Matthew Oberst wrote a new post on the site Matthew Oberst 7 years, 8 months ago
An e-portfolio allows students to have a mini-website that employers can look at to get a well-rounded idea of who that student is and what their skills are. An e-portfolio is a great complement to a […]
-
Matthew Oberst wrote a new post on the site Matthew Oberst 7 years, 8 months ago
The best event that the MIS Department holds all year is undoubtedly the IT Awards. The awards are a great opportunity for MIS students to network with professionals and recognize their peers and faculty for the […]
-
Matthew Oberst wrote a new post on the site Matthew Oberst 7 years, 8 months ago
Last spring, I had the pleasure of attending the AIS National Competition and Leadership Conference at Indiana University. The conference is when AIS chapters from around the world meet to compete, network, and […]
-
Sean M Dougherty wrote a new post on the site Sean Dougherty 7 years, 8 months ago
The MIS e-portfolio is a tremendous digital branding tool. I feel fortunate to utilize it as a way to distinguish myself from my peers at other universities; whereas a resume only provides a very general snapshot […]
-
Noah Gottlieb wrote a new post on the site ITACS 5206 8 years ago
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
-
As Dr. Singleton points out in our “What Every IT Auditor Should Know About Backup and Recovery” reading, Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are two distinct concepts.
The DRP is put in place to address the loss or interruption of digital/business infrastructure as a result of a disaster, such as a fire or a terrorist attack. A BCP is a strategy, not simply a plan, to mitigate downtime to core business functions. The distinction can appear to be subtle, but I think the following example makes it clearer.
If Acme Motors suffers a catastrophic fire in the factory that houses its data center and automated assembly line, the company would rely on its DRP to address the loss and destruction of key infrastructure.
However, if Acme Motors were looking to migrate its data center to the cloud while replacing 70% of the automated assembly line, it would need to rely on its BCP. Acme would be concerned about minimizing downtime to its business functions as a result of corporate strategy, not a disaster.
-
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.
Given the human tendency to look on the bright side, many business executives are prone to ignoring “disaster recovery” because disaster seems an unlikely event. “Business continuity planning” suggests a more comprehensive approach to making sure you can keep making money. Often, the two terms are married under the acronym BC/DR. At any rate, DR and/or BC determines how a company will keep functioning after a disruptive event until its normal facilities are restored.
Technically, the Disaster Recovery Plan (DRP) deals with the restoration of computer systems with all attendant software and connections to full functionality under a variety of damaging or interfering external conditions. In daily practice Business Continuity often refers to disaster recovery from a business point-of-view, or dealing with simple daily issues, such as a failed disk, failed server or database, possibly a bad communications line. It is often referred to as the measure of lost time in an application, possibly a mission critical application.
In short, we can say that a Disaster Recovery Plan addresses the procedures to be followed during and after the loss, whereas a BCP is the preemptive process put in place in preparation for the handling of a disaster.
http://www.cio.com/article/2439506/security0/business-continuity-and-disaster-recovery-planning-definition-and-solutions.html#1
http://www.disasterrecoveryplantemplate.org/difference-between-drp-and-bcp/
-
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are two different concepts. BCP is the organizational strategy involved with ensuring the continuous operation of core business functions during and after a disaster. DRP is a subset of the overall BCP and is more specific. DRPs may be developed for specific groups within the organization to allow them to recover a business application or function.
The best way to look at this is that BCP is proactive in approach. It defines potential assets and threats associated with core business processes that may adversely affect the business, and derives alternative approaches to maintain business operations and stability. For example, if a building catches fire, where will the employees work from?
DRP is reactive in approach, because it outlines the actions that a business takes after an adverse event. These might include information on how to recover data or what to do in the event of loss of critical staff.
-
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. In other words, it provides detailed strategies on the steps that employees must follow during, and immediately after, a disaster.
The business continuity plan (BCP) takes the disaster recovery plan one step further. It is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that personnel and assets are protected and able to function in the event of a disaster.
These plans are interdependent, but each covers items that the other does not. In fact, DRP includes preventive strategies, whereas BCP introduces strategies that the business will use to maintain operations.
http://smallbusiness.chron.com/disaster-recovery-plan-vs-business-continuity-plan-1087.html
-
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Though Business Continuity Plan and Disaster Recovery Plan are used interchangeably, they have different meanings.
A business continuity plan is business centric and people centric, and it focuses on management oversight and plans to make sure that the entire business can continue to operate effectively with as little disruption as possible during and after a disaster. It involves rigorous planning and commitment of resources to plan for the recovery. A BC plan includes all departments and defines the steps to be followed. It ensures that employees are aware of what needs to be done and where to go in case of a disaster. Example: fire drills, emergency contact numbers, etc. BCP includes both the DRP, recovering a facility rendered inoperable, and the restoration plan, which is used to return operations to normality.
A disaster recovery plan is a part of the business continuity plan. It is data centric, i.e. it is concerned with the process of replicating and storing data so that it can be quickly recovered when disaster occurs. It ensures that the data will be easily accessible so that the downtime to restore operations is minimal and it won’t affect the daily operation of the business. Having a backup in a different location, mirroring of data centers, and properly defined restore points all come under DRP.
-
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
While Business Continuity Plans and Disaster Recovery Plans might sound alike, they are in fact two different areas. One can see this by looking more closely at the names of each plan. For Business Continuity, the plan is to continue the business operations through events such as natural disasters without any “hiccups”. This plan essentially outlines multiple steps an employee should take for a variety of events such as fires, natural disasters, building collapse, etc. In my experience when I did an Internal Audit internship, our BCP included the names, telephone numbers, and addresses of all the members of my department, as well as where the designated backup meeting spot was (at a hotel down the road) and telephone numbers of other important staff. The key focus of the business continuity plan is to have the business continue its operations through its personnel during a disastrous event.
Disaster Recovery Plans are different and, as the name implies, are a plan to recover after a disaster has occurred. These plans usually revolve around maintaining or recovering data and IT infrastructure after a disaster has occurred, but can also encompass recovering business processes as well. This plan essentially outlines, if a business were to experience a disaster, what its steps would be to go back to pre-disaster or new desired conditions. With that being said, one of the key areas of disaster recovery is the protection and use of data within a company. Since many businesses run off of data or online communication, it is crucial that a Disaster Recovery Plan include some form of data backup policy and how that data will be recovered into the system. The key focus of the disaster recovery plan is to recover business processes and information after a disaster has occurred.
-
They are different!
A disaster recovery plan provides detailed strategies about the processes and procedures an organization must put in place immediately to ensure that critical functions can continue during and after a disaster and to recover from the event, such as emergency supplies, flashlights, and backup business information.
A business continuity plan refers to more comprehensive planning that identifies the long-term, crucial strategies that are needed to ensure that the business maintains stability. It includes DR and addresses how the business will continue its key operations after the disaster. It also refers to how the business will continue its operations after smaller events, such as power outages.
-
These two terms are always used together, so people forget that there are differences between them.
What is BCP?
It identifies contingencies and alternatives for continuing business, and allows the business to define key parameters for the development of the DRP. It is concerned with keeping business operations running after disaster has struck.
What is DRP?
A DRP specifies how the recovery of a function will be performed. Within a DR plan, there will be individual component system recovery plans that specify steps to recover applications.
BCP tends to focus on the whole business; DRP tends to focus more on a specific side of the business, such as the technical side. It is easier to think of a BCP as an umbrella policy and the DRP as part of it. There is a good chance the whole strategy (BCP) will be either less effective or useless for department use when a disaster happens. On the other hand, a DRP can stand alone, and many companies can do fine without a full continuity plan. BCP is typically set up on a day-to-day basis. The reason to have a BCP is that the company wishes to remain able to provide its service or product to customers. A properly defined BCP would include considerations such as paper processes, communication with customers and suppliers, staff relocation, location of other documents, and contact details.
links: https://www.grittechs.com/difference-bcp-dr
-
Q1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
BCP and DRP are not synonyms; rather, they are different.
• Business Continuity Planning: a policy cum implementation of measures which will ensure continuity of critical business operations after a disaster has struck
• Disaster Recovery Planning: a set of “fail-over” arrangements which ensures restoration of systems, operations and data without loss.
Following are the differences between BCP and DRP:
BCP
a. Strategy: Business Continuity
b. Concerns principally with the continuity of business functions even after the disaster has struck
c. Objective is to ensure Enterprise wise continuity of operational activities essential for business
d. Guidance and planning derived from IT Governance and directed by Governing body
e. A broader approach of identification of critical business processes, assets and people
f. Essentially Under Governance-top down approach
g. Defining the metrics for recovery is a MUST
DRP:
a. Strategy: Recovery from Disaster
b. Concerned mainly with the ability to recover the main systems after disaster.
c. Objective is effective recovery defined by metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
d. Guidance and planning are usually responsibility of the IT Head
e. Minimize the effect of Disaster
f. Governance is not emphasized
g. Metrics for recovery & restoration not emphasized
-
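The RTO and RPO metrics named in the comparison above are the point at which a DRP becomes testable: after an incident, each system's actual downtime and data loss can be checked against the objectives the BCP set. The following is an added example, not code from this thread or the course material; the system names, objectives, backup times and outage records are constructed. It also handles the two cases a post-incident review most often gets wrong: a backup that completed after the failure is not a usable restore point, and a system with no backup at all cannot meet any RPO.

```python
"""Check DR outcomes against the RTO/RPO metrics a BCP defines.

Added example, not code from the original thread. System names, objectives,
backup times and the incident records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Objectives:
    rto: timedelta  # Recovery Time Objective: longest tolerable downtime
    rpo: timedelta  # Recovery Point Objective: longest tolerable data-loss window


@dataclass(frozen=True)
class Outage:
    system: str
    failed_at: datetime
    restored_at: Optional[datetime]  # None while the system is still down


@dataclass(frozen=True)
class Result:
    system: str
    downtime: timedelta             # elapsed so far if not yet restored
    data_loss: Optional[timedelta]  # None when no usable restore point exists
    rto_met: bool
    rpo_met: bool


def last_good_backup(backups: List[datetime], failed_at: datetime) -> Optional[datetime]:
    """Most recent backup that completed at or before the failure.
    A backup that finished after the failure is not a valid restore point."""
    usable = [b for b in backups if b <= failed_at]
    return max(usable) if usable else None


def evaluate(outage: Outage, obj: Objectives, backups: List[datetime], now: datetime) -> Result:
    downtime = (outage.restored_at or now) - outage.failed_at
    # RTO is only met once the system is actually back, within the objective.
    rto_met = outage.restored_at is not None and downtime <= obj.rto
    restore_point = last_good_backup(backups, outage.failed_at)
    if restore_point is None:
        data_loss, rpo_met = None, False  # nothing to restore from: RPO cannot be met
    else:
        data_loss = outage.failed_at - restore_point
        rpo_met = data_loss <= obj.rpo
    return Result(outage.system, downtime, data_loss, rto_met, rpo_met)


# ---- constructed sample data (hypothetical systems and timestamps) ----
T0 = datetime(2016, 10, 3)  # midnight at the start of the incident day

OBJECTIVES: Dict[str, Objectives] = {
    "payments-db":  Objectives(rto=timedelta(hours=1),  rpo=timedelta(minutes=15)),
    "hr-portal":    Objectives(rto=timedelta(hours=8),  rpo=timedelta(hours=24)),
    "build-server": Objectives(rto=timedelta(hours=24), rpo=timedelta(hours=24)),
}

# Backup completion times. payments-db is scheduled every 15 minutes, but in
# this constructed scenario the 09:30-10:15 runs failed and the next one
# finished after the outage had already begun.
BACKUPS: Dict[str, List[datetime]] = {
    "payments-db":  [T0 + timedelta(hours=9), T0 + timedelta(hours=9, minutes=15),
                     T0 + timedelta(hours=10, minutes=30)],
    "hr-portal":    [T0 + timedelta(hours=2)],  # nightly job
    "build-server": [],                          # never backed up
}

OUTAGES = [
    Outage("payments-db",  T0 + timedelta(hours=10, minutes=20), T0 + timedelta(hours=11, minutes=5)),
    Outage("hr-portal",    T0 + timedelta(hours=14),             T0 + timedelta(hours=23, minutes=30)),
    Outage("build-server", T0 + timedelta(hours=16),             None),  # still down
]
NOW = T0 + timedelta(hours=18)  # time at which the review is run


def evaluate_all(outages=OUTAGES, objectives=OBJECTIVES, backups=BACKUPS, now=NOW) -> Dict[str, Result]:
    return {o.system: evaluate(o, objectives[o.system], backups[o.system], now) for o in outages}


def breached(results: Dict[str, Result]) -> List[str]:
    """Systems whose recovery missed either objective, for the post-incident review."""
    return sorted(s for s, r in results.items() if not (r.rto_met and r.rpo_met))


if __name__ == "__main__":
    for r in evaluate_all().values():
        loss = "no restore point" if r.data_loss is None else str(r.data_loss)
        print(f"{r.system:13s} downtime={r.downtime} (RTO {'met' if r.rto_met else 'MISSED'})  "
              f"data loss={loss} (RPO {'met' if r.rpo_met else 'MISSED'})")
```

In the constructed run, payments-db comes back within its one-hour RTO but loses 65 minutes of data against a 15-minute RPO, because the only backups that count are the ones that finished before the failure; hr-portal meets its RPO but misses its RTO; and build-server, still down with no backup, fails both. The separation of the two checks is the point: a fast restore from a stale copy is a recovery, but not a recovery that meets the plan.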
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Business continuity plan and disaster recovery plan are different, even though they are both related practices that describe an organization’s preparation for unforeseen risks and continued operations.
A business continuity plan is to minimize service interruption, keep critical systems online during the recovery process, prioritize and cut scope, and consider paper-based emergency alternatives.
A disaster plan is to protect assets that provide enormous business value. It is required by law. Some companies think that backing up is a disaster plan; however, backups are just part of a larger disaster plan, and they only protect data. In addition, backups must be sent offsite. On the other hand, IT departments have the greatest insight into the company, but every other department must contribute to the disaster plan as well, because disaster planning is a business issue, not an IT issue. A disaster recovery plan should outline how a company prepares for disaster, reacts to disaster and recovers from disaster, and roles must be assigned, rehearsed and revised.
-
BCP stands for the planning of Business Continuity, and DR is the actions taken to recover from a disastrous event to bring the business back to continuity after a calamity or failure. BCP leads to DR.
Business Continuity Planning-
1. It is a blueprint of a plan if an incident occurs. BCP identifies the parameters of DR. BCP defines a plan in advance:
– Critical business activities that will be continued
– What is the process that must be followed in case of an event
– Who must be informed, and what is the time duration within which event occurrence must be reported
– Who will be the critical resources who will continue with the activities during and after event
– What is the timeline for disaster recovery?
– What level of disaster recovery plan is in place?
Ex. Level 1- Inside the same building on a different floor, Level 2- In the different city than the incident, Level 3- Continuity will be done in a different country than the country in which incident occurred
2. BCP consists of 1. BC Strategy 2. BC Plan 3. Impact Analysis 4. Recovery plan stages 5. How information of Incident will be communicated to all
3. Ex.: The BCP of an XYZ project will specify that if normal activities are halted, only critical activities like monitoring servers will be continued. The BCP will identify the critical resources who will continue to work in case of any BCP event.
Disaster Recovery
1. DR defines the steps and procedures towards resuming critical and normal activities after a calamity has occurred. DR defines steps to be followed immediately after an incident. DR is how to recover if a failure has occurred.
2. DR identifies 1. Backup Strategy 2. Risk Management 3. Emergency Response Team 4. DRP activation plan 5. DR plan for specific infrastructure ex. Media, internet, and remote connectivity.
3. DR consists of incident response, emergency response, damage assessment, evacuation plans
4. DR ex.: DR will specify that in case of an incident at location A, location B resources will take over. The resources from location B will connect via VPN to the backed-up data located at the client site.
-
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
I think these plans are different but reliant on each other, as one covers issues and situations the other does not, and vice versa. A Disaster Recovery Plan discusses the specific instructions to be followed in order to resume operations in the aftermath of a natural disaster or national emergency. Overall, this plan protects a business’s IT infrastructure by providing detailed steps that employees should follow during and after a disaster. The Business Continuity Plan follows the DRP by allowing businesses to follow a strategy tailored through the recognition of threats and risks facing the business, as well as ensuring that employees and assets are protected in the event of a catastrophe.
-
Great post Pryia and explanation. The examples you used really bring the plans to life and make the difference so much more apparent. Great job !
-
Priya*
-
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
The difference between BCP & DRP is in the name. BCP is a Business Continuity Plan. Continuity means remaining constant or continuing. This means the BCP is a plan to follow when the system goes completely down. A solution is to have a second server in place, so in case the “original” server were to go down, you could redirect traffic to the second server or a NAS device. The DRP is a Disaster Recovery Plan. This means the DRP is a plan to follow when you need to recover data or a system. A solution for this is remote backup. The data is backed up to the cloud and accessible if a user accidentally deletes an email or file.
Here is a link to ISACA: http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/Pages/ViewDiscussion.aspx?PostID=72
Here is what they say: “BCP refers to plans about how a business should plan for continuing in case of a disaster. DR refers to how the IT (information technology) should recover in case of a disaster.”
-
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Although there is some overlap between the two, they are different and not synonyms. A disaster recovery plan is essentially a subset of a business continuity plan. A business continuity plan is much broader than disaster recovery and ensures that a business will still operate in the event of a disaster or catastrophic event. Its purview includes the entire infrastructure, including both the hardware and software, not only the data. A disaster recovery plan only ensures that the data can be recovered in the event of a disaster. However, if there is a disaster and the business only has a DRP and not a BCP, then there will likely be an interruption in business operations. It will take time to recover the data and then make it accessible to the business. If the infrastructure is also damaged, then the data will remain inaccessible until the repairs are made.
-
Business Continuity Plan and Disaster Recovery Plan are different. BCP refers to the response strategy that kicks in in the event of a disaster. It involves alternate planning of employee staffing, network availability, and physical resources such as office space, desktops, and even power in case of a disaster. BCP is the steps taken to ensure that the business continues to deliver on expectations in the face of single or multiple disasters.
Disaster Recovery Plan: the actions to be taken or steps to be performed to recover the state of IT systems to the same state as before the disaster, onto the same or remote sites depending on the disaster. It includes the planned actions for restoration of data and IT systems in the event of disasters like a server crash or physical harm to equipment or a data centre.
BCP comprises the actions that need to be kicked off immediately, while Disaster Recovery may still be underway or may not even have kicked off. BCP provides the process to be followed as soon as a disaster occurs; it is the first response, while DRP provides the process to be followed after the disaster has occurred and business continuity is established.
Since BCP also covers availability of employees, it is possible that an incident can occur which would require only the BCP to be triggered and not both BCP and DRP, e.g. staff being unable to travel to the office due to political strikes or riots, and staff located in another city filling in for unavailable personnel to ensure business continuity.
-
According to ISACA, a business continuity plan (BCP) refers to plans about how a business should plan for continuing in case of a disaster. It allows a business to plan in advance what it needs to do to ensure that its key products and services continue to be delivered at a predefined level.
Disaster recovery planning (DRP) refers to how IT should recover in case of a disaster. It allows a business to plan what needs to be done immediately after a disaster to recover from the event. In daily practice, a Disaster Recovery plan often refers to a major disruption such as a flooded building, fire or earthquake disrupting an entire installation, and a data breach to an organization.
BCP
• Activities required to ensure the continuation of critical business processes in an organization
• Alternate personnel, equipment, and facilities
• Often includes non-IT aspects of business
DRP
• Assessment, salvage, repair, and eventual restoration of damaged facilities and systems
• Often focuses on IT systems
In short, DRP addresses the procedures to be followed during and after the loss, whereas BCP is the preemptive process put in place in preparation for the handling of a disaster.
-
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are not synonyms. Rather, DRP can be categorized as a subset of a BCP. BCP is all about maintaining critical business operations following a disaster. The elements necessary for business continuity include the physical location of the place(s) of business, staffing, equipment, inventory, transportation, distribution channels and of course IT systems. DRP is considered a subset of BCP because it mainly focuses on the IT systems of the BCP. DRP is the process of saving data with the sole purpose of being able to recover it in the event of a disaster. The root of disaster recovery is that data is kept in a secondary site, and plans are made to insure that the data will be recovered and the business can access it in a timely fashion.
Continuity represents a much larger scope of planning and maintenance than recovery. However, given the dependency most businesses have on technology, disaster recovery is usually a top priority because it supports all the other elements of the business continuity plan.
Source: https://www.secure-24.com/disaster-recovery-dr-business-continuity-bc-related-but-not-the-same/
-
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Although Disaster Recovery and Business Continuity sound very similar and have a lot of overlap, they are different.
Disaster Recovery:
Disaster Recovery outlines how a company prepares for disaster, what the company’s response will be in the event of the disaster, and what steps the company will take to make sure operations are restored (recover from disaster). This plan should include many possible scenarios. Since causes of disaster can vary greatly, it can include causes from deliberate criminal activity to a natural disaster like fire, from a stolen laptop to power outages and terrorist attacks. There are hundreds of possible scenarios, and they vary based on culture, geography and industry.
It is also important that the disaster recovery plan is distributed across the organization so that everyone knows their role within the plan and can also take over the roles of their teammates who are unable to perform their duties.
Business Continuity:
It’s a plan that outlines as to what steps an organization must take to minimize the effects of service interruptions.
For example, hospitals have generators to ensure that their patients still get the required treatment (service) even in the case of a power outage (interruption). Back when companies were mainly paper-driven and information processing was done using batch processing, organizations could tolerate a few days of downtime. Nowadays, technology has become faster and cheaper, and companies have thus begun computerizing their critical business activities; companies now have systems in place to minimize unplanned downtime.
Business Continuity planning focuses on sustaining an organization’s business processes during and after a disruption.
-
Business continuity is based on standards, policies, guidelines, and procedures that facilitate continuous operation regardless of the incidents. Disaster recovery (DR) is a subsection of business continuity and is concerned with data and IT systems. Although BC and DR are always used together, actually, they are two different concepts.
As the definition indicates, DR is a subsection of BCP, i.e. business continuity represents a much larger scope of maintenance than the recovery of just the data and IT infrastructure. Disaster recovery (DR) refers to having the ability to restore the data and applications that run your business once your data center, servers, or other infrastructure get damaged or destroyed. One important DR consideration is how quickly data and applications can be recovered and restored. Business continuity (BC) planning refers to a strategy that describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster, enable a business operate with minimal or no downtime or service outage.
Therefore, a disaster recovery plan is more reactive while a business continuity plan is more proactive.
Source: Vacca, http://searchstorage.techtarget.com/definition/Business-Continuity-and-Disaster-Recovery-BCDR
-
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are different. Disaster recovery is a subset, which is a small part of the overall business continuity. It is the process of saving data with the sole purpose of being able to recover it in the event of a disaster. Disasters in IT can range from minor to major: from the minor loss of an important set of data to the major loss of an entire data center.
Different from the DRP, a business continuity plan typically refers to the management oversight and planning involved with ensuring the continuous operation of IT functions. Moreover, it is not data centric, but business centric. The most important point of business continuity is to continue to do business even if a failure or disaster has occurred.
Source: http://www.datacenterknowledge.com/archives/2013/01/04/disaster-recovery-is-not-business-continuity/
-
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
From the endnote of What Every IT Auditor Should Know About Backup and Recovery, we can see that “BCP and DRP are different and separate”.
BCP is about the business continuing to operate if something goes wrong. BCP defines the business requirements for a Disaster Recovery Plan. DRP deals with the restoration of computer systems with all attendant software and connections to full functionality under a variety of damaging or interfering external conditions. DRP will specify how the recovery of a function will be performed. In a DR plan, there are individual component system recovery plans that specify steps to recover applications.
-
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
BUSINESS CONTINUITY PLANNING (BCP) – A process that organizations use to plan and test the recovery of their business processes after a disruption. It also describes how an organization will continue to function under adverse conditions that may arise.
DISASTER RECOVERY PLANNING (DRP) – A process of planning and testing for recovery of information technology infrastructure after a natural or other disaster.
Both BCP and DRP are very important to IT auditor. However, BCP and DRP are not synonyms because BCP is the preemptive process put in place in preparation for the handling of a disaster. DRP addresses the procedures to be followed during and after the loss.
Source: http://www.intosaiitaudit.org/WGITA23rd/23rdWGITAMeeting/IT_Handbook.pdf
-
DRP and BCP are both used situationally and customized depending on the needs of the companies that create and install them. The BCP is the preventative process put in place in preparation for how to respond to a disaster, while the DRP addresses the procedures to be followed during and after the loss. For example, the DRP deals with the refurbishment of computer systems in terms of getting the system’s software and connections back to full functionality. The BCP is from the business perspective and often refers to disaster recovery in terms of a failed server or database, for example.
Source: http://www.disasterrecoveryplantemplate.org/difference-between-drp-and-bcp/
-
Good example Abhay,
Hospitals usually have a special control to mitigate the risk of running out of power. It is one example of a Business Continuity Plan (BCP), which is really important to ensure patients’ safety. In the same way, companies should be able to operate at a minimum level so as not to affect consumers.
-
Good post Shahla,
Even though DRP and BCP sound similar, they are totally different from each other. A disaster recovery plan focuses on how to recover from the event, whereas a business continuity plan focuses on how to maintain its main functions during or after the event.
-
Hi Yulun,
Great post, the video really helped me understand the difference between the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP). This video describes how they are different and gives simplified reasons why. It also points out that the IT department or head should help the company write the disaster plan because they have the greatest insight into the company. Very useful video!
-
You are right, Yu Ming, DRP and BCP are similar but different from each other. Actually, the Disaster Recovery Plan is part of the BCP; besides the DRP, there are many other methods to ensure the business continuity of an organization. For example, an effective backup plan can also mitigate the risks and enhance the continuity of the business.
-
Hi, Abhay
Thanks for sharing the hospital example! It's very important to have a Business Continuity Plan (BCP) to guide the hospital in response to an emergency/disaster situation or a mass casualty incident. Patients' safety should be the hospital's priority concern. Also, organizations should strengthen their capacity to scale their response to a range of events impacting operations.
-
-
Noah Gottlieb wrote a new post on the site ITACS 5206 8 years, 1 month ago
What are the security challenges in online banking?
-
Question 1: What are the security challenges in online banking?
Online banking has become prominently global due to its ever so easy banking platform. The convenience of online banking allows its internet users to manage their bank accounts from anywhere in the world, at any given time. Like HDFC, many banks have been encouraged to partake in this trend. Furthermore, online banking saves banks a lot of resources such as operational cost, staff training, and branch and ATM investments. The basis of online banking is to dramatically enhance the users' experience by bringing access to their bank accounts to their fingertips.
However, since the Internet was not originally intended for banking, banks are now faced with a wide array of security risks for both offline and online infrastructures. Some of these risks include phishing scams, spamming, credit card fraud and identity theft, as well as many other related cyber-crimes. Subsequently, there is no doubt that the transition to online banking has greatly improved banking globally, but the absence of proper controls, whether legal or regulatory, infrastructure failures and consumer protection continue to pose major challenges for online banking operations. The objective of this case analysis is to critically evaluate the security challenges faced by online banking, as represented in the HDFC Bank fiasco.
As depicted in the HDFC Bank case study, many banks and managers are being challenged with attempting to remain cutting edge as well as strong competitors. CISO Vishal Salvi experienced this first hand at HDFC. He was being challenged with the use of new technology and software systems, all in order to remain a key player within the banking sector in India. However, one must be careful with this. They must assess and weigh the probability and impact on the business as well as maintain alignment with the business objectives. Like HDFC Bank's, many banks' CISOs are faced with the same three major dilemmas: "How do I ensure the security of an online transaction while still keeping customer convenience as a priority? Should I make secure access mandatory or should I leave it discretionary? Should I go for an onsite model or for a cloud model?" These questions are tough to answer because no two banks are the same and they face different issues.
Yet, with the many benefits of online banking, there are many inherent security risks involved, such as confidentiality, integrity and availability. These security challenges pose many risks, such as the confidentiality of the personal information being exchanged, authentication in regards to the integrity of the online banking platform, and the ability to access the platform. Conversely, there is no doubt that all of these security risks can overlap simultaneously. With that being said, a bank must secure its transactions by putting in place confidentiality and integrity controls so that the users' transactions and content exchanges with the bank remain secure; without strong authentication techniques the banks have no way to be sure that the users placing requests are the persons they say they are. The HDFC Bank case study exemplifies these risks when dealing with online banking. Today, technology is the future and will continue to expand even more throughout the future. Along with technology's evolution, online banking needs to evolve as well to combat those risks. Banks need the ability to define the risk factors involved, such as regulatory risk, legal risk, operational risk, and reputational risk. Consequently, although a considerable amount of work has been done in adapting banking and supervision regulations, continuous attention and modifications will be essential as the scope of online banking and technology increases.
Overall, there is no one-size-fits-all strategy. There are numerous different types of security dangers that affect the online banking platform. On the other hand, by focusing on a multi-layer protection approach, a bank can focus on system security, protection of consumers' interests, as well as other factors. This approach would allow a bank to implement a mix of different factors when implementing controls, a few being: shielding the authentication process from malicious activities that can affect the customer; providing customer authentication strategies which allow the user to verify the connection before accessing the site; effective communication with customers that a potential occurrence of fraud is happening, etc. As mentioned earlier, there are many risks involved with online banking, but it is up to banks to mitigate these risks to the best of their ability with the strong use of IT Governance.
Source: https://cb.hbsp.harvard.edu/cbmp/product/HKU920-PDF-ENG
-
With the rise of technology and a growing number of Internet users, banks found it convenient to offer online banking to their customers, allowing them to manage their finances anytime, anywhere. However, as online banking becomes increasingly popular, it is more vulnerable to security threats and presents various security challenges that should be addressed individually. Those security challenges include authentication, authorization, privacy, integrity and non-repudiation.
Authentication refers to the idea of virtually making sure that the user is who they claim to be. In fact, if one can pretend to be another person, the possibilities to compromise the privacy and integrity of that person's financial data are endless. Banks need to clearly identify the person accessing the account. This is usually done using single-factor authentication such as a username and password. However, with the increasing number of online frauds, the use of single-factor authentication has been inadequate for guarding against account fraud and identity theft. Hence, banks add more layers of security using multi-factor authentication, consisting of using two or more factors together, to protect customers' identity. The main issue with multi-factor authentication is user fatigue. Indeed, as mentioned in the HDFC Bank case study, customers want "simplicity", whereas authentication requires them to enter a username, a password, answers to security questions and more, just to make a simple transaction (p. 8).
Following authentication, authorization is another security challenge in online banking. Users need to not only be authenticated, but also have the permission to make a specific transaction. The authorization process is another layer of security added to protect customers' accounts. For instance, a large transaction may require approval from the bank before going through. During this approval time, the bank has the opportunity to verify whether the person who initiated the transaction is an authorized user. SafePass, used by Bank of America online banking, illustrates this concept well. It uses a 6-digit one-time code sent in a text message to the user's registered mobile number to help verify their identity before authorizing certain transactions, including higher-value transfers or logins from unusual devices. Authorization, like authentication, can be seen as tedious for users in a hurry to make a rapid transaction, for example.
Moreover, privacy should be of major concern in online banking because a breach can lead to unwanted exposure of information, which can be used to commit ID theft. The main challenge here is to teach users how to protect their privacy while accessing their online account. Indeed, personal privacy is threatened the second users log on, and this is the main fear of customers in India who would rather use physical locations. However, some privacy safeguards can be used to minimize the risk. These include strong passwords, secure devices and limited personal information sharing on social media. Additionally, when it comes to transactions, banks must create secure platforms ensuring that the exchange of sensitive information is only between the two parties involved and no one else. In other words, the sender's personal information should be kept secret in order to increase the security of the transaction.
Above all, data integrity and non-repudiation should be part of the online banking IT security system because they protect banks from fraud. Data integrity refers to the idea that banks should have security protocols leveraging encryption for transferring data. This will ensure that information can only be accessed and modified by authorized users. Similarly, non-repudiation implies that online banking should be monitored in a way that would prevent customers from repudiating transactions they authorized. For example, if users deny and claim a refund for transactions they intentionally made, the bank should have the necessary tools to prove otherwise.
A strong IT security system should take into consideration the security issues that online banking presents. Those issues are authentication, authorization, privacy, integrity and non-repudiation. Indeed, online banking offers easy access to financial accounts, which makes it a main target for phishing attacks. However, understanding the risks and challenges involved will allow banks and customers to safely protect their data.
Sources:
https://cb.hbsp.harvard.edu/cbmp/product/HKU920-PDF-ENG
http://www.ijcsi.org/papers/IJCSI-9-4-3-432-446.pdf
-
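As an added illustration of the authentication, authorization and step-up ideas discussed in the post above (the SafePass-style code for higher-value transfers, and an integrity tag on the transaction record), here is a constructed Python sketch. It is not code from the case, from HDFC Bank, from Bank of America or from any poster; the threshold amount, code lifetime, audit key and sample accounts are assumptions chosen for illustration.

```python
"""Added example: authentication, authorization and step-up checks for an
online-banking transfer.  Constructed sketch, not HDFC Bank's, SafePass's or
any poster's code; the threshold, code lifetime, audit key and sample
accounts are all assumptions made for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

STEP_UP_THRESHOLD = 10_000   # assumed: transfers above this amount need a one-time code
OTP_TTL_SECONDS = 120        # assumed: lifetime of a code sent to the registered phone
BANK_AUDIT_KEY = b"constructed-audit-key-not-a-real-secret"  # assumed bank-held key


@dataclass
class Account:
    number: str
    owner: str
    balance: int


@dataclass
class Session:
    """Result of authentication: which user the bank believes is logged in."""
    user: str
    authenticated: bool = True


@dataclass
class OtpService:
    """Issues single-use, time-limited 6-digit codes (the SafePass-style second factor)."""
    codes: dict = field(default_factory=dict)  # user -> (code, expiry time)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG, not random.randint
        self.codes[user] = (code, now + OTP_TTL_SECONDS)
        return code

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.codes.pop(user, None)  # single use: consumed on any attempt, right or wrong
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(expected, code)  # constant-time comparison


def authorize_transfer(session: Session, account: Account, amount: int,
                       otp_service: OtpService, otp: Optional[str] = None,
                       now: Optional[float] = None) -> Tuple[str, str]:
    """Decide a transfer: authentication, then authorization, then step-up for large amounts.

    Returns ("allow" | "challenge" | "deny", reason)."""
    if not session.authenticated:                      # authentication: who is this?
        return "deny", "not authenticated"
    if session.user != account.owner:                  # authorization: may they touch this account?
        return "deny", "session user does not own this account"
    if amount <= 0 or amount > account.balance:
        return "deny", "invalid amount"
    if amount > STEP_UP_THRESHOLD:                     # step-up: higher-value transfers need the code
        if otp is None:
            return "challenge", "one-time code required"
        if not otp_service.verify(session.user, otp, now):
            return "deny", "one-time code invalid, expired or already used"
    return "allow", "ok"


def seal_record(record: str) -> str:
    """Integrity tag over an audit record so a stored transaction cannot be silently altered.

    An HMAC binds the record to the bank's key; non-repudiation towards a third party
    would need a digital signature, which this sketch does not implement."""
    return hmac.new(BANK_AUDIT_KEY, record.encode(), hashlib.sha256).hexdigest()


def record_intact(record: str, tag: str) -> bool:
    return hmac.compare_digest(seal_record(record), tag)


if __name__ == "__main__":
    otp = OtpService()
    alice = Session("alice")
    acct = Account("001", "alice", 50_000)       # constructed sample account
    print(authorize_transfer(alice, acct, 500, otp))               # ('allow', 'ok')
    print(authorize_transfer(Session("bob"), acct, 500, otp))      # denied: not the owner
    print(authorize_transfer(alice, acct, 20_000, otp))            # challenge: code required
    code = otp.issue("alice")
    print(authorize_transfer(alice, acct, 20_000, otp, otp=code))  # ('allow', 'ok')
    print(authorize_transfer(alice, acct, 20_000, otp, otp=code))  # denied: code already used
    tag = seal_record("2007-03-01 alice->001 transfer 20000")
    print(record_intact("2007-03-01 alice->001 transfer 20000", tag))  # True
```

The order of the checks is the point: the session proves who the user is, the ownership test proves what they may do, and only the higher-value path pays the "user fatigue" cost of the second factor. The code is consumed on the first attempt, right or wrong, so a captured code cannot be replayed.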
Great analysis Laly.
However, when you say that “no banks are the same and face different issues,” it is both right and wrong. To me, when it comes to online banking, all banks have the same issues, the same security challenges in that case, given the nature of the service they provide to customers.
Perhaps in another context like financials or organizational structure, that statement may apply.
-
You summarized it well Magaly. Great point about a strategy not being a one-size-fits-all approach. I think the basic issues remain the same but the ways to implement them become different for organizations depending on the business operations, geographical location, the core business function and the different cultures where the business is active.
Like in this case, HDFC bank has to deal with two main problems. One, maintaining trust of customers who are used to offline and in person banking. Two, the trust is at stake even with dormant customers who have created account online but do not use it.
Another important thing to discuss is whether giving IS security to an expert vendor is a good choice over in-house management. In the case of HDFC, when they were exploring a new area and trying to recover from so many problems, it was better to take expert advice. That would save a lot of time, as experts would not be experimenting; RSA was already an expert and had explored the security solutions.
-
HDFC Bank is one of the leading private banks in India. This case analysis will focus on the question, what are the security challenges in online banking, and I will provide a recommendation.
Online banking is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institution's website. Not only was HDFC Bank facing the security problems of online banking; all online banks faced the same security problems. For example, a phishing attack is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. According to the case, "customers were receiving e-mails claiming to have originated from the bank and seeking sensitive account information, including passwords and personal identification codes."
Additionally, there is a competitive banking environment in India, so many banks quickly start online banking to take more market share. This will lead to online banking system vulnerability. Many customers are apprehensive about online transactions because online banking is still in its early stage in India. What's more, RBI announced a set of guidelines for online banking; however, Indian banks may not follow them. "RBI observed that at present some banks do not have proper security policy and methods to monitor the service level agreements with third parties and have inadequate audit trail." (Comparative Study of Online Banking Security System of various Banks in India, Rajpreet Kaur Jassal)
As the CIO of HDFC Bank, Salvi had laid out HDFC's dilemmas in strengthening security in order to face these challenges. Firstly, HDFC Bank balanced customer convenience against system security. According to the case, "she had to strike a balance between keeping the IS transparent to the customer (so that he or she breezed through an online transaction without barriers) and making it effective from the bank's point of view (so that the bank was not taken for a ride by potential fraudsters)." Second, she had to increase secure access. "Salvi was planning to introduce a second level of authentication for all online customers… and beneficiaries." The beneficiaries mean "another major part of secure access was asking the customer to provide the bank with a list of account holders with whom the online customer's transactions would be periodical and regular." Third, she selected the secure server location. Whether to locate the servers onsite or offsite should be decided by Salvi according to the two models' advantages and disadvantages. "The main advantage of the cloud, as its name suggested, was that it was fluid and elastic. It could expand and contract depending upon the need of the user to scale up or scale down the relevant computing services."
It is necessary for Salvi to solve those issues, and I provide some recommendations for Salvi in order to increase the level of security, as follows:
1. Creating a cyber security policy and internal controls. HDFC Bank should follow the RBI regulations to create a security policy for the bank, which can provide specific documented business rules to protect information and systems in order to optimize risks and resources. It is critical for a bank to understand the role IT plays in order for the department to help the bank succeed.
2. Increasing the security level of the online banking system through a layered security approach. When the bank accepts a transaction, it should be verified by Visa, MasterCard SecureCode and JCB J/Secure. Additionally, the bank should monitor irregular large-amount billing transactions. The bank can also use adaptive authentication for e-commerce. Those methods would minimize the risk of transactions through the online banking system.
3. Freezing dormant accounts. If the time that customers don't use their online accounts exceeds 6 months, the bank will be able to freeze the dormant accounts automatically. Users can reactivate their accounts online by using their authentication information.
4. Building up cloud computing with dedicated bandwidth. Although this practice costs the bank a lot of money, it is the most reliable way to provide trustworthy financial services to customers.
Overall, those recommendations can help HDFC improve its secure online system, and those recommendations can also be used by other Indian banks.
-
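Recommendations 2 and 3 above (monitoring irregular large-amount transactions, and automatically freezing online accounts dormant for more than 6 months) can be expressed as concrete checks. The following Python sketch is an added example, not HDFC Bank's or any poster's code; the 183-day reading of "6 months", the absolute review floor, the statistical factor and the sample account histories are assumptions.

```python
"""Added example: dormant-account freezing and irregular-amount screening
for an online-banking channel.  Constructed sketch, not HDFC Bank's code;
the dormancy window, review floor, sigma factor and sample histories are
assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import List, Optional, Tuple

DORMANCY_DAYS = 183           # assumed reading of "6 months"
MIN_HISTORY = 5               # assumed: with fewer past transactions, only the floor applies
REVIEW_FLOOR = 50_000         # assumed: any amount at or above this is reviewed regardless
SIGMA_FACTOR = 3.0            # assumed: flag amounts more than 3 standard deviations above the mean


@dataclass
class OnlineAccount:
    number: str
    last_login: Optional[date]          # None if the online account was never used
    status: str = "active"              # "active" | "frozen"
    history: List[int] = field(default_factory=list)   # past transaction amounts


def is_dormant(account: OnlineAccount, today: date) -> bool:
    """Dormant when the online account has not been used for more than DORMANCY_DAYS."""
    if account.last_login is None:
        return True
    return (today - account.last_login) > timedelta(days=DORMANCY_DAYS)


def sweep_dormant(accounts: List[OnlineAccount], today: date) -> List[str]:
    """Freeze every dormant active account; return the numbers that were frozen."""
    frozen = []
    for acct in accounts:
        if acct.status == "active" and is_dormant(acct, today):
            acct.status = "frozen"
            frozen.append(acct.number)
    return frozen


def reactivate(account: OnlineAccount, authentication_ok: bool, today: date) -> bool:
    """Reactivation only succeeds after the user has re-authenticated online."""
    if account.status != "frozen" or not authentication_ok:
        return False
    account.status = "active"
    account.last_login = today
    return True


def is_irregular_amount(history: List[int], amount: int) -> Tuple[bool, str]:
    """Flag a transaction whose amount is out of line with the account's own history."""
    if amount >= REVIEW_FLOOR:
        return True, "at or above absolute review floor"
    if len(history) < MIN_HISTORY:
        return False, "insufficient history; floor check only"
    mu, sigma = mean(history), pstdev(history)
    limit = mu + SIGMA_FACTOR * sigma
    if amount > limit:
        return True, f"amount {amount} exceeds mean+{SIGMA_FACTOR:g}*sd = {limit:.0f}"
    return False, "within usual range"


def screen_transaction(account: OnlineAccount, amount: int, today: date) -> Tuple[str, str]:
    """Combined decision for the online channel: frozen or dormant accounts and
    irregular amounts are held for review, everything else proceeds."""
    if account.status == "frozen":
        return "hold", "account frozen as dormant; reactivate first"
    if is_dormant(account, today):
        return "hold", "account dormant; freeze pending"
    irregular, why = is_irregular_amount(account.history, amount)
    return ("review", why) if irregular else ("proceed", why)


if __name__ == "__main__":
    today = date(2007, 9, 1)
    # Constructed sample: one regular user, one who has not logged in since January.
    regular = OnlineAccount("A1", date(2007, 8, 25), history=[1200, 900, 1500, 1100, 1300, 1000])
    sleeper = OnlineAccount("A2", date(2007, 1, 15), history=[700, 800])
    print(sweep_dormant([regular, sleeper], today))           # ['A2']
    print(screen_transaction(regular, 1600, today))           # proceed: within usual range
    print(screen_transaction(regular, 25_000, today))         # review: statistical outlier
    print(screen_transaction(sleeper, 500, today))            # hold: account frozen
    print(reactivate(sleeper, authentication_ok=True, today=today), sleeper.status)
```

The per-account statistics matter more than a single global threshold: 25,000 is unremarkable for a corporate account but three standard deviations above this customer's own history, which is exactly the "irregular large amount" the recommendation is after.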
What are the security challenges in online banking?
Online banking has become a trend; as we can see in Exhibit 2, millions of people are using the internet today. Usually, when you open a bank account, it will come with an online account. Online banking has two components: net banking and mobile banking.
Therefore, we can analyze some major problems in these two components first:
Challenges faced in net banking:
Most computers have the function of "remember your password and username" now. Banks should eliminate this function when designing the online banking websites.
Challenges faced in mobile banking:
Smartphones have security flaws themselves; clicking on a simple link can bring malware onto the smartphone. In 2014, a security expert named Winston Bond demonstrated how easy it was to reverse engineer mobile apps: decompiling them back into source code, altering the behavior of the app, and re-uploading it back onto the app distribution servers (Makeuseof.com). There are nine most common online frauds that banks should be aware of: spam, scam, malware, phishing, pharming, man-in-the-middle, man-in-the-browser, replay attack and crimeware (Exhibit 7). HDFC Bank suffered from a phishing attack in 2007.
The overall challenges for online banking (net banking and mobile banking):
1. Adaptation: in light of how rapidly technology is changing today, adapting different versions of online banking is the first thing that every bank should think of. The password system, management of databases, applications, etc. need to be updated to the newest technology in order to mitigate the risks.
2. Legalization: new methods of conducting transactions, new instruments and new service providers need to require permission from regulatory departments. For example, it will be essential to define an electronic signature and give it the same legal status as the handwritten signature (imf.org).
3. Harmonization: since most banks have branches in different countries, they may face different regulations among countries. The international harmonization of online banking is also a challenge for banks. They need to adjust their systems and applications based on a country's law and culture.
4. Integration: Salvi mentioned in the case that for HDFC Bank, an IS framework, in light of the changing ecosystem, has three dimensions: technology integration, business integration and risk integration. This is the process of including information technology issues and their accompanying operational risks in bank supervisors' safety and evaluation.
Links:
https://cb.hbsp.harvard.edu/cbmp/content/55230080
http://www.imf.org/external/pubs/ft/fandd/2002/09/nsouli.htm
-
Question 1: What are the security challenges in online banking?
Online banking is popular because it's accessible, quick, and convenient. With the biggest network ever created (the Internet), online banking became a "must have" for banks. Even banks in developing countries are implementing online banking. It eliminates long lines in the bank and makes it easy for customers to monitor their transactions. It is so convenient that some banks operate only online. Unfortunately, security is a big issue. This easy access to your bank account makes online banking a target for hackers.
In fact, just as it is easy for customers to access their accounts in a few clicks, it is also easy for a hacker to find a way to penetrate the system. Online banking presents several security challenges like phishing scams, identity theft and credit card fraud, which also shows that hackers are not only looking for your money but also your personal information. Online banking is a double-edged sword.
In our specific case, Mr. Salvi, the Chief Information Security Officer (CISO) of HDFC Bank, is facing many challenges with managing online banking in the bank. After a phishing attack in 2007, HDFC took corrective measures and contracted an IS security solution provider to set up a 24/7 command centre. Mr. Salvi must find a balance between customer convenience and security. The more barriers you put between customers and their account, the more you irritate them.
Authentication is one of the biggest security challenges in online banking. The bank system must be sure that the person logging in is the right person. One of the solutions to counter this challenge is to implement two-factor authentication. It requires a second code when logging into your account. Mr. Salvi is planning to implement that solution at HDFC Bank but faces another dilemma: whether to provide secure access to every online user or limit it to active users.
Another security challenge in online banking is how to protect the IS infrastructure. In the HDFC Bank case, Mr. Salvi is hesitating between having his servers at the bank's data centres or hosted by an IS vendor. Both represent a risk and are vulnerable to hacker attacks. The servers (authentication servers and online servers) are crucial for the bank's online operation. The challenge here is not where to store the servers but how to protect them from intruders. Online banking security challenges also map onto the CIA triad. There is a confidentiality risk to the extent that personal information is being used. Confidentiality can be seen as privacy, and in online banking you don't want your sensitive information to be shared with anyone. Once a non-authorized person has access to your information, it affects the integrity of the information. This is why authentication is really important in online banking. The bank must prevent people other than you from accessing your account. The bank also needs to secure and protect its infrastructure in order to avoid disruption of the service. Customers want to be able to access their accounts 24/7, and it is the bank's job to make sure customers access their accounts in a secure way.
In my humble opinion, customers are also a security challenge for online banking. People are the weakest link in IS and represent a danger to themselves. Most of the time, it is through people that hackers intrude into systems. It is important that customers understand the dangers of the Internet and protect their information before any additional protection from banks. The root of the problem is that people (customers) want convenience and don't think about the consequences. Some people write down their passwords or use the same password for different accounts. Others save their passwords on their computers… I think banks should educate and provide weekly security tips (precautionary measures) to their customers.
The bank should also develop a strong IT system which will reduce the risk of security breaches. Another way to counter cyber-criminality in online banking is to work together. Banks should create an organization where they will share their bad experiences and design solutions together.
Sources: Case study
http://classroom.synonym.com/security-issues-relating-internet-banking-15984.html
-
What are the security challenges in online banking?
Online banking offers benefits to both banks and their customers. Banks can offer more services with greater availability and fewer resources. Customers gain added convenience and availability of their money. Many transactions that used to require visiting a local bank branch to complete can now be done online or on a phone. Banks benefit by offering the same service without requiring a physical branch, and customers can complete the transaction anywhere and anytime. As the article noted, banks were uniquely suited to build mobile banking applications and convince customers to use them because of a strong public perception of risk management and security. The Internet, however, is an inherently insecure entity, and presents numerous risks to banks as more banking applications migrate to the Internet.
Banks face the same problem as many other industries with cyber security: the delicate balance between security and convenience/accessibility for customers. Too much security can often lower convenience for customers, making the process more cumbersome. Too little security with a convenient platform may create a better experience, but will likely expose customers to more cyber threats. Customers will not use a mobile banking platform that is not secure.
The article lists five areas for online banking security that must be addressed: authentication, authorization, privacy, integrity, and non-repudiation. Authentication ensures that the user accessing the bank account is the correct user. Before any transaction can proceed, the correct user identity must be established. Authorization then validates whether that user has permission to complete the requested transaction. A customer should only be allowed to make transactions specific to his/her account, and these should meet regulatory/compliance guidelines. Users also expect the bank to protect their privacy and not allow a third party to access financial transaction data without permission. Purchases, transfers, and other transactions are not public knowledge, and people will not use a bank that does not protect customers' privacy. Integrity refers to the inability to alter data related to the transaction. Both parties must trust that the data is accurate, or customers and the bank may lose confidence in the system. Last, non-repudiation prevents either party from denying consent or communication regarding a transaction. A customer cannot sign a document with a digital signature and then later contend that they did not. Nor can the bank authorize a transaction and then deny it at a later date.
-
Said, thanks for the post. You've summarized the challenges of online banking very well. I agree with you that people are the weakest link in any information security program. Aside from the people using a bank's online resources, you have the people internal to the bank who may be subject to, intentional or unintentional, fraudulent activities. Another major concern regarding people in this mobile banking environment is the sheer number of mobile applications that people install on their devices. Apps tend to share more and more information with each other, causing concerns about what information is actually being shared about you. Say for example you downloaded an app, and without your knowledge or consent, the app collects information on the apps you have installed on your phone. The information collected includes online applications for banks such as Bank of America or Citibank, and is sent to a hacker. Now the hacker has personal information about you, from signing on with Facebook, and knows what banks you use. They can use this to target you with phishing scams to get you to reveal your account information for Bank of America or Citibank.
-
Alex,
I respect your opinion in that regard. However, I do believe banks have different issues that are more situational and not universal. What one bank lacks, another might not. Generally speaking, the IT industry is very new and constantly evolving, so the security challenges do apply but, as mentioned above, they might need to be handled differently because they must align with the business's objectives, location and size. Nowadays, banks are facing plenty of challenges such as not making enough revenue, consumer expectations, competition from financial technology companies, and regulatory pressure. Though these issues may be prevalent across the board, they need to be handled in a manner that positively impacts their business.
-
Thanks Priya. Great additions. I completely agree with your context in regards to the approach. One must take into account the other factors when implementing strategies. As for the expertise aspect, you hit the nail on the head with that one. The CISO should have acknowledged his lack of experience within the online banking realm and should have sought out guidance. It is never wrong to need help and ultimately, if he had done so, they probably wouldn't have been a victim of phishing scams.
-
Well summarized Said!
Towards the end you suggested that "banks should educate and provide weekly security tips (precautionary measures) to their customers", which is a great control in the disclaimer aspect. Personally, I would love it if my banks did that or even had yearly password updates. As for the banks coming together to share knowledge, in theory that sounds amazing. However, at the end of the day banks would rather not disclose their information, especially to their competitors. It's sad how the business world works in that regard but, it must be done to stay prevalent.
-
Question: What are the security challenges in online banking?
As a top-15 ranked bank in India, HDFC had $15.64 billion in deposits in 2007. In the same year, 1.28 million customers, which is 28% of HDFC Bank's retail customers, claimed that they were the target of a phishing attack; many of them hold online banking accounts with HDFC Bank. In this case, the bank's online banking system and its information assets are challenged.
Generally, the security challenges in online banking exist both for the customers and for the bank's online banking system itself. From the customers' perspective, the first challenge is protecting personal identity information (PII) like the account number and online passwords. Besides, ensuring the physical protection of debit and credit cards is also important for online banking users. On the other hand, the online banking system also faces security challenges from internet attacks like unethical hacking.
In order to avoid identity theft, online banking users should carefully keep their personal identity information like the account and passwords of the online banking system. Especially for those operating on PCs, before inputting sensitive personal information, ensure the antivirus software is protecting the system. Attackers may monitor the system data flow through malware and copy the passwords. According to the article, many online banking users at HDFC Bank suffered a phishing attack. The process and concept of the phishing attack is not complicated: the phisher designs a campaign and sends it to a huge number of bank account holders via different approaches like spam email or spam messages with a link. If the user clicks on the link, the PC or mobile device will be attacked by a Trojan. After that, if the customer inputs sensitive information like the online banking account and passwords, the Trojan will record the information and send it to the phisher. With the bank account information, the phisher can log in to the online banking system using the customer's personal identity information. Therefore, if online banking users at HDFC Bank lose their PII to phishing attacks, attackers may be able to access the system and transfer the money in the victims' online bank accounts. This will damage HDFC's reputation and cause a huge negative influence on its online banking service, because HDFC's online banking system failed in protecting customers' assets.
To mitigate the risk of attackers logging in to the online banking system through a victim's online banking account, the effectiveness of secure access and the server location are very important. In most cases, an attacker will log in to the online banking system from a different location. For example, if the user usually logs in to the system from New York City but is suddenly logged in from the UK on the same day, the system should double-check the identity information by sending a confirmation email or text.
Source:
http://yourbusiness.azcentral.com/security-issues-relating-internet-banking-21683.html
-
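The location check in the post above (a login from the UK on the same day as one from New York City should trigger a confirmation email or text) can be made concrete by comparing each new login against the user's recent ones. The Python sketch below is an added example, not HDFC Bank's or any poster's code; the maximum plausible travel speed, the one-day lookback, the "first login from a new country" rule and the sample login events are all assumptions.

```python
"""Added example: flagging an online-banking login whose location is
inconsistent with the user's previous logins, so the bank can ask for a
confirmation code before opening the session.  Constructed sketch, not
HDFC Bank's code; the speed limit, lookback window, new-country rule and
sample events are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0     # assumed: roughly airliner speed; faster "travel" is impossible
LOOKBACK = timedelta(days=1)  # assumed: only compare against logins within the last day


@dataclass(frozen=True)
class LoginEvent:
    when: datetime      # UTC
    lat: float
    lon: float
    country: str        # country code as reported by IP geolocation, e.g. "US"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: LoginEvent, new: LoginEvent) -> float:
    """Speed the user would have needed to travel from prev to new."""
    hours = (new.when - prev.when).total_seconds() / 3600.0
    distance = haversine_km(prev.lat, prev.lon, new.lat, new.lon)
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def assess_login(history: List[LoginEvent], new: LoginEvent) -> Tuple[str, str]:
    """Return ("allow" | "confirm", reason).  "confirm" means: send the e-mail/SMS
    code and do not open the session until it is entered correctly."""
    if not history:
        return "allow", "no previous logins to compare against"
    # 1. Impossible travel: any recent login the user could not physically have made.
    recent = [e for e in history if timedelta(0) <= new.when - e.when <= LOOKBACK]
    for prev in recent:
        speed = implied_speed_kmh(prev, new)
        if speed > MAX_PLAUSIBLE_KMH:
            return "confirm", f"impossible travel: {speed:.0f} km/h since login at {prev.when:%Y-%m-%d %H:%M}"
    # 2. A country this user has never logged in from before.
    known_countries = {e.country for e in history}
    if new.country not in known_countries:
        return "confirm", f"first login from country {new.country}"
    return "allow", "consistent with previous logins"


if __name__ == "__main__":
    # Constructed sample events: a New York user, then candidate logins the same day.
    nyc = LoginEvent(datetime(2007, 3, 1, 9, 0), 40.7128, -74.0060, "US")
    boston_6h = LoginEvent(datetime(2007, 3, 1, 15, 0), 42.3601, -71.0589, "US")
    london_2h = LoginEvent(datetime(2007, 3, 1, 11, 0), 51.5074, -0.1278, "GB")
    london_24h = LoginEvent(datetime(2007, 3, 2, 9, 0), 51.5074, -0.1278, "GB")
    print(assess_login([nyc], boston_6h))    # allow: ~300 km in 6 hours, same country
    print(assess_login([nyc], london_2h))    # confirm: ~5,570 km in 2 hours is impossible
    print(assess_login([nyc], london_24h))   # confirm: plausible travel, but a new country
```

Two separate signals are checked on purpose. Impossible travel catches a stolen credential used while the real user is still at home; the new-country rule catches the slower case the post describes, where the timing alone is plausible but the location is unlike anything the user has done before. Either outcome only adds a confirmation step, so a legitimate traveller is inconvenienced rather than locked out.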
Security challenges in online banking are:
• to have a trustworthy IT system that is not cumbersome for a customer to use: banking systems need to be able to strike a balance between being safe and convenient
• to have the system robust enough to handle the different types of cyber attacks such as phishing, malware, pharming
• to have a system that ensures privacy in transactions such that the transaction data between two people is only available to the concerned two parties and no-one else
• to employ different validation and authentication checks for different types of transactions
• to ensure that dormant accounts are protected as well, as they are susceptible to being hacked without getting noticed or reported
• to employ, in the event of an attack, a mechanism whereby the attack is detected quickly and subsequent action is taken to stop further damage
-
Mengxue,
I like how you mentioned "Harmonization". This reminds me of companies located in different states that have different taxing procedures for goods / services.
Here is an example:
Everyone has a cell phone and the taxes associated with the phone & service are based on individual State regulations. One person in PA will have to pay taxes on a new phone, but a person in DE won’t.
The rules and regulations surrounding communications vary from a Federal standpoint to a State standpoint.
-