OMIClear has set as a strategic objective ensuring an adequate response to any incident or disaster situation that affects people, material assets, information and/or business processes that depend on its activities. To this end, OMIClear has opted to implement a Business Continuity Management System (BCMS), within a larger Information Security Management System (ISMS), based on ISO standard 22301, guaranteeing the recovery of its critical functions within the defined Recovery Time Objective and respecting the legal requirements to which the Clearing House is bound within the framework of its activity on the market.
The Business Continuity Management System involves the identification and assessment of OMIClear's critical tasks and of the organization's interdependence with the external entities to which it relates, and the development of recovery strategies based on disruptive disaster scenarios that may affect its physical and technological infrastructure.
OMIClear is committed to responding quickly and efficiently to a disaster or any serious incident, thereby minimizing the potential negative impacts of these incidents, both for the Organization and its internal functions and for its members and other market participants.
Responsibilities for Business Continuity Management
- Senior Management - responsible for ensuring that the Business Continuity Management System is established and implemented in accordance with the approved Policy in force, and for providing all necessary resources to comply with the BCMS;
- Business Continuity Manager - responsible for the operational implementation and maintenance of the Business Continuity Management System;
- Business Continuity Management Team - reviews the BCMS at least once a year or whenever a significant change occurs, and prepares a review report on each such occasion. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the BCMS.
If Business Continuity Plans are activated, a working body called the Crisis Management Team is formed, which is authorized to make any decisions needed to resolve the situation. The Crisis Management Team is managed by the Crisis Manager.
The Crisis Management Support Team relieves the Crisis Management Team of administrative and other operational activities, so that it can focus on managing the disruptive incident.
The Business Continuity Manager is responsible for monitoring nonconformities, false alarms, actual incidents, or any other similar situations, and for raising preventive actions as required.
Risk Assessment and Business Impact Analysis
Risk Assessment and Business Impact Analysis define the methodology and process for assessing the impacts of possible disruptions to OMIClear's activities, and determine the continuity and recovery priorities, objectives and targets.
The highest risks identified during the risk assessment that could lead to a disruptive incident, i.e., business disruption, are the following:
- Bomb threat;
- Loss of Power Supply;
- Social Disorder;
- Breakdown of communication links.
In a disaster situation, the critical tasks and essential functions of OMIClear are recovered within the Recovery Time Objective (RTO) of 2 hours.
Business impact analysis is applied to the entire scope of the Business Continuity Management System (BCMS), i.e., to all activities that support OMIClear products and services.
Business Continuity Strategy and Plan
The Business Continuity Strategy defines how OMIClear ensures that all conditions for the resumption of business activities in the case of disaster or other disruptive incident are met. It forms the basis for preparing the Business Continuity Plan and Recovery Plans.
OMIClear's Business Continuity Strategy is applied to the entire BCMS scope, as defined in the Business Continuity Management Policy.
The Continuity Plan defines precisely how OMIClear manages incidents in the case of a disaster or other disruptive incident, and how it will recover its activities within set deadlines. The objective of the Plan is to keep the damage of a disruptive incident at an acceptable level, so as not to compromise OMIClear's activity in the market.
OMIClear's Business Continuity Plan is applied to all critical activities inside the scope of the Business Continuity Management System (BCMS).
Information Security Management System (ISMS)
At the time of the implementation of the Business Continuity Management System (BCMS), with the purpose of reducing the risk of a failure related to information security and to ensure the confidentiality, availability and integrity of the information assets, OMIClear proactively decided to define and implement internal procedures within an Information Security Management System (ISMS). OMIClear's ISMS is based on the standard ISO/IEC 27001, since it is one of the best-known standards providing requirements for an information security management system.
The ISMS implementation includes all people, processes and systems of OMIClear and it is designed to create and maintain a set of management tools that allows OMIClear to operate its markets and services according to the industry best practices and regulations. It also promotes confidence in the users of OMIClear services and reduces the probability of incidents and potential damage caused by them. These features are in line with the organization's business objectives.
The information security system applies to:
- All information which results from the normal business and services provided by OMIClear;
- All organizational units of OMIClear in accordance with the organizational structure of the company;
- All the organization's business locations (headquarters office, main datacenter, secondary datacenter and secondary office);
- All assets identified in the Inventory of Assets.
With the implementation of the ISMS, OMIClear is equipped with a wide range of internal procedures that allow the efficient management of risks related to information security, namely in the following major areas:
- Risk Assessment
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
In order to establish the concepts and guidelines of OMIClear's ISMS, an Information Security Policy was defined and formally approved by the Board of Directors. This policy applies to all of OMIClear's employees, interns, service providers and other partners, as well as all assets and information systems, operational, inactive or in development, whether hosted on OMIClear's equipment and facilities or on those of outsourcing suppliers.