Federal Financial Institutions Examination Council
FFIEC
IT EXAMINATION
HANDBOOK
BCP
Business Continuity Planning
FEBRUARY 2015
Table of Contents
Introduction 1
Board and Senior Management Responsibilities 2
Business Continuity Planning Process 3
Business Impact Analysis 5
Risk Assessment 8
Risk Management 9
Business Continuity Plan Development 9
Assumptions 11
Internal and External Components 11
Mitigation Strategies 12
Risk Monitoring and Testing 12
Principles of the Business Continuity Testing Program 13
Roles and Responsibilities 14
Testing Policy 15
Execution, Evaluation, Independent Assessment, and Reporting of Test Results 20
Updating Business Continuity Plan and Test Program 22
Other Policies, Standards and Processes 22
Security Standards 23
Project Management 23
Change Control Policies 24
Data Synchronization Procedures 24
Crisis Management 24
Incident Response 25
Remote Access 25
Employee Training 26
Notification Standards 26
Insurance 26
Business Continuity Planning Booklet
Government and Community 27
Summary 27
Appendix A: Examination Procedures A-1
Appendix B: Glossary B-1
Appendix C: Internal and External Threats C-1
Appendix D: Pandemic Planning D-1
Appendix E: Interdependencies E-1
Appendix F: Business Impact Analysis Process F-1
Appendix G: Business Continuity Plan Components G-1
Appendix H: Testing Program - Governance and Attributes H-1
Appendix I: Laws, Regulations, and Guidance I-1
Appendix J: Strengthening the Resilience of Outsourced Technology Services J-1
Introduction
This booklet is one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook. This booklet provides guidance to assist examiners in evaluating financial institution [1] and service provider risk management processes to ensure the availability of critical financial services. This booklet was also designed to provide helpful guidance to financial institutions regarding the implementation of their business continuity planning processes.
This booklet rescinds and replaces the previous "Business Continuity Planning Booklet," which was issued in March 2003, and has been revised to reflect technological and regulatory changes with a focus on management's responsibilities regarding oversight of the continuity planning process for business operations. While significant revisions have been made, the focus of this booklet continues to be based on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity planning for the entire business, instead of just the information technology department.
This booklet is divided into two parts. The first part, or narrative, describes the business continuity planning process and addresses the responsibilities of the board of directors (board) and senior management. The second part includes examination procedures, a glossary, detailed appendices supporting the narrative, and a reference list of each agency's applicable laws, regulations, and guidance. Each section in the narrative begins with an "Action Summary" that highlights the major points in that section. While not a substitute for reading the entire booklet, the action summaries may be used to quickly assess the most important issues discussed in that section. It is also important to read the detailed appendices, which can serve as a comprehensive reference guide for the topics discussed in the narrative.
The overall goal of this booklet is to provide guidance to the financial services industry about the importance of business continuity planning, which establishes the basis for financial institutions to recover and resume business processes when operations have been disrupted unexpectedly. Because financial institutions play a crucial role in the overall economy, disruptions in service should be minimized in order to maintain public trust and confidence in the financial system. As such, financial institution management should incorporate business continuity considerations into the overall design of their business model to proactively mitigate the risk of service disruptions.
Financial institution management should develop a comprehensive business continuity plan (BCP) as part of the business continuity planning process. The BCP should be based on the size and complexity of the institution and should be consistent with the financial institution's overall business strategy. The goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations. Reviewing a financial institution's business continuity planning process, which includes an assessment of the BCP, is an established part of examinations performed by the FFIEC member agencies. [2]
Changes in business processes and technology, increased terrorism concerns, recent catastrophic natural disasters, and the threat of a pandemic have focused even greater attention on the need for effective business continuity planning. Consequently, these issues should be given greater consideration in the business continuity planning process. Financial institution management should consider the potential for area-wide disasters that could affect an entire region and result in significant losses to the institution. The business continuity planning process should address interdependencies, both market-based and geographic, among financial system participants and infrastructure service providers. In most cases, recovery time objectives (RTOs) are now much shorter than they were a few years ago, and for some institutions, RTOs are based on hours and even minutes. Ultimately, all institutions should anticipate and plan for the unexpected and ensure that their business continuity planning process appropriately addresses the lessons they have learned from past disasters.
Board and Senior Management Responsibilities
Action Summary
A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes:
Establishing policy by determining how the institution will manage and control identified risks;
Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP;
Ensuring that the BCP is independently reviewed and approved at least annually;
Ensuring employees are trained and aware of their roles in the implementation of the BCP;
Ensuring the BCP is regularly tested on an enterprise-wide basis;
Reviewing the BCP testing program and test results on a regular basis; and
Ensuring the BCP is continually updated to reflect the current operating environment.
It is the responsibility of an institution's board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning