbey, Investment banking, Lloyds and many more reveal from the questionnaire of the study that the in-depth of the standard BS 25999 is going an progressively demand within the fiscal sector. Hence, attempts are been made to do certain that their organisation is up to the criterion in the event of unprecedented breaks.

Besides, from the study reveals that the execution of the criterion does non merely necessitate technological or physical demand, but cognitively people and accomplishments demands are of equal importance in the successful execution of the standard towards safeguarding the concern procedure of fiscal sector.

The universe is a globalised changing environment which makes most organisations to continually and systematically reassuring their clients that their accomplishment so far, is non merely a merchandise of what the company offers but besides the appraisal of quality and consistent service they are able to render. Therefore, from the analyzed study the frame work of BS25999 had significantly helped most fiscal establishment in hazard extenuation, hazard recovery and continual betterment of their critical concern procedure.

Perry Johnson 2008 research shows the direction system that works with BS 25999 includes ISO 9001:2000 and ISO 27001: 2005 which specifies the demand of quality direction system pertinence to any type of concern and demand for information security direction system severally. He stress further that ISO 27001 and BS 25999 have requirement related to disaster IT recovery important to fiscal sector.


In the procedure of this survey, tonss of jobs emanated in acquiring information from targeted organisation through interview as most of these Organizations such as Barclays, HBOS, HSBC, NatWest, Lloyds, Halifax and host of others were really loath to discourse any confidential information with me. This I can understand might be due to their organisation policies and processs every bit good as recent economic crisis.

It was on this note that the questionnaire analyzed in the ulterior chapter of this survey was designed and distributed. Out of about 40 questionnaires distributed through station, merely 5 responses were gotten back which represent 12.5 % response. This was a large restraint as the response is an highly low comparison to the purpose of this survey.

Further to this, I encountered myriads of other jobs that include but non limited to some articles that are comparatively for sale on the web site, the text books which I considered would hold contributed to the development of cognition were every bit good expensive. More significantly, the two parts of the Standard BS 25999-1 and BS 25999 were seemingly for sale and the tool kit for the criterion were outrageously expensive for me to buy which represent a major reverse.

Furthermore, understanding that this is an of import research work sing the event of the recent times breaks to organisation which needs thorough homo and material resources in garnering informations, hence I have been streamlined in garnering informations in this respects because of the development of the criterion is merely 3-4years old and there is soon no international criterion for BCP at the minute. These comparatively limit the sum of recent research that could be gotten in relation to the survey.


Having fastidiously carried out this research, I want to do the undermentioned recommendation to better understand the full consequence of the criterion which is as follows:

  1. That fiscal organisation should understand at that place critical concern procedure and see the important importance of the enfranchisement facet of the standard BS 25999 before traveling for it
  2. That the consumption of this criterion globally since its development is significantly overpowering, which depict the consequence of it on most organisation and its contents deserving been nationally accepted
  3. The tool kit for the execution of the criterion should be embedded in fiscal organisation sector to aline their preparedness to the standard BS 25999


  • Bird L, 2007, choosing the tools to back up the Procedure. In ( P.barnes, A Hile: Editors ) : The unequivocal enchiridion of Business continuity Management. Wiley 2007, pp263-279
  • British Standard Institution 2009, Business Continuity Standard Minimizing disruption-Maximizing recovery. hypertext transfer protocol: //
  • BSI October 6th 2008 publication on Business Continuity BS 25999 ; Embedding Business continuity in the Industrial Bank of Korea in the Business Standard October 6th, 2008. hypertext transfer protocol: //
  • Divya Patel 2004. Business Continuity Planning: Network to Protect Asian Bank Journal Issue 46 June 2004 hypertext transfer protocol: // ( $ All ) /3D5CF9D3700E26EB48256E90001BF395? OpenDocument
  • DBS News released June 2003. hypertext transfer protocol: //
  • Debt to income ratio Published in the Business criterion of 23rd July 2007
  • Glen, J. ( 2002 ) . What is Business Continuity Planning? How does it differ from Disaster Recovery Planning? Disaster recovery diary [ online ] . [ Cited May 11, 2002 ] Available from cyberspace URL hypertext transfer protocol: //
  • Gordon C, 2000 How to Cost Justify a Business Continuation Plan to Management Disaster Recovery Journal Volume 13 Issue 12. hypertext transfer protocol: //
  • Hawkynss, S. , M, Yen, D. C. & A ; Chou, D. C ( 2000 ) . Disaster Recovery Planning: a scheme for informations security. Information Management and Computer Security, 8 ( 5 ) , pp 222-229
  • How to deploy BS 25999 2nd edition by Avalution Consulting and BSI direction systems America 2008. hypertext transfer protocol: //
  • ISACA CISA Review manual 2008 page 456,458. hypertext transfer protocol: //
  • Ken Doughty 2002 Business continuity: A concern endurance scheme Information System Control, Volume 1, 2002 hypertext transfer protocol: // Section=Journal & A ; CONTENTID=16991 & A ; TEMPLATE=/ContentManagement/ContentDisplay.cfm
  • Jacques Botha and Rossouw Von Solms 2004 Cyclic Approach to Business Continuity Planning
  • John Leyden 2008, HSBC e payment system goes titsup ( once more ) published April 2008 hypertext transfer protocol: //
  • Julian Thrussell 2008, Public sector: Business as usual? Business Standard October 2008. hypertext transfer protocol