Payroll Disaster Recovery Plan Of An E-Commerce Organization
The purpose of this paper is to research the disaster recovery plan of the payroll department of an E-commerce Organization, including its strategies and recovery phases. This paper is intended to give some quick facts and interesting information to a wide audience.
To protect a business from any disaster, recovery planners must identify all threats, vulnerabilities, critical business processes and components of a business. This is typically called risk assessment or risk management. Risk is how likely it is that a given threat could actually occur, together with the impact that adverse event would have on the organization. Risk management is closely related to disaster recovery because they both deal with the prevention of risk. Disaster recovery is the process of regaining access to the data, hardware and software necessary to resume critical business operations after a natural or human-caused disaster. A Disaster Recovery Plan (DRP) should also include plans for coping with the unexpected. This paper aims to investigate the most common challenges associated with having an effective DRP and the opportunities associated with this plan.
Introduction
We are a Payroll team working for E-commerce Organization, a fictitious E-commerce organization headquartered in San Jose, California. E-commerce Organization has over 200 employees throughout the organization and generates $100 million USD in annual revenue. The company has two additional locations in Portland, Oregon and Seattle, Washington, which support a mix of corporate operations. Each corporate facility is located near a co-location data center, where production systems are located and managed by third-party data center hosting vendors. Our three main products are Treasury Optimizer, NetPay, and NetConnect.
Treasury Optimizer is the primary source of revenue for the company. It is a fund transfer service for direct deposit. The service handles secure electronic order messages that originate from its customers, such as large production companies, and are then routed to manufacturing. NetPay is a Web portal used by many of the company’s Treasury Optimizer customers to support the management of secure payments and billing. The NetPay Web portal, hosted at E-commerce production sites, accepts various forms of payment and interacts with credit-card processing organizations much like a Web commerce shopping cart.
NetConnect is an online directory that lists products, locations, and other production facilities to allow E-commerce customers to find what they require at the right locations. It contains certifications and the types of services that the manufacturers offer. This disaster plan will be solely for the use of E-commerce Organization, including but not limited to all operational departments, the organization’s network/remote access, all personnel employed by or under the control of E-commerce Organization, and any facility and land under the control of E-commerce Organization. Any other organizations not mentioned above will be denied access due to the high security risk they may present by possibly allowing unauthorized personnel to access the E-commerce systems, information, files, and/or data.
Payroll Overview
The payroll process typically includes calculating employee pay, recording payroll transactions, and determining and paying payroll taxes. A company must have in place a timekeeping system that accurately reflects the hours put in by nonexempt employees as well as the regular salary payments for exempt workers.
In-House
Some smaller businesses conduct their payroll using a manual system. With a computerized system, the employer can use payroll software to process its payroll on-site. Some larger companies can afford the computer systems and staff to process payroll on their own. Because they spread their costs over a large workforce, they experience lower per-check expenses than smaller firms.
Outsourced
Outsourcing takes place when a business hires a third-party payroll service provider to process its payroll. Such firms typically can handle all aspects of the payroll cycle as well as other reporting services. With an external system, the employer sends payroll data to a service provider to process payments for the upcoming payday. This data includes hours worked as well as benefits, taxes and withholding information.
Hybrid
Some businesses utilize a hybrid method that takes advantage of elements from both in-house and outsourced payroll systems. This allows employers to split the payroll functions between themselves and the vendor, keeping outsourcing costs lower and allowing for more internal control over payroll data.
Disaster Recovery Plan
A disaster recovery plan, or scheme, helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses. Several common models are used in designing backup plans, and each has its own pros and cons. The frequency at which you back up should be based on the amount of data that you are willing to lose. If you do backups only weekly, then you could lose up to a week's worth of data. Similarly, if you do them every day, the most data you would lose is 24 hours’ worth. Regardless of the frequency at which you back up, three methods exist to back up information on most systems. Almost every backup plan includes two KPIs, RPO (recovery point objective) and RTO (recovery time objective). They seem similar but have major differences: RPO is set for routine backups, and RTO is set for recovery once a disaster occurs. During a full backup, every single file on the system is copied over, and the archive bit on each file is turned off. The archive bit is essentially a flag associated with every file that is turned on when the file is created or accessed. The two other backup methods apart from the full backup are incremental and differential backups. When these backup methods are used in conjunction with each other, the risk of loss can be greatly reduced, but you can never combine incremental and differential backups in the same set. One of the major factors in determining which combination of these three methods to use is time: in an ideal situation, a full backup would be performed every day.
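The following Python sketch is an added illustration, not part of the original paper. It models the archive bit to show which files each backup method copies and which backup sets a restore needs; the file names and the Sunday-to-Wednesday schedule are constructed sample data, and `Volume`, `restore_chain` and `simulate_week` are hypothetical names.

```python
# Added illustration: archive-bit model of full, incremental and differential backups.
# File names and the weekly schedule are constructed sample data.

class Volume:
    def __init__(self, names):
        self.archive_bit = {name: True for name in names}  # new files start flagged

    def write(self, name):
        self.archive_bit[name] = True  # creating or changing a file sets the flag

    def backup(self, kind):
        """Return the files this backup copies and update the archive bits."""
        if kind == "full":
            copied = sorted(self.archive_bit)
        else:  # incremental and differential copy only flagged files
            copied = sorted(n for n, bit in self.archive_bit.items() if bit)
        if kind in ("full", "incremental"):  # differential leaves the flag set
            for name in copied:
                self.archive_bit[name] = False
        return copied


def restore_chain(history):
    """history: ordered (label, kind) pairs. Return labels needed for a restore."""
    kinds = [kind for _, kind in history]
    if "full" not in kinds:
        raise ValueError("no full backup to restore from")
    start = len(kinds) - 1 - kinds[::-1].index("full")  # most recent full backup
    tail = history[start + 1:]
    tail_kinds = {kind for _, kind in tail}
    if len(tail_kinds) > 1:
        raise ValueError("incremental and differential mixed in one set")
    chain = [history[start][0]]
    if tail_kinds == {"differential"}:
        chain.append(tail[-1][0])  # full + latest differential only
    else:
        chain.extend(label for label, _ in tail)  # full + every incremental
    return chain


def simulate_week(daily_kind):
    vol = Volume(["employees.db", "timesheets.csv", "tax_tables.csv", "bank_details.enc"])
    changes = {"Mon": ["timesheets.csv"], "Tue": ["employees.db"], "Wed": ["timesheets.csv"]}
    history, copied = [("Sun", "full")], {"Sun": vol.backup("full")}
    for day, files in changes.items():
        for name in files:
            vol.write(name)
        copied[day] = vol.backup(daily_kind)
        history.append((day, daily_kind))
    return copied, restore_chain(history)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        copied, chain = simulate_week(kind)
        print(kind, copied, "restore needs:", chain)
```

Incremental backups stay small each day but lengthen the restore chain, which affects RTO; differential backups grow daily but need only two sets to restore.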
Scope and Objectives
The primary objective of Disaster Recovery Planning in an organization is to be able to sustain any disastrous event and continue the daily business operations. The first thing to do when such an incident happens is to “declare it with an assurance of fixing it”. This might sound simple, but it’s staggering how reluctant management teams are to follow the process and pull the trigger on declaring a disaster. Once the incident has been declared, the DR team assesses its impact and then activates the disaster recovery process.
The main objectives of the DR (Disaster Recovery) Plan are:
- To try to continue the vital business operations.
- To prepare the people in senior management to respond immediately and effectively.
- To minimize any immediate damages.
- To make sure the people at the disaster location are safe and sound.
- To limit/minimize the magnitude of the disaster incident on the organization as a whole.
- To reduce the time of serious damages and hindrance in business operations.
- To minimize the financial impact of the interruption.
- To train employees regarding emergency procedures and make them aware of the disaster.
Recovery Strategy
As a payroll department, we need to define recovery phases to resolve an incident; the response determines the severity level of the incident and handles it accordingly. Recovery activities will be conducted in a phased approach. The emphasis will be on recovering from critical incidents effectively and efficiently. Critical applications will be recovered within the period of time assigned to the severity level of the incident.
Phase I – High
Move operations to the Disaster Recovery Backup Data Centers and the Emergency Operations Center. This activity will begin with activation of the Disaster Recovery Plan. There is a period of up to 24 hours allowed for organization and the turnover of the disaster recovery backup site.
Phase II – Moderate
Recover the critical incident by restoring the critical applications and critical network connectivity. The goal here is to recover the systems and network so that our team can continue business.
Phase III – Low
Return data processing activities to the primary facilities or another computer facility, and create an incident response document to resolve the known application issues. The Plan provides recovery procedures to be used at the present data center site after repairs have been made, or at the Disaster Recovery Backup Site and the Emergency Operations Center. It also provides recovery procedures for the restoration of vulnerable incidents using either data recovered from the damaged data center or the backup data stored off-site.
Scenarios and Recovery Procedures
Though the probability of serious damage is low, the ramifications could be disastrous if it happens. It would affect both the organization’s public reputation and its operations. The DR plan will also include the roles, responsibilities, procedures and any checklists that we will use to control the disaster occurrence and prevent or minimize the damages.
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Scenario.
- Webserver Recovery
- Database Backup
- Fraud by mistake or on purpose
- Invalid Payroll
- Payroll Calculation
- Create a maintenance plan for the current plan, including risk assessments, business impact assessments, plan reviews, plan exercises, contact list updates, plan training and awareness activities. You can build your maintenance programme with something as simple as a spreadsheet; use the following headings as a starting point.
- Coordinate disaster recovery maintenance activities with existing IT activities such as change management and hardware/software maintenance, as well as with your help desk.
- Report all upkeep activities, including when (date/time) support was performed, a summary of maintenance activities, and approvals as needed.
- Prepare the quarterly maintenance reports to management, highlighting the status of maintenance activities and issues that need to be addressed.
Incident Response
An incident response plan, outlining action steps or incident response procedures, defines how an organization should respond to an incident. These policies may involve third parties, and they need to be comprehensive. The term incident is somewhat nebulous in scope. For our purposes, an incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. This includes system failure and disruption of services in the organization. It is important that an incident response plan establish at least the following items: guidelines for documenting the incident type and defining its category.
According to CERT, a Computer Security Incident Response Team (CSIRT) can be a formalized or an ad hoc team. The six steps of any incident response process should be as follows:
The disaster recovery scenario that will be specifically addressed, within the scope of this plan, is the loss of access to the computer center and the data processing capabilities of those systems and the network connectivity. Although loss of access to communicate with the bank may be more probable, this Disaster Recovery Plan will only address recovery of the critical systems and essential communications. In the event of a declared disaster, key personnel will take immediate action to alert the Disaster Recovery Center. Restoration of the critical coverage will be provided after a disaster is declared and after turnover of the disaster recovery backup site. It will include, without limitation, the following:
Access down to bank for direct deposit upload: Treasury Optimizer is the wire transfer application which is used for direct deposit in the bank. Treasury Optimizer is expected to recover from any disaster within 24 hours, and is tested annually to ensure those expectations are met. The severity level of this scenario is High, because an outage of this application affects many people at one time. Resolving time should be one business day. This is called an emergency fix.
Access down to time sheet entry: Field-glass is the time sheet entry application for employees of our organization, and it works with the HR department to get approval. Each employee needs to access this application once a week to submit their time sheets. If access to this application is down, employees are unable to submit their working hours for approval. The severity level of this scenario is Moderate, because an outage of this application affects many people over the week. Resolving time should be at least three business days.
Vulnerable application and data handling: The payroll department should use our own data center and internal applications for data handling and data processing, because they handle employee bank details with all required information. The data should be backed up in the backup data center or in the cloud. This data should be encrypted and accessed through multi-factor authentication by the payroll department if necessary. This requires a penetration test to find the vulnerabilities in the application and the encryption method. Severity level is Low. It should be resolved within 10-15 days.
Payday week: The payday within the week should be decided by the payroll department, making sure that all risk assessments are evaluated when selecting that day. This is the day selected to create paychecks, which should be direct-deposited in the bank through the third-party application. In a large firm, the payday week can be divided among departments to reduce the load on the payroll team.
Data-Recovery Plan
The webservers need to be kept in an Auto Scaling group, so that whenever a server goes down or there is heavy load on the website, new servers are launched. A floating IP needs to be configured so that it checks server health and serves traffic accordingly. An application load balancer can be placed between the two Auto Scaling groups for high availability of the website.
Database backup is the process of backing up the operational state, architecture and stored data of database software. It enables the creation of a duplicate instance or copy of a database in case the primary database crashes, is corrupted or is lost.
Risk Involved in Payroll
One of the risks associated with a payroll system is fraud. Fraud mainly involves deception or a deliberate intention to unlawfully gain advantage of a system. The following shows some of the risks involved in the maintenance of a payroll system and the mitigation plan.
System checks must be in place. Access to the payroll system and data is limited by task and configured to avoid the risk of fraud. An entry or modification should not only be verified by the person who made the actual entry, but should also be subjected to a peer review and a high-level examination/operator approval.
Samples should be taken each month to confirm the accuracy of salary calculations through simulation programs outside the payroll tool.
Inaccurate taxation: Secure controls should validate the corresponding tax calculation. Make sure the tax returns and declarations are prepared in time to avoid fines.
Review the accounting records to validate that the correct accounts are used, and verify that the accounting records are reconciled with the supporting documents. For automated payroll records without manual intervention, check before uploading a file to the GL. In the case of manual reviews, you should have proper backup documentation to justify the journal entry and its approval by a responsible person. Payment deductions are not processed in accordance with legal provisions. A process that ensures that all payroll documents are handled properly during the required period and are easily accessible when needed. Confidential information on payroll that is not adequately protected may result in loss of reputation, loss of competitive advantage, loss of revenue or legal consequences.
Preventive Measures for Maintaining the Payroll System
The company should classify data according to its sensitivity. In general, salary information, including personal information, should be kept confidential and handled with care when stored or transferred to third parties. Printouts should be locked away properly. Information sent by mail outside the company (for example, email to vendors) must be encrypted and password protected to avoid the risk of eavesdropping. Examples of personal information are national identification, driving license, and debit/credit card and bank account numbers; if stored, these must be password protected or under limited access control, and if sent outside the company, they must be encrypted.
Disaster recovery maintenance plan
When developing a disaster recovery plan, it is imperative that you obtain management approval and review. Some of the main activities for successful disaster recovery plan maintenance include the following:
Conclusion with Future Development
In future, we as an organization will focus on the following important points to help avoid any disaster: technology platform, automation and standardization, aggregation, more effective compliance, and co-location. The main goal of a DR plan is to minimize the damages that an organization suffers in the event of a disaster or crisis. Yet there is no magic cure, no all-encompassing black box, and no single technology that can provide the solution. The solution is understanding the issues, the vulnerabilities, and the challenges.