Business Continuity Planning
Financial institutions should:
- Establish ongoing and effective business continuity and information security monitoring programs;
- Effectively manage multiple service provider relationships; and
- Assess, monitor, and effectively control cross-border risks when foreign service providers are used.
Each financial institution should have an effective business continuity plan as outlined in the IT Handbook's "Business Continuity Planning Booklet." The financial institution should also establish ongoing, effective business continuity monitoring programs to ensure technology service providers (TSPs) adequately control the risks, including information security aspects, associated with the technology services provided. The financial institution is responsible not only for those portions of the business continuity program performed in-house, but also for any portions of the plan developed by a service provider or otherwise outsourced. Financial institutions should consider TSP-related business continuity programs when developing internal plans and programs.
The outsourcing risk management program should identify, for Business Continuity Planning (BCP) purposes, the specific responsibilities of all parties, particularly in the areas of information security and business continuity planning. Financial institutions must also consider which of their critical financial services rely on TSP services, including key telecommunication and network service providers.
The institution should understand all relevant service provider business continuity requirements, incorporate those requirements within its own business continuity plan, and ensure the service provider tests its plan annually. Management should require the service provider to report all test plan results and to notify the institution after any business continuity plan modifications. The institution should integrate the provider's business continuity plan into its own plan, communicate functions to the appropriate personnel, and maintain and periodically review the combined plan.
Many financial institutions rely on outside data processing providers and any extended interruption or termination of service can disrupt normal operations. Termination of services should occur according to the terms of the service contract, but can result from unanticipated events.
If the provider complies with basic industry standards and maintains an effective business continuity plan, disruption of services should be minimal and the contract will remain intact. The business continuity plan should require the provider to maintain current data files and programs at an alternative site and arrange for processing at another location. At a minimum, these provisions should allow the provider to process the most important data applications. The institution's business continuity plan, which should complement the provider's plan, is an essential recovery tool when disruption occurs with minimal advance notice.
Events that can cause interruption in the availability of an institution's technology include natural disasters, accidents, software errors, hardware failure, utility outages, and social, political, and economic instability. Even with an outsourcing arrangement, the institution should ensure appropriate backup provisions have been established for its critical data and related processing functions. Effective backup procedures will allow the institution to continue processing applications in the event the data communication system fails. Numerous options are available for management to consider, such as using batch rather than real-time processing methods, operating PCs in an offline mode, capturing data at the controller if transmission lines are lost, or altering communication links through redundant data communication lines, backup modems, or rerouted circuits from the local telephone carrier. Institutions that perform data capture or other functions in-house should address alternative sites or other means in their backup plan to recover or continue these functions.
Regardless of the method used, an institution should have a comprehensive backup plan with procedures that detail how to obtain and use personnel and equipment. Institutions should test backup capabilities periodically to ensure protection is available and employees are familiar with the plan.
With respect to monitoring and maintaining business continuity plans, institutions should:
- Regularly review the business continuity plans of the service provider or vendor to ensure any services considered "mission critical" for the financial institution could be restored within an acceptable timeframe.
- Review the service provider's program for contingency plan testing. For critical services, annual or more frequent tests of the contingency plan are required.
- Assess service provider/vendor interdependencies for mission critical services and applications.
Outsourcing the Business Continuity Function