Management should evaluate whether there are appropriate resources to ensure resilience, including an accessible, off-site repository of software, configuration settings, and related documentation; appropriate backups of data; and off-site infrastructure to operate recovery systems.
Furthermore, management should discuss potential disaster scenarios with the entity’s third-party service providers to prepare for an event. Subsequently, management should assess the entity’s immediate or short-term space requirements, systems, and personnel capacity to assume or transfer failed operations. Additionally, management should assess critical third-party service providers’ susceptibility to simultaneous attacks and verify their resilience capabilities.
Examiners should review the following:
- Appropriateness of resilience practices, including the adequacy of recovery infrastructure and backup processes.
- Integration with disaster recovery services to protect against data destruction.
- Assessment of alternate data communications infrastructure between the entity and critical third-party service providers.
- Evaluation of the entity’s susceptibility to multiple threat scenarios in resilience planning, testing, and recovery strategies.
- Designation of emergency personnel, including for critical business process-level employees.
IV Business Continuity Strategies