Outsourcing the Business Continuity Function
In addition to ensuring that outsourced financial and technology services include appropriate business continuity plans, financial institutions that outsource all or a portion of their business continuity capability should consider the following factors.
- Staffing-The provider should have sufficient and knowledgeable staff available to provide appropriate onsite technical support to ensure timely resumption of operations at the recovery site.
- Processing Time Availability-The provider should allocate sufficient processing time, resources, and security controls to accommodate the potential for multiple clients recovering at once. The institution should ensure it can process normal volumes of work within appropriate time requirements.
- Access Rights-The provider should disclose any access limitations. The provider should guarantee the institution's right to use the site in case of an emergency. Alternatively, the institution should understand any priority arrangements. For example, some sites operate on a first-come, first-served basis until the site is at full capacity, while others have pre-arranged priorities based on contractual agreements.
- Hardware and Software-The recovery site should have compatible hardware and software. The institution should monitor the compatibility of the site to handle its specific computer hardware and software requirements. To facilitate the monitoring, the provider should be required by contract to notify the institution of any changes in the hardware, software, and equipment at the recovery site.
- Security Controls-The institution should ensure it can maintain adequate physical and logical security controls at the recovery site.
- Testing-The service provider contract should address access to the recovery site for periodic testing. At a minimum, the institution needs sufficient access to perform at least one full-scale test of the recovery site annually, including verification of telecommunications capabilities. Similarly, the institution should ensure the service provider also performs periodic tests of its own BCP and submits test results to customer financial institutions.
- Confidentiality of Data-The institution should ensure the provider can maintain the confidentiality of its business and customer data. The service provider should maintain controls sufficient to ensure the security and confidentiality of the information assets consistent with the institution's information security program. Confidentiality of data is particularly important when multiple clients operate from the same recovery site. Institution management should establish whether the service provider has addressed these issues in its contract, particularly the provisions concerning the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. (See 66 Federal Register 8616 (Feb. 1, 2001); 12 CFR Part 30, app. B (OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (Board); 12 CFR Part 364, app. B (FDIC); 12 CFR Part 570, app. B (OTS). See also 66 Federal Register 8152 (Jan. 30, 2001); 12 CFR Part 748, app. A (NCUA).)
- Telecommunications-The institution should review telecommunications redundancy and capacity at the recovery site, including how communications from the institution to the recovery site will be established. The service provider should take steps to ensure the recovery site will have adequate telecommunications services (both voice and data) for all of its clients.
- Reciprocal Agreements-Financial institutions contracting with another institution for a recovery site should consider the above issues of staffing, processing availability, access rights for recovery or testing, compatibility, security, capacity, etc. Both institutions should ensure they maintain sufficient capacity to meet recovery time objectives and minimum service levels in the event one institution needs to recover operations.
- Space-The recovery site should have adequate space to accommodate the affected institution's recovery staff.
- Printing Capacity / Capability-The recovery site should maintain adequate printing capacity to meet the demand of the affected institution under acceptable levels of service.
- Contacts-Institution management should know the procedures for declaring a disaster, including who has the authority to declare a disaster and initiate use of the recovery site. Also, the institution should maintain an updated list of contact names and numbers for the recovery site provider and know the procedures for communicating with the provider.
Outsourced business continuity arrangements can be cost-effective for smaller institutions when compared to establishing and maintaining dedicated alternate recovery sites. Institutions should periodically conduct a thorough test of outsourced disaster recovery services (at least annually).
Business Continuity Planning