Table of Contents. Sample


TABLE OF CONTENTS ... 1
CHAPTER 1 INTRODUCTION ... 4
1.1 GOALS AND OBJECTIVES ... 5
1.2 REQUIRED REVIEW ... 5
1.3 APPLICABILITY ... 5
1.4 ROLES AND RESPONSIBILITIES: SENIOR MANAGEMENT AND BOARD OF DIRECTORS ... 6
CHAPTER 2 ACCOUNTABILITY AND MONITORING ... 7
2.1 INTERNAL CONTROLS ... 7
2.2 REPORTING REQUIREMENTS ... 8
CHAPTER 3 STAFF AND TRAINING ... 9
3.1 ONGOING TRAINING ... 9
3.2 NEW HIRE TRAINING ... 10
CHAPTER 4 BUSINESS CONTINUITY PLANNING PROCESSES ... 11
4.1 RISK ASSESSMENT PROCESS ... 11
4.2 BUSINESS IMPACT ANALYSIS PROCESS ... 12
4.3 RECOVERY STRATEGY DEVELOPMENT PROCESS ... 12
4.4 BUSINESS CONTINUITY PLAN DEVELOPMENT ... 13
4.5 TESTING PROCESS ... 14
CHAPTER 5 BUSINESS CONTINUITY PLAN OVERVIEW ... 15
5.1 SCOPE ... 15
5.2 BUSINESS CONTINUITY PLANNING AND TECHNOLOGY RECOVERY DEFINITIONS ... 16
5.3 BUSINESS CONTINUITY PLAN OBJECTIVE ... 16
CHAPTER 6 BUSINESS DESCRIPTION ... 17
6.1 OFFICE LOCATIONS ... 17
6.2 DATA CENTER LOCATIONS ... 17
CHAPTER 7 EVENT TYPES ... 18
7.1 BUSINESS INTERRUPTIONS ... 18
7.2 TECHNOLOGY DISASTERS ... 18
CHAPTER 8 PLAN LOGISTICS ... 19
8.1 APPROVALS, MAINTENANCE, REVISIONS, AND EXECUTION AUTHORITY ... 19
8.2 PLAN LOCATION, DISTRIBUTION AND ACCESS ... 19
CHAPTER 9 RISK ASSESSMENT ... 20
9.1 RISK SCENARIOS ... 20
9.2 GAP ANALYSIS ... 21
CHAPTER 10 BUSINESS IMPACT ANALYSIS ... 23
10.1 DETERMINE LEVELS OF IMPORTANCE BY BUSINESS FUNCTION ... 24
10.2 ESTIMATE DOWNTIME TOLERANCES BY BUSINESS FUNCTION ... 24
10.2.1 Recovery Time Objectives ... 24
10.2.2 Recovery Point Objectives ... 25
10.3 IDENTIFY RESOURCE REQUIREMENTS ... 25
10.4 ESTABLISH THE CRITICAL PATH FOR RECOVERY ... 26
CHAPTER 11 BUSINESS CONTINUITY ORGANIZATION ... 27
11.1 ORGANIZATIONAL RESPONSIBILITIES ... 27
11.2 EMPLOYEE RESPONSIBILITIES ... 28
11.3 DUTIES ... 28
CHAPTER 12 EVENT PHASES OBJECTIVES ... 29
12.1 RESPONSE PHASE OBJECTIVES ... 29
12.2 BUSINESS RESUMPTION PHASE OBJECTIVES ... 29
12.3 RELOCATION PHASE OBJECTIVES ... 29
12.4 RETURN TO BUSINESS AS USUAL PHASE OBJECTIVES ... 30
CHAPTER 13 TEST PLANS AND EXECUTION ... 31
13.1 TEST PLAN COMPLEXITY ... 31
13.2 PHASE 1: TABLE TOP TESTING ... 32
13.3 PHASE 2: TECHNOLOGY FAILOVER ... 32
13.4 PHASE 3: TECHNOLOGY FAILOVER AND OFF SITE BUSINESS OPERATIONS ... 33
13.5 CONTINUING REFINEMENTS ... 33
CHAPTER 14 GENERAL EVENT PREPAREDNESS ... 34
14.1 EMERGENCY MANAGEMENT/CRISIS RESPONSE TEAM CALL TREE ... 35
14.2 CRITICAL PATH TO RECOVERY ... 36
14.3 LIST OF EMPLOYEES AND CONTACT INFORMATION ... 36
14.4 LIST OF VENDORS AND SERVICE PROVIDERS AND CONTACT INFORMATION ... 37
14.5 LIST OF CUSTOMERS AND CONTACT INFORMATION ... 38
14.6 LIST OF EQUIPMENT SUPPLIERS AND DATA STORAGE LOCATIONS ... 39
14.7 LIST OF COMMUNICATIONS CARRIERS, ISPS, INTERNET HOSTING ... 40
14.8 EVENT CHECKLIST ... 41
14.9 TECHNOLOGY AND INFRASTRUCTURE RECOVERY CHECKLIST ... 42
CHAPTER 15 FFIEC TOOLS AND RESOURCES ... 43
15.1 BCP BOOKLET ... 43
15.2 CYBERSECURITY ASSESSMENT TOOL ... 43
15.3 LESSONS LEARNED FROM HURRICANE KATRINA BROCHURE ... 44
CHAPTER 16 AGENCY AND REGULATORY BCP REQUIREMENTS ... 45
16.1 FANNIE MAE BCP REQUIREMENTS ... 45
16.2 FREDDIE MAC BCP REQUIREMENTS ... 45
16.3 OCC REQUIREMENTS ... 47

and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of and its outside of. 1

Chapter 1 Introduction

[Client] is committed to the highest standards of federal consumer compliance and requires all management, employees, and third-party vendors to follow these policies and adhere to these standards. In today's environment, business leaders are increasingly aware of potential threats to their businesses that may appear in many forms: terrorism, catastrophic natural disasters, pandemics, and cyberattacks. Regulators likewise have taken a more careful view of the financial services industry's overall ability to respond to and recover from disruptive events that could impact the entire financial system and undermine the public's trust.

[Client] recognizes the value of having a plan in place to protect its assets, to minimize its financial losses, to maintain its business operations, and to recover its technology in the case of unplanned disruptive events. It is essential to [Client] to maintain continuity of its operations in support of its customers, business associates, stakeholders, regulatory obligations, and [Client]'s own financial status and reputation.

This policy is intended to serve as the framework for developing [Client]'s unique Business Continuity Plan (the Plan). It is the policy of [Client] to develop and maintain a Plan that considers strategies and procedures to recover, resume, and maintain its critical business functions, processes, and responsibilities. This policy is intended to provide the framework for developing and maintaining a Plan that is specific to the business needs, strategic goals, and risk appetite of [Client], and that is proportionate to its size and complexity.

Senior management and the board of directors are committed to establishing and maintaining emergency procedures, backup facilities, and a comprehensive plan that allows for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of [Client]. Management fully supports and participates in the development, monitoring, testing, and regular maintenance of the Plan. The Plan will initially be developed in house; however, [Client] may determine that an outsourced vendor provides the best solution and implementation for the company.

In developing the Plan, management remains cognizant of and guided by specific information provided by the Federal Financial Institutions Examination Council (FFIEC). As defined on the FFIEC website, the Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer

Chapter 4 Processes

While the restoration of technology components is commonly seen as the focus of disaster recovery efforts, the recovery of systems and data is not always enough to restore business operations. [Client] recognizes that the Plan must include the recovery, resumption, and maintenance of all aspects of the business. The Plan considers critical processes as well as all business units and departments, and how the enterprise as a whole will be able to respond to unplanned events.

As part of the Plan, management will prioritize the business objectives and critical operations that are essential to the recovery and restoration efforts. Since it may not be possible to restore all business operations simultaneously, it is critical to identify and plan for the restoration of the technologies and business units that are most urgent to the survival of the enterprise: the critical path.

The planning process should include participation from [Client]'s management, from business unit managers and supervisors, and from subject matter experts. Depending on the size and complexity of the organization, a knowledgeable BCP Coordinator or a BCP Team is assigned to coordinate the overall effort, from development through testing and ongoing maintenance of the Plan. The planning process includes the following general areas:

- Risk Assessment
- Business Impact Analysis
- Recovery Strategy Development
- Business Continuity and Technology Recovery Plan Development
- Testing and Maintaining the Plan

The process, however, is a continuous one that is reviewed and modified over time in response to changing operations, results of testing, recommendations from independent reviews of the Plan, and the possibility of new types of threats. These areas are described generally below and are explained in more depth in later sections.

4.1 Risk Assessment Process

Risk assessment is the identification of probable threats that could impact the facilities and staff of [Client]. Threats may be of various types, severity, and likelihood. Risk assessment will consider threats by analyzing impact, severity, and likelihood. The risk assessment should consider non-specific threats as well as specific threats. Non-specific threats are those where the impact to the business is similar, regardless of the specific nature of the

Chapter 7 Event Types

The Plan anticipates interruptions to business operations, facilities, and technical infrastructures. Physical damage, depending on severity, will affect business operations to a greater or lesser degree.

7.1 Business Interruptions

Business interruptions would affect [Client]'s ability to communicate and conduct business during events such as a power or communications outage, or an event requiring evacuation of, or denying access to, the building housing personnel and internal networks. Business interruptions affect the ability of [Client] to conduct business as usual and to provide service to its customers. Some examples of business interruptions include:

- Utility service provider outage, localized
- Power grid fails due to overload or storms
- Communications/internet service failures
- Information security breaches and cyber attacks
- Access to building is denied due to criminal activity in the area
- Nearby toxic spill impacts access to facility
- Pandemic warnings indicate quarantine of building

7.2 Technology Disasters

Technology Disasters are disruptions affecting the operation of the office facility, main data center, workstations, communications infrastructure, or other physical assets, and that require rebuilding and restoring communications and technology infrastructure in addition to restoring business operations. Some examples include the following:

- Fire in the facility
- Physical damage to a building resulting from environmental or natural disaster, or criminal activity
- Loss of power to the data center and to ancillary generator power, if used as a mitigation strategy
- Prolonged loss of network connectivity to the primary data center

Chapter 14 General Event Preparedness

The following activities, lists, and procedures should be made a part of the Plan for quick reference. The BCP Coordinator holds responsibility for maintaining these types of supporting lists and checklists with current information. These lists are provided as starting points. For larger organizations, these lists will be maintained and supplied by key personnel in various departments. For example, technology service provider and equipment provider lists will be maintained by IT, and employee contact information will be maintained by Human Resources.

- Emergency Management / Crisis Response Team
- Critical Path to Recovery
- Lists of:
  o employees and contact information
  o customers and contact information
  o vendors and contact information
  o equipment suppliers and data storage locations
  o communications carriers, ISPs, internet hosting contact information, if available
- Business Continuity Checklist
- Technology Recovery Checklist