| Booklet:
Business
Continuity Planning
Section: Other Policies, Standards and Processes Subsection: |
|||||||||||||||||||||||||||
Action Summary
Security standards should be an integral part of the entire business continuity planning process. During a disaster, security becomes very important due to potential changes in the working environment, personnel, and equipment. Consequently, different security risks will emerge that should be considered during the risk assessment process. Ultimately, mitigating strategies should incorporate the various risks identified to ensure that adequate security controls are in place if an event triggers the implementation of the BCP. Additionally, security standards should be incorporated into the BCP training and testing program.
Project management should incorporate business continuity considerations. Evaluating business continuity needs during the planning stages of a project will allow management to determine compliance with business continuity requirements prior to implementation and to make adjustments in acquisition or development plans accordingly. In addition, advance project planning facilitates the development of a more robust system that supports the institutions business strategy and business continuity objectives. During the project initiation stage, project plans should address the following issues at a minimum:
- Business unit requirements for resumption and recovery alternatives;
- Information on back-up and storage;
- Hardware and software requirements at recovery locations;
- Maintenance of documentation supporting project decisions;
- Disaster recovery testing; and
- Staffing and facilities.
To maintain the viability of the BCP, change control policies should address potential changes to the operating environment. When a change is made to an application, operating system, or utility in the production environment, a methodology should exist to ensure that all back-up copies of those systems are also updated. In addition, if a new or changed system is implemented and results in new hardware, new capacity requirements, or other technology changes, management should ensure that the BCP is updated and the recovery site can support the new production environment. Change control policies should also allow for changes to be implemented quickly in the event of an emergency; however, these changes should still be properly monitored and documented.
Data Synchronization Procedures
Data synchronization processes should include business continuity considerations due to the potential challenges that emerge when dealing with an active environment. The larger or more complex an institution is (i.e., shorter acceptable operational outage period, greater volume of data, and greater distances between primary and back-up locations), the more difficult synchronization can become. If back-up copies are produced as of the close of a business day and a disruption occurs relatively late the next business day, all the transactions that took place after the back-up copies were made would have to be recreated, perhaps manually, in order to synchronize the recovery site with the primary site. In some situations, the data latency may be seconds, minutes or even hours; therefore, reconciliation procedures should be established to ensure that post-disaster data is accurate. Additionally, testing of contingency arrangements is critical to ensure that data can be synchronized with the primary work environment within a reasonable amount of time.
Business continuity planning should include the development of a crisis management team and crisis management process. The crisis management team is typically responsible for the actual declaration of an event, and its duties internally are to implement the BCP and externally to deal with outside agencies, government offices, and emergency communications. The team should include a cross section of individuals from various departments throughout the financial institution, including senior management (decision making), facilities management (locations and safety), human resources (personnel issues and travel), marketing (media contact), finance/accounting (funds disbursement and financial decisions), and any other area appropriate for the institution. The key to a good crisis management team is in the planning. Individuals should be able to make instantaneous decisions, possibly based on limited information, often without the support of others. Each recovery scenario requires a specific media plan and notification plan as well. The BCP allows the institution to recover critical business operations, and the crisis management team deals with the crisis at hand. A crisis management test can be used to validate the overall process, including disaster declaration and escalation procedures.
Every financial institution should develop an incident response policy that is properly integrated into the business continuity planning process. A security incident represents the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data. If unauthorized access occurs, the financial institution’s computer systems could potentially fail and confidential information could be compromised. In the event of a security incident, management must decide how to properly protect information systems and confidential data while also maintaining business continuity. Management’s ultimate goal should be to minimize damage to the institution and its customers through containment of the incident and proper restoration of information systems. A key element of incident response involves assigning responsibility for evaluating, responding, and managing security incidents and developing guidelines for employees to follow regarding escalation and reporting procedures. Management should determine who will be responsible for declaring an incident and restoring affected computer systems once the incident is resolved. Individuals who are assigned this responsibility should have the expertise and training necessary to quickly respond in an appropriate manner. Financial institutions should assess the adequacy of their preparation by testing incident response guidelines to ensure that the procedures correspond with business continuity strategies.
Remote access policies and standards should be established as an important part of BCP implementation. In the event of a disaster, personnel may be able to work from a remote location and vendors may be allowed remote access to back-up facilities. As such, remote access guidelines should be developed addressing acceptable configuration and software requirements for certain remote devices that may introduce security risks. Remote access policies should address various security guidelines including prior management approval requirements, controls for third-party access, and virus controls. If employees are allowed to use personal computers for remote access during a disaster, management should ensure that only secure connections are used e.g., VPN. In addition, clear guidance should be established and disseminated to employees regarding appropriate procedures to follow when accessing or transmitting confidential information from a remote location.
Financial institutions should provide business continuity training for personnel to ensure that all parties are aware of their primary and back-up responsibilities should a disaster occur. Key employees should be involved in the business continuity development process as well as periodic tests and training exercises. The training program should incorporate enterprise-wide training as well as specific training for individual business units. Employees should be aware of which conditions call for implementing all or parts of the BCP, who is responsible for implementing the BCP for business units and the institution, and what to do if these key employees are not available at the time of a disaster. Cross training should be used to anticipate restoring operations in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.
Formal notification standards should be developed and integrated into the business continuity planning process. Various communication methods, such as pagers, satellite phones, cell phones, e-mail, or two-way radios, can be used to promptly notify employees and applicable third parties of a disaster situation. Comprehensive notification standards should address the maintenance and distribution of contact lists that include primary phone numbers, emergency phone numbers, e-mail addresses, and physical addresses of institution personnel, vendors, emergency services, transportation companies, and regulatory agencies. As part of this process, employee evacuation plans should be documented to ensure that financial institution management knows where employees plan to relocate and how to contact employees during an emergency. Reporting or calling locations should also be established to ensure that institution personnel are accounted for and that employees are trained to understand post-disaster communication procedures.
Various methods can be used to distribute this information, such as wallet cards, Intranet postings, e-mail messages, cell phone text messages, and calling trees. Many financial institutions work with their human resources departments to ensure that accurate contact records are properly updated and that personal information is securely maintained. Management should ensure that contact information is readily accessible during a disaster by maintaining copies at off-site locations.
Notification standards should also include an awareness program to ensure that customers, service providers, and regulators know how to contact the institution if normal communication channels are inoperable. Financial institution management should designate a media contact to communicate with these outside parties and employees should be properly trained to refer any inquiries to appropriate personnel.
Insurance is an important component of the business continuity planning process. While insurance is not a substitute for an effective BCP, it may allow management to recover losses that cannot be completely prevented and expenses related to recovering from a disaster. Generally, insurance coverage is obtained for risks that cannot be entirely controlled, yet represent a potential for financial loss or other disastrous consequences. While the decision to obtain insurance is based on several factors, one consideration should be the probability and degree of loss identified during the BIA. Financial institutions should determine potential exposure based on various exclusions, deductibles, limits, and riders. Available insurance options should be reviewed to ensure that appropriate insurance coverage is provided given the risk profile of the institution. Institutions should perform an annual insurance review to ensure that the level and types of coverage are commercially reasonable and consistent with any legal, management, and board requirements.
Insurance can reimburse an institution for some or all of the financial losses incurred as the result of a disaster or other significant event. To facilitate the claims process, institutions should create and retain a comprehensive hardware and software inventory list in a secure off-site location and detailed expenses should be documented to support insurance claims.
An institution should establish an on-going relationship with community and government officials and the news media to ensure the successful implementation of the BCP. Since financial institutions must often compete with the restoration of other critical components in the area, some institutions and emergency staff located in close geographic proximity have formed coalitions to discuss business continuity planning issues and to facilitate critical infrastructure planning efforts. Ideally, these relationships should be initially established during the planning or testing phases of business continuity planning so institution management understands the proper protocol required if a citywide or region-wide event affects the institution’s operations. Financial institutions are encouraged to contact state and local authorities during the risk assessment process to inquire about specific risks or exposures for all their geographic locations and special requirements for accessing emergency zones. During the recovery phase, facilities access and the availability of power and telecommunications systems should be coordinated with various entities to ensure timely resumption of operations. Facilities access should be coordinated with the police and fire department, local and state government agencies, and, depending on the nature and extent of the disaster, possibly the Federal Emergency Management Agency (FEMA).