Appendix B: Glossary

 

A  B  C  D  E  F  G  H  I  M  N  O  P  R  S  T  U  V  W  

A

Alternate Site Test / Exercise - A business continuity testing activity that tests the capability of staff, systems, and facilities, located at sites other than those generally designated for primary processing and business functions, to effectively support production processing and workloads. During the exercise, business line staff located at recovery site(s) participate in testing business functions and the supporting systems by performing typical production activities, including accessing applications and completing pending transactions. Staff members participate in testing alternate site facilities through the use of PCs, phones, and other equipment needed to perform testing of business activities.

Asynchronous data replication - A process for copying data from one source to another while the application processing continues; an acknowledgement of the receipt of data at the copy location is not required for processing to continue. Consequently, the content of databases stored in alternate facilities may differ from those at the original storage site, and copies of data may not contain current information at the time of a disruption in processing as a result of the time (in fractions of a second) required to transmit the data over a communications network to the alternate facility. This technology is typically used to transfer data over greater distances than that allowed with synchronous data replication.

B

Back-up Generations - A tape rotation methodology that creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." This back-up methodology is frequently used to refer to master files for financial applications.

Business Continuity Plan (BCP) - A comprehensive written plan to maintain or resume business in the event of a disruption. BCP includes both the technology recovery capability (often referred to as disaster recovery) and the business unit(s) recovery capability.

Business Continuity Strategy - Comprehensive strategies to recover, resume, and maintain all critical business functions.

Business Continuity Test - A test of an institution's disaster recovery plan or BCP.

Business Impact Analysis (BIA) - The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes.

Business Recovery Test/Exercise - An activity that tests an institution's BCP.

C

Call Tree - A documented list of employees and external entities that should be contacted in the event of an emergency declaration.

Capacity Testing - Activities structured to determine whether resources (human and IT) can support required processing volumes in recovery environments.

Change management - The broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.

Checklist Review - A preliminary procedure to testing that employs information checklists to guide staff activities. For example, checklists can be used to verify staff procedures, hardware and software configurations, or alternate communication mechanisms.

Component - An element or part of a business process.

Component Test/Exercise - A testing activity designed to validate the continuity of individual systems, processes, or functions, in isolation. For example, component tests may focus on recovering specific network devices, application restoration procedures, off-site tape storage, or proving the validity of data for a particular business line.

Concentrator - In data transmission, a concentrator is a functional unit that permits a common path to handle more data sources than there are channels currently available within the path. A device that connects a number of circuits, which are not all used at once, to a smaller group of circuits for economy.

Connectivity Testing - A testing activity designed to validate the continuity of network communications.

Core firm - Core clearing and settlement organization that serves critical financial markets.

Crisis management - The process of managing an institution's operations in response to an emergency or event that threatens business continuity. An institution's ability to communicate with employees, customers, and the media, using various communications devices and methods, is a key component of crisis management.

Crisis Management Test/Exercise - A testing exercise that validates the capabilities of crisis management teams to respond to specific events. Crisis management exercises typically test the call tree notification process with employees, vendors, and key clients. Escalation procedures and disaster declaration criteria may also be validated.

Critical Financial Markets - Financial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of "critical financial markets" include: • Federal funds, foreign exchange, and commercial paper; • U.S. Government and agency securities; and • Corporate debt and equity securities.

Critical Market Participants - Participants in the financial markets that perform critical operations or provide critical services. Their inability to perform these operations or services could result in major disruptions in the financial system.

Critical Path - The critical path represents the business processes or systems that must receive the highest priority during the recovery phase.

Cross-Market Tests - Cross-market tests are also called market-wide tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

Custom redirect service - This service enables control over the location of incoming calls or the redirection of calls to various locations or pre-established phone numbers to ensure customer service continuity.

D

Data mirroring - A back-up process that involves writing the same data to two physical disks or servers simultaneously.

Data replication - The process of copying data, usually with the objective of maintaining identical sets of data in separate locations. Two common data replication processes used for information systems are synchronous and asynchronous mirroring.

Data synchronization - The comparison and reconciliation of interdependent data files at the same time so that they contain the same information.

Database - A collection of information organized to be easily accessed, managed, and updated.

Digital subscriber line (DSL) - A technology that uses existing copper telephone lines and advanced modulation schemes to provide high-speed telecommunications to businesses and homes.

Disaster recovery exercise - A test of an institution's disaster recovery or BCP.

Disaster recovery plan - A plan that describes the process to recover from major processing interruptions.

Disk shadowing - A back-up process that involves writing images to two physical disks or servers simultaneously.

Diversity - A description of financial services sectors in which primary and back-up telecommunications capabilities do not share a single point of failure.

Dual control - Dividing the responsibility of a task into separate, accountable actions to ensure the integrity of the process.

E

Electronic vaulting - A back-up procedure that copies changed files and transmits them to an off-site location using a batch process.

Emergency plan - The steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc.

Encryption - A data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that data appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.

End-to-end recoverability - The ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure.

Enterprise-wide - Across an entire organization, rather than a single business department or function.

F

Financial Authority - A supervisory organization that is responsible for safeguarding and maintaining consumer confidence in the financial system.

Financial industry participants - Financial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities.

Frame relay - A high-performance wide area network protocol that operates at the physical and data link layers of the Open Systems Interconnect (OSI) reference model. Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Frame relay uses existing T-1 and T-3 lines and provides connection speeds from 56 Kbps to T-1.

Full-interruption/full-scale test (IT and Staff) - A business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored systems and applications needed for the staff to perform production activities.

Functional drill/parallel test - This test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP.

Functionality testing - A test designed to validate that a business process or activity accomplishes expected results.

G

Gap analysis - A comparison that identifies the difference between actual and desired outcomes.

Government Emergency Telecommunications Service (GETS) - Acronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.

Grandfather-father-son - Retaining multiple versions of the back-up files off-site on a "grandfather-father-son" rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers."

H

Hierarchical storage management (HSM) - HSM is used to dynamically manage the back-up and retrieval of files based on how often they are accessed using storage media and devices that vary in speed and cost.

HVAC - Heating, ventilation, and air conditioning.

I

Industry testing - A test designed to validate that business processes, integrated across firms and within the financial industry, which supports the business continuity objectives of the firms, both individually and collectively.

Integrated test/exercise - This integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function.

Interdependencies - When two or more departments, processes, functions, or third-party providers support one another in some fashion.

Internet protocol (IP) - IP is a standard format for routing data packets between computers. IP is efficient, flexible, routable, and widely used with many applications, and is gaining acceptance as the preferred communication protocol.

M

Magnetic ink character recognition (MICR) - Magnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.

Market-wide tests - Market-wide tests are also called cross-market tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

Media - Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).

Microwave technology - Narrowband technology that requires a direct line-of-sight to transmit voice and data communications and is used to integrate a broad range of fixed and mobile communication networks.

Modeling - The process of abstracting information from tangible processes, systems and/or components to create a paper or computer-based representation of an enterprise-wide or business line activity.

Module - A combination of various components of a business process or supporting system.

Module test/exercise - A test designed to verify the functionality of multiple components of a business line or supporting function at the same time.

Multiplexers - A device that encodes or multiplexes information from two or more data sources into a single channel. They are used in situations where the cost of implementing separate channels for each data source is more expensive than the cost and inconvenience of providing the multiplexing/de-multiplexing functions.

N

Network attached storage (NAS) - NAS systems usually contain one or more hard disks that are arranged into logical, redundant storage containers much like traditional file servers. NAS provides readily available storage resources and helps alleviate the bottlenecks associated with access to storage devices.

O

Object Program - A program that has been translated into machine language and is ready to be run (i.e., executed) by the computer.

P

Pandemic - An epidemic or infectious disease that can have a worldwide impact.

Permanent virtual circuit (PVC) - PVC is a pathway through a network that is predefined and maintained by the end systems and nodes along the circuit, but the actual pathway through the network may change due to routing problems. The PVC is a fixed circuit that is defined in advance by the public network carrier. Refer to switched virtual circuit for an additional virtual circuit option.

Private branch exchange (PBX) - A telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.

R

Reciprocal agreement - An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or as "time available" basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option.

Recovery point objective (RPO) - The amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).

Recovery site - An alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as "hot" sites that are fully configured centers with compatible computer equipment and "cold" sites that are operational computer centers without the computer equipment.

Recovery time objective (RTO) - The maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g. the point in time that a process can no longer be inoperable).

Recovery vendors - Organizations that provide recovery sites and support services for a fee.

Remote access - The ability to obtain access to a computer or network from a remote location.

Remote control software - Software that is used to obtain access to a computer or network from a remote distance.

Remote deposit capture (RDC) - A service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution.

Remote journaling - Process used to transmit journal or transaction logs in real time to a back-up location.

Resilience - The ability of an institution to recover from a significant disruption and resume critical operations.

Resilience testing - Testing of an institution's business continuity and disaster recovery resumption plans.

Risk assessment - A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.

Routing - The process of moving information from its source to the destination.

S

SAS 70 report - An audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountant's Statement of Auditing Standards Number 70. Replaced by SSAE 16.

Satellite technology - These links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency.

Server - A computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.

Significant firms - Firms that process a significant share of transactions in critical financial markets.

Simulated loss of data center site(s) test/exercise - A type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities.

Simulation - The process of operating a model of an enterprise-wide or business line activity in order to test the functionality of the model. Computer systems may support the simulation of business models to aid in evaluating the BCP.

Sound practices - Defined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.

Source program - A program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program.

Split Processing - The ongoing operational practice of dividing production processing between two or more geographically dispersed facilities.

Storage area network (SAN) - A high-speed special-purpose network (or sub-network) that connects different types of data storage devices with associated data servers on behalf of a larger network of users.

Stovepipe application - Stand-alone programs that may not easily integrate with other applications or systems.

Street tests - Street tests are also called cross-market tests or market-wide tests that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

Sustainability - The period of time for which operations can continue at an alternate processing facility.

Switched virtual circuit (SVC) - SVC is a temporary connection between workstations that is disabled after communication is complete. Refer to Permanent Virtual Circuit (PVC) for an additional communication method using circuits.

Synchronous data replication - A process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing.

Synchronous Optical NETwork (SONET) - SONET is a standard for telecommunications transmissions over fiber optic cables. SONET is self-healing so that if a break occurs in the lines, it can use a back-up redundant ring to ensure that the transmission continues. SONET networks can transmit voice and data over optical networks.

T

T-1 line - A special type of telephone line for digital communication and transmission. T-1 lines provide for digital transmission with signaling speed of 1.544Mbps (1,544,000 bits per second). This is the standard for digital transmissions in North America. Usually delivered on fiber optic lines.

Table top exercise/structured walk-through test -

Terminal services - A component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection.

Test assumptions - The concepts underlying an institution's test strategies and plans.

Test plan - A document that is based on the institution's test scope and objectives and includes various testing methods.

Test scenario - A potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution's recovery and resumption plan must address.

Test scripts - Documents that define the specific activities, tasks, and steps that test participants will conduct during the testing process.

Test strategy - Testing strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.

Transaction testing - A testing activity designed to validate the continuity of business transactions and the replication of associated data.

Two-way polling - An emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages.

U

Ultra forward service - This service allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage.

Uninterruptible power supply (UPS) - A device that allows your computer to keep running for at least a short time when the primary power source is lost. A UPS may also provide protection from power surges. A UPS contains a battery that "kicks in" when the device senses a loss of power from the primary source allowing the user time to save any data they are working on and to exit before the secondary power source (the battery) runs out. When power surges occur, a UPS intercepts the surge so that it doesn't damage your computer.

Utility - A program used to configure or maintain systems, or to make changes to stored or transmitted data.

V

Virtual private network (VPN) - A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.

Voice over Internet Protocol (VoIP) - The transmission of voice telephone conversations using the Internet or Internet Protocol networks.

W

Walk-through drill/simulation test - This test represents a preliminary step in the overall testing process that may be used for training employees but not as a preferred testing methodology. During this test, participants choose a specific scenario and apply the BCP to it.

Wallet card - Portable information cards that provide emergency communications information for customers and employees.

Wide-scale disruption - An event that disrupts business operations in a broad geographic area.

Wireless communication - The transfer of signals from place to place without cables, usually using infrared light or radio waves.

Work transfer - Work-transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site.


 

 

Previous Section
Appendix A: Examination Procedures
Next Section
Appendix C: Internal And External Threats