Information technology business continuity plan

Desktop computers, laptops and wireless devices are used by employees to create, process, manage and communicate information. An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.

Businesses large and small create and manage large volumes of electronic information or data. A plan for data backup and restoration of electronic information is essential.

Resources for information technology disaster recovery planning

Computer Security Resource Center - National Institute of Standards and Technology (NIST), Computer Security Division Special Publications
Contingency Planning Guide for Federal Information Systems - NIST Special Publication 800-34 Rev. 1
Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities - NIST Special Publication 800-84
Building an Information Technology Security Awareness and Training Program - NIST Special Publication 800-50
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals - Information Systems Audit and Control Association

IT recovery strategies

Recovery strategies should be developed for information technology (IT) systems, applications and data. Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis. The recovery time for an IT resource should match the recovery time objective for the business function or process that depends on the IT resource. Information technology systems require hardware, software, data and connectivity.
However, there are other solutions available for small to medium sized businesses with critical business applications and data to consider.

Internal recovery strategies

Many businesses have access to more than one facility. This information can be accessed at the primary business site or any alternate site using a web browser. These vendors can also provide data filtering and detection of malware threats, which enhance cyber security.

Developing an IT disaster recovery plan

Businesses should develop an IT disaster recovery plan.

NIST business continuity plan

The plan should include a strategy to ensure that all critical information is backed up. Identify critical software applications and data and the hardware required to run them. Prioritize hardware and software restoration. Document the IT disaster recovery plan as part of the business continuity plan. Test the plan periodically to make sure that it works.

Data backup

Businesses generate large amounts of data, and data files are changing throughout the workday. Loss or corruption of data could result in significant business disruption. Data backup and recovery should be an integral part of the business continuity plan and information technology disaster recovery plan. Developing a data backup strategy begins with identifying what data to back up, selecting and implementing hardware and software backup procedures, scheduling and conducting backups, and periodically validating that data has been accurately backed up.

Developing the data backup plan

Identify data on network servers, desktop computers, laptop computers and wireless devices that needs to be backed up along with other hard copy records and information. The plan should include regularly scheduled backups from wireless devices, laptop computers and desktop computers to a network server. Backing up hard copy vital records can be accomplished by scanning paper records into digital formats and allowing them to be backed up along with other digital data.

Options for data backup

Tapes, cartridges and large capacity USB drives with integrated data backup software are effective means for businesses to back up data. The frequency of backups, security of the backups and secure off-site storage should be addressed in the plan. Software installed on the client server or computer is automatically backed up. Data should be backed up as frequently as necessary to ensure that, if data is lost, the loss is not unacceptable to the business. The business impact analysis should evaluate the potential for lost data and define the "recovery point objective".
Data restoration times should be confirmed and compared with the IT and business function recovery time objectives.

Business continuity and disaster recovery planning: the basics

We rarely get advance notice that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways. This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan.
The lack of a plan doesn't just mean your organization will take longer than necessary to recover from an event or incident. Business continuity (BC) refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood or malicious attack by cybercriminals. A business continuity plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more. Many people think a disaster recovery (DR) plan is the same as a business continuity plan, but a DR plan focuses mainly on restoring an IT infrastructure and operations after a crisis.

It's actually just one part of a complete business continuity plan, as a BC plan looks at the continuity of the entire organization. The BC plan addresses these types of concerns. Note that a business impact analysis (BIA) is another part of a BC plan. A BIA identifies the impact of a sudden loss of business functions, usually quantified in a cost. Such analysis also helps you evaluate whether you should outsource non-core activities in your BC plan, which can come with its own risks. The BIA essentially helps you look at your entire organization's processes and determine which are most important.

Why business continuity planning matters

Whether you operate a small business or a large corporation, you strive to remain competitive. "There's an increase in consumer and regulatory expectations for security today," says Lorraine O'Donnell, global head of business continuity at Experian. Organizations must understand the processes within the business and the impact of the loss of these processes over time.

Anatomy of a business continuity plan

If your organization doesn't have a BC plan in place, start by assessing your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This involves six general steps:

Identify the scope of the plan.
Identify key business areas.
Identify critical functions.
Identify dependencies between various business areas and functions.
Determine acceptable downtime for each critical function.
Create a plan to maintain operations.

Guide to business continuity planning

This publication provides a summary and general guidelines for business continuity planning (BCP). Although organizations differ in goals and functions, BCP can be applied by all of them.

Trends in the world of business continuity planning

Business continuity planning versus business resumption planning and disaster recovery planning.

A disaster recovery plan deals with recovering information technology (IT) assets after a disastrous interruption. Both imply a stoppage in critical operations and are reactive. Recognizing that some services or products must be continuously delivered without interruption, there has been a shift from business resumption planning to business continuity planning. Instead of focusing on resuming a business after critical operations have ceased, or recovering after a disaster, a business continuity plan endeavors to ensure that critical operations continue to be available.

The effects of September 11, 2001

September 11, 2001 demonstrated that although high impact, low probability events could occur, recovery is possible. Even though buildings were destroyed and blocks of Manhattan were affected, businesses and institutions with good continuity plans survived. Lessons learned include:

Plans must be updated and tested frequently;
Despite shortcomings, business continuity plans in place pre-September 11 were indispensable to the continuity effort;
Increased uncertainty (following a high impact disruption such as terrorism) may lengthen the time until operations are normalized.

Continuous service delivery assurance (CSDA) is a commitment to continuous delivery of critical services that avoids immediate severe disruption to an organization. A BCP includes both risk evaluation, management and control, and effective plans, measures and arrangements for business continuity. Continuous risk management lowers the risk of disruption and assesses the potential impacts of disruptions when they occur. An example would be the business impact analysis component of a BCP.

What is business continuity planning?

Business continuity planning is a proactive planning process that ensures critical services or products are delivered during a disruption.
A business continuity plan includes:

Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and assets;
Identification of the necessary resources to support business continuity, including personnel, information, equipment, financial allocations, legal counsel and infrastructure protection.

Having a BCP enhances an organization's image with employees, shareholders and customers by demonstrating a proactive attitude. Additional benefits include improvement in overall organizational efficiency and identifying the relationship of assets and human and financial resources to critical services and deliverables.

Why is business continuity planning important?

An organization is at risk from potential disasters that include:

Natural disasters such as tornadoes, floods, blizzards and earthquakes;
Power and energy disruptions;
Communications, transportation, safety and service sector disruptions;
Environmental disasters such as pollution and hazardous materials spills;
Cyber attacks and hacker activity.

Creating and maintaining a BCP helps ensure that an institution has the resources and information needed to deal with these emergencies.

Creating a business continuity plan

Governance

A BCP contains a governance structure, often in the form of a committee, that will ensure senior management commitments and define senior management roles and responsibilities. The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of the BCP.

It also implements the BCP, coordinates activities, approves the BIA survey, oversees the creation of continuity plans and reviews the results of quality assurance activities. Senior managers or a BCP committee would normally be responsible for:

Approving the governance structure;
The creation of a list of appropriate committees, working groups and teams to develop and execute the plan;
Quality assurance activities;
Resolving conflicting interests and priorities.

The BCP committee is normally comprised of the following members:

Executive sponsor: has overall responsibility for the BCP committee; elicits senior management's support and direction; and ensures that adequate funding is available for the BCP program.
BCP coordinator: secures senior management's support; estimates funding requirements; develops BCP policy; coordinates and oversees the BIA process; ensures effective participant input; coordinates and oversees the development of plans and arrangements for business continuity; establishes working groups and teams and defines their responsibilities; coordinates appropriate training; and provides for regular review, testing and audit of the BCP.
Security officer: works with the coordinator to ensure that all aspects of the BCP meet the security requirements of the organization.
Chief information officer (CIO): cooperates closely with the BCP coordinator and IT specialists to plan for effective and harmonized continuity strategies.
Business unit representatives: provide input, and assist in performing and analyzing the results of the business impact analysis.

The BCP committee is commonly co-chaired by the executive sponsor and the coordinator.

Business impact analysis

The purpose of the BIA is to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions.

Identify the mandate and critical aspects of an organization

This step determines what goods or services must be delivered. Information can be obtained from the mission statement of the organization, and from legal requirements for delivering specific services and products.

Prioritize critical services or products

Once the critical services or products are identified, they must be prioritized based on minimum acceptable delivery levels and the maximum period of time the service can be down before severe damage to the organization results. To determine the ranking of critical services, information is required to determine the impact of a disruption to service delivery, loss of revenue, additional expenses and intangible losses.

Identify impacts of disruptions

The impact of a disruption to a critical service or business product determines how long the organization could function without the service or product, and how long clients would accept its unavailability.

Additional expenses: if a business function or process is inoperable, how long would it take before additional expenses would start to add up?

Insurance: the burden of proof when making claims lies with the policyholder and requires valid and accurate documentation. Involve an expert or an insurance team when developing the response plan.

Once all relevant information has been collected and assembled, rankings for the critical business services or products can be produced. Minimum service levels and maximum allowable downtimes are then determined.

Identify dependencies

It is important to identify the internal and external dependencies of critical services or products, since service delivery relies on those dependencies. Internal dependencies include employee availability, corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and support services such as finance, human resources, security and information technology support. External dependencies include suppliers, any external corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and any external support services such as facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, and health and safety services.

Plans for business continuity

This step consists of the preparation of detailed response/recovery plans and arrangements to ensure continuity. These plans and arrangements detail the ways and means to ensure critical services and products are delivered at minimum service levels within tolerable downtimes. Continuity plans should be made for each critical service or product.

Identifying threats and risks

Threats and risks are identified in the BIA or in a full threat-and-risk assessment. Include them in the BCP if they are relevant.

Business continuity plans

Plans for the continuity of services and products are based on the results of the BIA.

Ensure that plans are made for increasing levels of severity of impact from a disruption. If the flooding is severe, the relocation of critical parts of the business to another area until flooding subsides may be the best option. Another example would be a company that uses paper forms to keep track of inventory until computers or servers are repaired, or electrical service is restored. For other institutions, such as large financial firms, any computer disruptions may be unacceptable, and an alternate site and data replication technology must be used. The risks and benefits of each possible option for the plan should be considered, keeping cost, flexibility and probable disruption scenarios in mind.

Teams

Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities. The number and scope of teams will vary depending on the organization's size, function and structure, and can include:

Command and control teams that include a crisis management team, and a response, continuation or recovery management team;
Task oriented teams that include an alternate site coordination team, contracting and procurement team, damage assessment and salvage team, finance and accounting team, hazardous materials team, insurance team, legal issues team, telecommunications/alternate communications team, mechanical equipment team, mainframe/midrange team, notification team, personal computer/local area network team, public and media relations team, transport coordination team and vital records management team.

The duties and responsibilities for each team must be defined, and include identifying the team members and authority structure, identifying the specific team tasks, members' roles and responsibilities, creation of contact lists and identifying possible alternate members. For the teams to function in spite of personnel loss or unavailability, it may be necessary to multitask teams and provide cross-team training.

Alternate facilities

If an organization's main facility or information technology assets, networks and applications are lost, an alternate facility should be available. Hardened sites may have alternate power supplies; back-up generation capability; high levels of physical security; and protection from electronic surveillance or intrusion.

Training

Business continuity plans can be smoothly and effectively implemented by:

Having all employees and staff briefed on the contents of the BCP and aware of their individual responsibilities;
Having employees with direct responsibilities trained for the tasks they will be required to perform, and aware of other teams' functions.

Exercises

After training, exercises should be developed and scheduled in order to achieve and maintain high levels of competence and readiness. While exercises are time and resource consuming, they are the best method for validating a plan. The following items should be incorporated when planning an exercise:

The part of the BCP to be exercised;
The anticipated results. Objectives should be challenging, specific, measurable, achievable and realistic;
The departments or organizations involved, the geographical area, and the test conditions and presentation;
Which exercise aspects are artificial or assumed, such as background information, procedures to be followed, and equipment availability;
Participant instructions explaining that the exercise provides an opportunity to test procedures before an actual disruption;
A narrative that gives participants the necessary background information, sets the environment and prepares participants for action.

Participant feedback should also be incorporated in the exercise evaluation. The exercise complexity level can also be enhanced by focusing the exercise on one part of the BCP instead of involving the entire organization.

Quality assurance

Quality assurance of the BCP should assess the plan's accuracy, relevance and effectiveness. When substantive changes to the organization take place, an exercise to incorporate them should be scheduled. When auditing the BCP, consultants nominally verify:

Procedures used to determine critical services and products;
Methodology, accuracy, and comprehensiveness of continuity plans.

What to do when a disruption occurs

Disruptions are handled in three steps: response; continuation of critical services; and recovery and restoration.

Response

Incident response involves the deployment of teams, plans, measures and arrangements. Communications management requirements may necessitate building redundancies into communications systems and creating a communications plan to adequately address all requirements.

Operations

An emergency operations center (EOC) can be used to manage operations in the event of a disruption.

Having a centralized EOC where information and resources can be coordinated, managed and documented helps ensure an effective and efficient response.

Continuation of critical services

Ensure that all time-sensitive critical services or products are continuously delivered or not disrupted for longer than is permissible.

Recovery and restoration

The goal of recovery and restoration operations is to recover the facility or operation and maintain critical service or product delivery. Recovery and restoration includes:

Re-deploying personnel;
Deciding whether to repair the facility, relocate to an alternate site or build a new facility;
Acquiring the additional resources necessary for restoring business operations;
Re-establishing normal operations;
Resuming operations at pre-disruption levels.

Conclusion

When critical services and products cannot be delivered, consequences can be severe. A business continuity plan is a tool that allows institutions not only to moderate risk, but also to continuously deliver products and services despite disruption.