TABLE OF CONTENTS... 1 CHAPTER 1 INTRODUCTION... 4 1.1 GOALS AND OBJECTIVES... 5 1.2 REQUIRED REVIEW... 5 1.3 APPLICABILITY... 5 1.4 ROLES AND RESPONSIBILITIES SENIOR MANAGEMENT AND BOARD OF DIRECTORS... 6 CHAPTER 2 ACCOUNTABILITY AND MONITORING... 7 2.1 INTERNAL CONTROLS... 7 2.2 REPORTING REQUIREMENTS... 8 CHAPTER 3 STAFF AND TRAINING... 9 3.1 ONGOING TRAINING... 9 3.2 NEW HIRE TRAINING... 10 CHAPTER 4 BUSINESS CONTINUITY PLANNING PROCESSES... 11 4.1 RISK ASSESSMENT PROCESS... 11 4.2 BUSINESS IMPACT ANALYSIS PROCESS... 12 4.3 RECOVERY STRATEGY DEVELOPMENT PROCESS... 12 4.4 BUSINESS CONTINUITY PLAN DEVELOPMENT... 13 4.5 TESTING PROCESS... 14 CHAPTER 5 BUSINESS CONTINUITY PLAN OVERVIEW... 15 5.1 SCOPE... 15 5.2 BUSINESS CONTINUITY PLANNING AND TECHNOLOGY RECOVERY DEFINITIONS... 16 5.3 BUSINESS CONTINUITY PLAN OBJECTIVE... 16 CHAPTER 6 BUSINESS DESCRIPTION... 17 6.1 OFFICE LOCATIONS... 17 6.2 DATA CENTER LOCATIONS... 17 CHAPTER 7 EVENT TYPES... 18 7.1 BUSINESS INTERRUPTIONS... 18 7.2 TECHNOLOGY DISASTERS... 18 CHAPTER 8 PLAN LOGISTICS... 19 and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 1
8.1 APPROVALS, MAINTENANCE, REVISIONS, AND EXECUTION AUTHORITY... 19 8.2 PLAN LOCATION, DISTRIBUTION AND ACCESS... 19 CHAPTER 9 RISK ASSESSMENT... 20 9.1 RISK SCENARIOS... 20 9.2 GAP ANALYSIS... 21 CHAPTER 10 BUSINESS IMPACT ANALYSIS... 23 10.1 DETERMINE LEVELS OF IMPORTANCE BY BUSINESS FUNCTION... 24 10.2 ESTIMATE DOWNTIME TOLERANCES BY BUSINESS FUNCTION... 24 10.2.1 Recovery Time Objectives... 24 10.2.2 Recovery Point Objectives... 25 10.3 IDENTIFY RESOURCE REQUIREMENTS... 25 10.4 ESTABLISH THE CRITICAL PATH FOR RECOVERY... 26 CHAPTER 11 BUSINESS CONTINUITY ORGANIZATION... 27 11.1 ORGANIZATIONAL RESPONSIBILITIES... 27 11.2 EMPLOYEE RESPONSIBILITIES... 28 11.3 DUTIES... 28 CHAPTER 12 EVENT PHASES OBJECTIVES... 29 12.1 RESPONSE PHASE OBJECTIVES... 29 12.2 BUSINESS RESUMPTION PHASE OBJECTIVES... 29 12.3 RELOCATION PHASE OBJECTIVES... 29 12.4 RETURN TO BUSINESS AS USUAL PHASE OBJECTIVES... 30 CHAPTER 13 TEST PLANS AND EXECUTION... 31 13.1 TEST PLAN COMPLEXITY... 31 13.2 PHASE 1: TABLE TOP TESTING... 32 13.3 PHASE 2: TECHNOLOGY FAILOVER... 32 13.4 PHASE 3: TECHNOLOGY FAILOVER AND OFF SITE BUSINESS OPERATIONS... 33 13.5 CONTINUING REFINEMENTS... 33 CHAPTER 14 GENERAL EVENT PREPAREDNESS... 34 14.1 EMERGENCY MANAGEMENT/CRISIS RESPONSE TEAM CALL TREE... 35 14.2 CRITICAL PATH TO RECOVERY... 36 14.3 LIST OF EMPLOYEES AND CONTACT INFORMATION... 36 14.4 LIST OF VENDORS AND SERVICE PROVIDERS AND CONTACT INFORMATION... 37 14.5 LIST OF CUSTOMERS AND CONTACT INFORMATION... 38 and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 2
14.6 LIST OF EQUIPMENT SUPPLIERS AND DATA STORAGE LOCATIONS... 39 14.7 LIST OF COMMUNICATIONS CARRIERS, ISPS, INTERNET HOSTING... 40 14.8 EVENT CHECKLIST... 41 14.9 TECHNOLOGY AND INFRASTRUCTURE RECOVERY CHECKLIST... 42 CHAPTER 15 FFIEC TOOLS AND RESOURCES... 43 15.1 BCP BOOKLET... 43 15.2 CYBERSECURITY ASSESSMENT TOOL... 43 15.3 LESSONS LEARNED FROM HURRICANE KATRINA BROCHURE... 44 CHAPTER 16 AGENCY AND REGULATORY BCP REQUIREMENTS... 45 16.1 FANNIE MAE BCP REQUIREMENTS... 45 16.2 FREDDIE MAC BCP REQUIREMENTS... 45 16.3 OCC REQUIREMENTS... 47 and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 3
Introduction Chapter 1 Introduction is committed to the highest standards of federal consumer compliance and requires all management, employees, and third party vendors follow these policies and adhere to these standards. In today s environment, businesses leaders are increasingly aware of potential threats to their businesses that may appear in many forms; terrorism, catastrophic natural disasters, pandemics, and cyberattacks. Regulators likewise have taken a more careful view of the financial services industry s overall ability to respond to and recover from disruptive events that could impact the entire financial system and undermine the public s trust. recognizes the value of having a plan in place to protect its assets, to minimize its financial losses, to maintain its business operations and to recover its technology in the case of unplanned disruptive events. It is essential to to maintain continuity of its operations in support of its customers, business associates, stakeholders, regulatory obligations, and [ Client] s own financial status and reputation. This policy is intended to serve as the framework for developing s unique Business Continuity Plan (the Plan). It is the policy of to develop and maintain a Plan that considers strategies and procedures to recover, resume, and maintain its critical business functions, processes, and responsibilities. This policy is intended to provide the framework for developing and maintaining a Plan that is specific to the business needs, strategic goals and risk appetite of, and that is relative to its size and complexity. Senior management and the board of directors are committed to establishing and maintaining emergency procedures, backup facilities, and a comprehensive plan that allows for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of [ Client]. Management fully supports and participates in the development, monitoring, testing, and regular maintenance of the Plan. The Plan will initially be developed in house; however, may determine that an outsourced vendor provides the best solution and implementation for the company. In developing the Plan, management remains cognizant of and guided by specific information provided by the Federal Financial Institutions Examination Council (FFIEC). As defined on the FFIEC website, the Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 4
Processes Risk Assessment Process Chapter 4 Processes While the restoration of technology components is commonly seen as the focus of disaster recovery efforts, the recovery of systems and data is not always enough to restore business operations. [ Client] recognizes that the Plan must include the recovery, resumption, and maintenance of all aspects of the business. The Plan considers critical processes as well as all business units and departments, and how the enterprise as a whole will be able to respond to unplanned events. As part of the Plan, management will prioritize the business objectives and critical operations that are essential to the recovery and restoration efforts. Since it may not be possible to restore all business operations simultaneously, it is critical to identify and plan for the restoration of technologies and business units that are most urgent to the survival of the enterprise, the critical path. The planning process should include participation from s management, from business unit managers and supervisors, and from subject matter experts. Depending on the size and complexity of the organization a knowledgeable BCP Coordinator or a BCP Team is assigned to coordinate the overall effort, from development through testing and ongoing maintenance of the Plan. The planning process includes the following general areas: Risk Assessment Business Impact Analysis Recovery Strategy Development Business Continuity and Technology Recovery Plan Development Testing and Maintaining the Plan The process, however, is a continuous one that is reviewed and modified over time and in response to changing operations, results of testing, recommendations from independent reviews of the Plan, and the possibility of new types of threats. These areas are described generally below, and are explained in more depth in later sections. 4.1 Risk Assessment Process Risk assessment is the identification of probable threats that could impact the facilities and staff of. Threats may be of various types, severity, and likelihood. Risk assessment will consider threats by analyzing impact, severity, and likelihood. The risk assessment should consider non specific threats as well as specific threats. Non specific threats are those where the impact to the business is similar, regardless of the specific nature of the and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 11
Event Types Business Interruptions Chapter 7 Event Types The Plan anticipates interruptions to business operations, facilities, and technical infrastructures. Physical damage, depending on severity, will affect business operations to a greater or lesser degree. 7.1 Business Interruptions Business interruptions would affect s ability to communicate and conduct business, during events such as a power or communications outage, or an event requiring evacuation or denied access to the building housing personnel and internal networks. Business interruptions affect the ability of to conduct business as usual and to provide service to its customers. Some examples of business interruptions include: Utility service provider outage, localized Power grid fails due to overload or storms Communications/internet service failures Information security breaches and cyber attacks Access to building is denied due to criminal activity in the area Nearby toxic spill impacts access to facility Pandemic warnings indicate quarantine of building 7.2 Technology Disasters Technology Disasters are disruptions affecting the operation of the office facility, main data center, workstations, communications infrastructure, or other physical assets, and that require rebuilding and restoring communications and technology infrastructure in addition to restoring business operations. Some examples include the following: Fire in the facility Physical damage to a building resulting from environmental or natural disaster, or criminal activity Loss of power to the data center and ancillary generator power, if used as a mitigation strategy Prolonged loss of network connectivity to the primary data center and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 18
General Event Preparedness Continuing Refinements Chapter 14 General Event Preparedness The following activities, lists, and procedures should be made a part of the Plan for quick reference. The BPC coordinator holds responsibility for maintaining these types of supporting lists and checklists with current information. These lists are provided as starting points. For larger organizations, these lists will be maintained and supplied by key personnel in various departments. For example, technology service providers and equipment providers will be maintained by IT and employee contact information will be maintained by Human Resources. Emergency Management / Crisis Response Team Critical Path to recovery Lists of: o employees and contact information o customers and contact information o vendors and contact information o equipment suppliers and data storage locations o communications carriers, ISPs, internet hosting contact information, if available Business Continuity Checklist Technology Recovery Checklist and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 34