Frequently Asked Questions
Do you conduct Business Impact Analysis?
SIX has worked out Business Impact Analyses (BIA) on a divisional level. Downtime and criticality of relevant processes are determined for each and every business service and interdependencies have been identified. Along with the BIA a continuity requirements analysis (CRA) is carried out. To allow cross-divisional comparison, the BIA process follows a common methodology. BIAs are maintained by the divisional BC managers and are updated on annual basis.
How do you determine what is required by the business to continue operations? Please describe your BIA methodology.
This Business Impact Analysis (BIA) helps SIX identify the business processes and applications that are essential to the survival of the business. The Business Impact Analysis identifies the amount of acceptable data loss (recovery point objective) as well as the speed at which systems must be restored (recovery time objective). Business impacts are identified based on a worst-case scenario assuming that the infrastructure supporting each department has been destroyed and all records, equipment, etc. are not immediately accessible. This Business Impact Analysis does not address recovery as these issues are addressed in the Business Continuity Plan and supporting documents. This Business Impact Analysis (BIA) identifies mission critical business functions and associated critical resources. Determining critical business functions and the impact on the organization is the first step in business continuity.
Please describe your Disaster Recovery strategy.
SIX operates a redundant number of production data centers to guarantee high availability of services in the case of disaster or crisis. These data centers are dedicated to cross-divisional data processing. Availability of data processing systems in space is aligned with availability in time. For each process found to be business-critical in the BIA the desired Recovery Time Objective (RTO) is defined. Accordingly, all data necessary for recovery operations have to be suitably backed up and stored regarding their Recovery Point Objective (RPO). This is the basis of strategic readiness and of operational flexibility. SIX has a set of concepts in place to cope with potential situations of loss of staff (e.g. remote working) and/or loss of premises (e.g. relocate operations). This involves over 3500 employees of 52 nationalities across 40 locations in 24 countries. Also, the potential loss of suppliers has been addressed by selecting different utility providers or by maintaining standby systems (e.g. electricity supply). SIX has assigned priorities to the different businesses for the event of a disaster to be able to recover its operations in an ordered fashion in the case of a disaster. To be able to react quickly and consistently in the case of a disaster, recovery plans are formulated. Again, these are specified per process. SIX has worked out business recovery plans on a divisional level to appreciate the different business demands and to satisfy the varying market expectations and customer needs. Planning and documentation of the recovery response are of utmost important in creating a resilient organization and is in line with the specifications of service level agreements. Incident Management is the first line of defense handling small scale incidents. Incidents may then be escalated to the corresponding divisional Emergency Management Team in charge. Large scale incidents are then being escalated to the topmost body, the Crisis Management Team of SIX. Alternatively, depending on the nature of the incident and depending on the impact expected or the time line anticipated, the Crisis Management Team of SIX is activated immediately after an incident has been detected/identified.
Please describe the testing/exercising component of your company’s BC/DR Program including the frequency and types of tests/exercises performed.
Successful implementation of business recovery plans includes testing them and training the people behind. SIX considers testing, training and exercising an essential part of the recovery response. Tests of different complexity such as desktop checks, walk-through, unit tests, end-to-end tests, etc. are carried out, mostly on an annual basis. In a maximum setup around 80 specialists from all divisions are training and rehearsing together up to 48 hours to proof effectiveness of IT disaster recovery plans.
Does your company have a formal Business Continuity training and awareness program?
SIX addresses the topic of BCM in a targeted and tailored fashion to the different audiences within the group (staff, management) and beyond (stakeholders). Resilience and emergency preparedness are general security topics embedded into the group-wide integrated security activities.
Where are your data centers located?
SIX co-locates within two geographically-diverse CenturyLink data centers (CH4 in Chicago, IL and NJ2 in Weehawken, NJ) for the collection, processing, and distribution of global financial information to its clients, who maintain connectivity to both data centers at all times.
Has your company established a communication plan for notifying its employees of an event?
SIX uses “EverBridge” for quick two-way SMS, email, and phone dispatching of alerts or emergency notifications. EverBridge works by broadcasting a message to all communication devices: mobile phones (via SMS text messages), landline phones (via voice messages), email accounts, text pagers, wireless PDAs, RSS readers, Web site pages, and more.
Does your company have a formal information security department?
Yes. Reporting to the Chief Security Officer (CSO), there are 23 FTEs in Corporate Security. In addition, there are 14 local security officers, many with deputies.
Does your company use an industry standard as a basis for your security program (e.g., ISO 27001/27002, ITIL, Cobit)?
Wherever possible and viable, we adhere to the ISO 27001, ISO 27002, COBIT, and ITIL standards.
How can we obtain a copy of your Business Continuity Plan?
Details regarding Business Continuity have to be contractually agreed beforehand and need to be covered in the respective customer Service Level Agreement (SLA). Without such an SLA, SIX is not allowed to disclose further details regarding BC plans, BC procedures and BC reports. Disclosure of SIX classified documents is subject to clearance by SIX Legal & Compliance.
Who can I contact at SIX with business continuity questions?
The Business Continuity Manager for SIX USA is Amy Ross. Please use the Contact Us form.