III.C.4 Business Continuity
The board should approve policies, while senior management should establish and implement policies, procedures, and responsibilities for the enterprise-wide business continuity program. The board should annually approve the institution's business continuity program. Management should document, maintain, and test the plans and backup systems periodically to mitigate the consequences of system interruptions, natural and other disasters, and unauthorized intrusions that could result in the loss, damage, or degradation of data, systems, or services. Management should also provide to the board on an annual basis a written report on the overall status of the business continuity program and the results of testing of the plan and backup systems. Refer to the IT Handbook's "Business Continuity Planning" booklet for more information.
III.C.3 Information Security
III.C.5 Software Development and Acquisition