VII.I Third-Party Service Provider Testing
Third-party service providers deliver critical services to many entities and should be included in the enterprise-wide exercise and testing program. The extent of inclusion in the entity’s program should be based on the criticality of the third-party service provider and the business function. Management should obtain assurance that third-party service providers are resilient and have adequate infrastructure and personnel to restore critical services consistent with business and contractual requirements. The right to perform or participate in testing with third-party service providers should be included in the contract governing the entity’s relationship with the third party.
Management should actively participate in the entity’s third-party service providers’ testing programs and should verify that testing strategies include likely significant disruptive events. Third-party service providers should be transparent about testing parameters and results because not all clients can participate in every testing activity (e.g., when there is a large client volume) and some exercises and tests may not be relevant to the services provided to a specific customer. Management should request and receive test results and reports, remediation action plans and status reports upon their completion, and related analysis or modeling. Management should track and resolve any issues identified during the exercise in a timely manner, according to the severity of the issues. Any test results that affect the entity should be presented to its board. In most instances, one entity’s recovery experience does not guarantee similar results for another; therefore, management should perform its own analysis. Refer to the IT Handbook’s “Outsourcing Technology Services” booklet for additional information.