IV.A     Resilience

Action Summary


Management should evaluate whether there are appropriate resources to ensure resilience, including an accessible, off-site repository of software, configuration settings, and related documentation, appropriate backups of data, and off-site infrastructure to operate recovery systems.


Furthermore, management should discuss potential disaster scenarios with the entity’s third-party service providers to prepare for an event. Subsequently, management should assess the entity’s immediate or short-term space requirements, systems, and personnel capacity to assume or transfer failed operations. Additionally, management should assess critical third-party service providers’ susceptibility to simultaneous attacks and verify their resilience capabilities.


Examiners should review the following:

  • Appropriateness of resilience practices, including the adequacy of recovery infrastructure and backup processes.
  • Integration with disaster recovery services to protect against data destruction.
  • Assessment of alternate data communications infrastructure between the entity and critical third-party service providers.
  • Evaluation of the entity’s susceptibility to multiple threat scenarios in resilience planning, testing, and recovery strategies.
  • Designation of emergency personnel, including for critical business process-level employees.

Resilience is “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”[1] The business strategy, not technology solutions, should drive resilience. Resilience extends beyond recovery capabilities to incorporate proactive measures for mitigating the risk of a disruptive event in the overall design of operations and processes. Resilience strategies, including maintaining security standards, should extend across the entire business, including outsourced activities. Management should evaluate whether the entity has appropriate resources (e.g., human, financial, time) for resilience. When developing the entity’s resilience strategies, management should consider lessons learned from previous events.

[1] Refer to Presidential Policy Directive/PPD-21, Presidential Policy Directive -- Critical Infrastructure Security and Resilience, February 12, 2013.

