The banking system in Belgium has understood the message. At the end of 2015, the National Bank of Belgium (NBB) sent a circular to all Belgian financial institutions with guidelines for their operational business continuity and data security. Who would not want his hard-earned money to be safe? Banks have a critical role in the financial system and great social importance. It is therefore obvious that they take precautionary measures against operational damage, disruptions to the electricity grid or theft. The circular states that a financial institution must always have two data centers, at least Tier III, that are not within the same urban agglomeration and at least 15 km apart. Less than 15 km is allowed, but only if sufficient substantiated risk analysis is submitted to the NBB. Additional precautions and / or fall-back and recovery solutions are provided at a distance of at least 100 km. Less than 100 km is allowed, but also with sufficient substantiated risk analysis.
What about government data now? The federal government often uses 4 data centers that are centrally located in Brussels near the small ring road and a data center in Anderlecht. The distance between the buildings ranges from a few kilometers to the farthest distance of 5 to 6 km. This is certainly not covered by the National Bank standards described above.
Throw a bomb at Brussels and not only all major government institutions have been wiped off, including their sensitive data. Most governments are located in the heart of our capital, both with its own server rooms and external data centers. A lightning strike or a long-term disruption of the electricity network is already sufficient to paralyze a government institution, and thereby all critical data. Conclusion: the data centers and back-up data centers of our governments cannot cope with a breakdown on the same city power network. They are therefore both affected by a city-wide power failure. Brussels is also a high risk zone. This means that the chance of a natural disaster or a terrorist attack is much greater than in Aalst or Antwerp.
Can our governments afford these risks? They have sensitive data about you and me, tax returns, our social security, data about the financial health of our country, data about conversations between political parties, nations. In short: information that must always be consultable. Should this data not be extra protected? By duplicating in a back-up data center outside our capital for example?
The NBB sets the right example.
How come our governments don't seem to be awake about internal or external security risks? Do you also not think that the guidelines / rules for payment institutions, insurers and lenders should also apply to governments? There is a tendency within the government that it must manage the data centers itself. Is it not more efficient to leave this to external parties with good SLAs?