Global Statement of Business Continuity

Similar documents
SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Table of Contents. Sample

Session 5: Business Continuity, with Business Impact Analysis

Risk Management. Continuity Management

Policy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018

Driving Global Resilience

Business Continuity Policy

Enterprise resilience and the role of Standards

Headline Verdana Bold

Business Continuity and Disaster Recovery

Building resilience. Delivering assurance.

Promoting the Art and Science of Business Continuity Management Worldwide. Partner of the DRJ

Policy. Business Resilience MB2010.P.119

Corporate Information Security Policy

GUIDANCE NOTE ON CYBERSECURITY

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

Building a BC/DR Control Library and Regulatory Response Program

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

INTERNAL AUDIT DIVISION REPORT 2017/138

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

EU General Data Protection Regulation (GDPR) Achieving compliance

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Peer Collaboration The Next Best Practice for Third Party Risk Management

NYDFS Cybersecurity Regulations

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

MassMutual Business Continuity Disclosure Statement

Principles for BCM requirements for the Dutch financial sector and its providers.

Global Security Consulting Services, compliancy and risk asessment services

SFC strengthens internet trading regulatory controls

Canada Life Cyber Security Statement 2018

Regulatory Update Cyber Security

Position Description IT Auditor

Continuity of Business

Google Cloud & the General Data Protection Regulation (GDPR)

ISO/IEC INTERNATIONAL STANDARD

EQUINIX BUSINESS CONTINUITY ADVANCED SERVICES KEEP YOUR BUSINESS UP AND RUNNING

Using International Standards to Implement a Business Continuity Management System (BCMS)

Business Continuity Management Standards A Side-by-Side Comparison

Facilities Management and Business Continuity. 10 May 2017

Information Security Controls Policy

Information Technology Branch Organization of Cyber Security Technical Standard

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Business Continuity Management

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

Introduction to ISO/IEC 27001:2005

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

Risk Management in Electronic Banking: Concepts and Best Practices

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Conformity assessment Requirements for bodies providing audit and certification of management systems. Part 6:

BUSINESS CONTINUITY MANAGEMENT (BCM) INITIATIVES OF THE BANGKO SENTRAL NG PILIPINAS

Security and Privacy Governance Program Guidelines

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

National Policy and Guiding Principles

Information Security Policy

Implementation of Business Continuity Management System (BCMS) based on ISO 22301:2012 requirements

ISO Business Continuity Management System

Public Safety Canada. Audit of the Business Continuity Planning Program

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Regulating Cyber: the UK s plans for the NIS Directive

Build a viable plan for disaster recovery and crisis management.

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Introduction to Business Continuity Management

Level Access Information Security Policy

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Oracle Data Cloud ( ODC ) Inbound Security Policies

TEL2813/IS2820 Security Management

Information Technology General Control Review

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques Information security management guidelines for financial services

Global Security Advisor

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Cyber Risks in the Boardroom Conference

Information Security Strategy

BCM Program Development

Laws Influence Business Continuity and Disaster Recovery Planning Among Industries

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Why you should adopt the NIST Cybersecurity Framework

Security Management Models And Practices Feb 5, 2008

FDIC InTREx What Documentation Are You Expected to Have?

Business Services Resilience and Restoration. Financial Services Sector Preparation for an Extreme Event

HCPC's Risk Assurance Part 1

ROLE DESCRIPTION IT SPECIALIST

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

7 th BICSI Southeast Asia Conference 2009 Building the Next Generation Broadband Network

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

TSC Business Continuity & Disaster Recovery Session

POSITION DESCRIPTION

Data Security and Privacy Principles IBM Cloud Services

Cyber Crime Seminar 8 December 2015

Risk Advisory Academy Training Brochure

WORKSHARE SECURITY OVERVIEW

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

Implementing a BCM Programme

Transcription:

Business Continuity Management Version 1.0-2017 Date January 25, 2017 Status Author Business Continuity Management (BCM)

Table of Contents 1. Credit Suisse Business Continuity Statement 3 2. BCM Program Introduction 4 2.1 BCM Program Summary 4 3. Planning, Scope and Documentation 5 3.1 Business Continuity Management Global Policy 5 3.2 BCM Program Methodology 6 3.3 Lifecycle Overview 6 4. Crisis Management 7 4.1 Crisis Management Structure 7 5. Governance, Audits and External Reviews 8 5.1 Governance 8 5.2 Internal Audits 8 5.3 External Reviews 8 Page 2 of 8

1. Credit Suisse Business Continuity Statement The following global statement is applicable to all Credit Suisse locations, legal entities and subsidiaries. Credit Suisse fully recognizes the importance of maintaining a comprehensive Business Continuity Program in an integrated global financial service business environment. Credit Suisse has well established Business Continuity Management (BCM) practices, procedures and policies that provide appropriate resilience and recovery for critical business processes, systems and data. The Credit Suisse BCM program is derived from and adheres to a number of regulatory, governmental and industry standards and guidelines. These include but are not limited to: Global - Basel Joint Forum (2006): High-level Principles for Business Continuity - International Standard: (2012) ISO 22301 & ISO 22313 - Business Continuity Institute: (2013) Good Practice Guidelines Switzerland - FINMA Circular: (2008/10) Self-Regulation as a Minimum Standard - Swiss Bankers Association: (2013) Recommendations for BCM UK - British Standard: (2007) BS 25999 (now replaced by ISO 22301 and ISO 22313) - UK Government: (2004) Civil Contingencies Act - UK Authorities: Annual Market Wide Exercise and Resiliency Benchmarking - FSA (2006): BCM Practice Guide (FSA now PRA and FCA) Prudential Regulation Authority Handbook Americas - Fed, OCC and SEC: (2003) Interagency White Paper to Strengthen the Resiliency of the US Financial System - Federal Reserve Bank and NY State Banking Authority: (2015) FFIEC Business Continuity Planning IT Examination Handbook - FINRA: (2009) Rule 4370 - Business Continuity Plans Asia Pacific Singapore Monetary Authority: BCM Guidelines - Japan BOJ: Toward Effective Business Continuity Management: A Check list and Instructive Practices - APRA: Prudential Standard APS232 Business Continuity Management - HKMA: Business continuity planning supervisory policy manual TM-G-2 The Credit Suisse BCM program is regularly reviewed as part of internal audit schedules and external audit requirements. In addition, global Infectious Disease plans are externally reviewed as required. Credit Suisse actively engages with industry bodies to develop and enhance resiliency within the financial sector and partners closely with regulatory bodies to advance Business Continuity planning in all regions. Page 3 of 8

2. BCM Program Introduction Business Continuity Management (BCM) is a company-wide approach designed to ensure that critical business processes can be maintained in the event of a major internal or external incident. The aim of BCM is to maintain a duty of care to staff, to protect the customer and company assets and to minimise the financial, regulatory, reputational and strategic impact of such incidents. Overall BCM is intended to ensure the continuation or rapid recovery of critical business activities in crisis situations, on a previously agreed level of continuation or recovery. As result, BCM essentially involves all business and organizational areas within Credit Suisse in planning, testing and crisis management contexts. Credit Suisse BCM is divided into four regional teams accountable to the Global Head of BCM. 2.1 BCM Program Summary The Credit Suisse global BCM program is derived from the International Standard ISO-22301and complies with all applicable regional BCM standards and regulatory requirements. Senior Management provide program sponsorship and governance at both the global and regional levels. The Credit Suisse Business Continuity Program incorporates: Crisis Management procedures to direct recovery activities during any significant business disruption Documented procedures to back up and recover critical systems and data Documented strategies to sustain critical functions using a variety of applicable business strategies including relocation to alternate workplace facilities, process transference and split production Processes to communicate with key stakeholders, including employees and clients A dedicated team of business continuity professionals ensure that recovery plans are documented, reviewed and tested across Credit Suisse in line with the global minimum standards contained within the Global BCM Policy. The crisis management framework enables a rapid response to disruptive events in order to: Safeguard employees lives Protect customer and company assets Make timely and prudent financial and operational assessments Maintain obligations to the financial markets and regulators Quickly recover and resume operations Page 4 of 8

3. Planning, Scope and Documentation 3.1 Business Continuity Management Global Policy Scope: The Credit Suisse Global BCM Policy defines the minimum global BCM standards for all Credit Suisse regions and business divisions. Regional supplements complement the Global BCM Policy with regional requirements. Content: The policy defines and regulates business continuity roles and responsibilities for the implementation, maintenance and validation of planning, analysis, readiness assessment, communication, training and crisis management. Responsibilities: Local, regional and global risk management committees are responsible for the oversight of the Business Continuity Program with annual attestation at Board level. The regionally appointed senior managers own the BCM risk and are accountable for the regional implementation of the BCM program in line with global minimum standards. Business heads are accountable for their divisional recovery strategies, the validation of recovery capabilities and the provision of appropriate training and awareness, with expert advice given by the global BCM team. The regionally appointed senior IT managers are accountable for IT Disaster Recovery (DR) in their region, ensuring recoverability of critical applications according to the recovery time agreed with the Business. The global and regional BCM teams are responsible for the definition and implementation of the annual Business Continuity Program, reporting recovery capability and risks to regional and global governance committees and regulators where required. Regional BCM teams also participate in industry liaison activities. Impact Types / Event: The Global BCM Policy defines four Impact Types and one Global Event that form the foundation of the Business Continuity Program at Credit Suisse. The Impact Types are defined as Loss of Premises, Loss of Staff, Loss of IT services and Loss of External Supplier. Infectious Disease planning is defined under the Global Event. Recovery plans address each of the Impact Types and document business strategies for each event. Further detail is provided in Section 3.3 below. Page 5 of 8

3.2 BCM Program Methodology The BCM Lifecycle forms the foundation of the Credit Suisse BCM program. The lifecycle defines and ensures the comprehensive and iterative processes that maintain and enhance operational resilience within Credit Suisse. The BCM Lifecycle was adapted from the International Standard ISO-22301 3.3 Lifecycle Overview The BCM Lifecycle elements are conducted periodically in accordance with the Global BCM minimum standards as defined in the Global BCM Policy. Business Impact Assessments, Business Recovery Strategies and Business Recovery Plans are contained within internally developed tools that include an inventory of business Products, Processes and Activities their underlying resources, criticality, recovery strategies and recovery plan documentation for the following Impact Types: Loss of Premises Loss of Staff Loss of IT Services Loss of External Supplier An event is a combination of one or more impact types. Credit Suisse has defined one global event: Infectious Disease Recovery capabilities are validated via the annual testing program through a global Readiness Assessment methodology and reported on a regular basis to local, regional and global governance committees, internal and external audit teams and industry regulators. The annual training and awareness program includes a mandatory awareness session for all employees. In addition, a bespoke training program is in place to ensure all members of staff with a crisis role are aware and competent. Page 6 of 8

4. Crisis Management 4.1 Crisis Management Structure Crisis Management Teams (CMTs) convene when an incident has a significant impact on business operations. Credit Suisse has an established comprehensive Crisis Management structure and process capable of dealing with incidents ranging from global events such as Infectious Disease, to regional, country, city or building incidents. All crisis management teams have documented plans and processes and receive annual training in order to perform their role. The suitability of these plans and training is subject to an annual attestation. In the event of a Cybersecurity incident, Business Continuity Management s standard Crisis Management process would be utilized to address the threat via established escalation procedures, roles, responsibilities, and communication. Page 7 of 8

5. Governance, Audits and External Reviews 5.1 Governance The Credit Suisse BCM program is supported at board level with global and regional governance committees in place to approve the scope of the annual BCM program and oversee the execution of the book of work. Regional governance committees convene on a regular basis to manage business continuity risks, review progress and approve any changes to the BCM book of work. Governance models will adapt according to re-organisations and local requirements. 5.2 Internal Audits Credit Suisse Group Internal Audit applies a comprehensive risk assessment to all areas, including Credit Suisse s BCM function. BCM is audited on a rotational basis based on the result of this risk assessment and its significance to the Bank. Internal Audit forms part of the regional governance committee and periodically reviews the preparation, execution and reporting of the BCM readiness assessment program. Recovery plan documentation is audited as part of departmental reviews and audit issues are tracked within the Bank s internal tracking tool. 5.3 External Reviews The Credit Suisse BCM program is periodically reviewed by our regional regulators. External auditors review our global program on an annual basis. In addition, global Infectious Disease plans are externally reviewed as required. Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback