2005 Self-assessment of the Reserve Bank Information and Transfer System Core Principle VII

The system should have a high degree of security and operational reliability and should have contingency arrangements for timely completion of daily processing.

7.1 Assessment of Compliance

While this principle requires considerable subjective assessment, the Reserve Bank's assessment is that RITS complies. Developments post release of the Core Principles have led to reassessment both domestically and internationally of the robustness of critical infrastructure. Emerging best practice for disaster recovery is to have an ‘out of region’ site to which staff can be relocated and operations resumed. Taking into account the location of financial system infrastructure and concentration of Reserve Bank operations, the Reserve Bank has decided to establish a backup site at the limits of the greater Sydney metropolitan region. RITS has full redundancy of components at the primary site and backup is currently provided at a backup site over 10 kilometres from the Sydney central business district (CBD), where there is also redundancy of components. Contingency arrangements are tested regularly.

7.2 Security

RITS is monitored using a variety of automated tools, graphs and manual checks at least every 15 minutes. Security policies are regularly reviewed. The system currently provides a high level of integrity, authentication, non-repudiation, availability and auditability.

Internal audit reviews are conducted regularly. External security reviews of both internal systems and network occur annually. The Security Section within the Reserve Bank's information technology (IT) department regularly reviews security risks.

RITS members are responsible for the security of their own environment, including their users' access to RITS and any internal proprietary systems used to create and receive RITS transactions. Rather than apply prescriptive standards to RITS members, who in the main are major financial organisations, the Reserve Bank has to date relied on the internal standards applied by those financial institutions to be consistent with their corporate policy. However, as part of a project to update the RITS user interface[1], the Reserve Bank is introducing digital certificates to strengthen authentication, integrity and protection from non-repudiation. The legal framework for this under the RITS Regulations will reference a RITS Security Policy to be complied with by members. The Reserve Bank also produces a daily Security Audit Report that records failed login attempts, security modifications and security audit administration.

A range of security measures are in place to limit operational risk. These include dual controls, authorisations, independent daily checking of audit trails, and separation of responsibilities and duties (between business, operations and settlements).

Currently traffic across the online network (Austraclear National Network Infrastructure)[2] is not encrypted. It should be noted this is a closed network with low visibility and a correspondingly lower threat. The project noted above, to update the RITS user interface, Will provide ‘end-to-end encryption’ of online traffic using SSL[3].

All SWIFT messages are secured using standard SWIFT security.

7.3 Operational Reliability

The table below shows operational availability over the past three years. Availability is measured relative to total hours available when the system is open for settlement and reporting. The Reserve Bank's goal is 99.9 per cent availability. The table is split between components under the Reserve Bank's control (application software and hardware) and external network components (comprising the Austraclear and SWIFT networks) that are outside the Reserve Bank's control.

RITS System Availability
Per cent
Year RBA Controlled Components External Networks
2002 99.978 99.765
2003 99.916 99.862
2004 99.937 99.876

The Reserve Bank conducts a full series of rigorous tests, including acceptance, compatibility, regression, contingency, capacity and performance testing prior to making any significant change (hardware, communication network or software) or software upgrade to the production system. A narrower scoped set of tests are conducted prior to other changes. Weekend implementation tests occur for the majority of changes. Capacity and performance tests ensure that the system can process a peak day's transactions in less than two hours.

The Reserve Bank operates the RITS Help Desk to assist participants with any issues concerning their use of RITS and connection to it. Participants are required to notify the Help Desk of any technical problem affecting their RITS transaction activity. The Help Desk also monitors system activity and performance and logs incidents as they occur. All incidents are advised to senior management of the department (Payments Settlements Department) that operates RITS. Following any serious event, incident reports are generated and distributed, including to the Audit Department, Risk Management Unit and the Assistant Governor, Business Services Group in addition to the senior management of Payments Settlements Department.

The RITS Help Desk monitors system and business activity and performance throughout the processing day with the aid of tabular data, graphical presentations and online enquiries. This provides both high-level and detailed individual member information which enables the RITS Help Desk to identify potential problems affecting a member or the system as they occur.

The IT department of the Reserve Bank has automated alarms in place to alert the computer operators in the event of a component or other technical failure. Alerts may be visual, audible, or sent by SMS and email. SMS and email alerts are also sent to other sections of the IT department as relevant. Email alerts are generally sent to internal group email addresses (by section) to allow for easy update when there are staff movements.

The RITS Help Desk also maintains information on the reliability of members' systems by recording incidents they become aware of in a System Incidents database. This information provides an input into a regular report distributed to Payments Settlements Department management.

Events impacting the ability of participants to provide uninterrupted transaction flows are recorded in the above database. Information recorded in the database includes source of problem, description of problem, solution to problem, downtime, impact on RITS sessions, and links to associated documents including, where appropriate, incident reports.

7.4 Business Resumption

A high-level Business Continuity Plan focuses on situation management, communication and information dissemination. There are detailed Contingency Event Plans and comprehensive failover procedures. Business continuity tests are conducted at least four times each year using production systems on a weekend. Contingency drills exist whereby a contingency event is simulated at desk to test that all staff are aware of the communication arrangements and procedures. Contingency tests, which test systems rather than staff responses to a scenario, are conducted prior to any system upgrade. Regular visits to alternate sites are made by relevant staff.

There is no single point of failure within the primary site, with dual components in place for all key systems. In addition to this ‘redundant’ capability at the primary site, there is a geographically remote backup site with real-time disc mirroring of production data and the same processing capacity as the primary and redundant systems at the primary site. Only a very limited number of staff can be accommodated at the backup site.[4] It is extremely unlikely that a contingency event would render both the primary site and backup site inoperable. However, in that event, procedures provide initially for waiting until restoration. In extremis, and RTGS processing was abandoned for the day, participants may bilaterally agree to exchange payments using low-value clearing streams, or other exchange mechanism, and interbank settlement would take place on a deferred net basis the following business day. There is no central alternative payment system for customer payments.

In the event of a component failure at the primary site, recovery should be within 15 minutes. In the event of a failure at the primary site which cannot be recovered at that site, the benchmark time for full recovery at the backup site is within 40 minutes of the decision being taken to relocate processing (this does not include relocation of staff as the backup systems can be operated from the primary site). In an extreme circumstance where it is necessary to relocate staff to the backup site to operate the backup systems, full recovery should take no more than 60 minutes.

The Reserve Bank's current business recovery site, providing alternative workplace accommodation for critical staff including those operating RITS (except for a very limited number who can be accommodated at the backup site), is located close to the Sydney CBD and provides robust protection against the unavailability of the Reserve Bank's head office building. As its separation from the CBD is no longer considered adequate, a project is underway to implement a combined technical (that is systems) and business backup site for the Reserve Bank (including RITS) at a single site remote from the Sydney CBD. This will provide the ability to have RITS staff (operations, business and technical) permanently located at a site remote from head office.

Detailed plans have been developed for the activation and operation of each site to support full recovery. All procedures are fully documented. Hard copies are kept at the backup site. They also reside in an Electronic Document Management System which is automatically replicated to the Reserve Bank's backup site. Key staff hold a copy of the relevant documentation in the form of a USB storage device.

The Reserve Bank expects members of RITS to have robust backup arrangements commensurate with their business operations and importance to the system as a whole. APCA rules impose failover requirements on members of the HVCS.

As part of its routine monitoring, the Reserve Bank contacts any member where a potential operational problem is identified. There is intensive follow-up where there is the potential for the efficient operations of the system to be compromised. Following major system upgrades, all members are required to prove access to systems at both sites.

Footnotes

This is due for completion in 2006. [1]

Infrastructure owned by Austraclear. [2]

Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL and many Web sites use the protocol to safely transmit confidential information, such as credit card numbers. [3]

The second site for RITS is located within the greater Sydney metropolitan region, but remote from the primary site and with different power, water and telecommunications sources. [4]