Booklet: Outsourcing Technology Services
Section: Related Topics
Subsection: Business Continuity Planning

Action Summary
Each financial institution should have an effective business continuity
plan as outlined in the IT Handbook’s “Business Continuity
Planning Booklet.” The financial institution should also establish
ongoing effective business continuity monitoring programs to ensure TSPs
adequately control the risks, including information security aspects,
associated with the technology services provided. The financial institution
has responsibility not only for those portions of the business continuity
program performed in-house, but also for any portions of the plan developed
by a service provider or otherwise outsourced. Financial institutions
should consider TSP-related business continuity programs when developing
internal plans and programs.
The outsourcing risk management program should identify, for Business
Continuity Planning (BCP) purposes, the specific responsibilities of all
parties, particularly in the areas of information security and business
continuity planning. Financial institutions must also consider which of
their critical financial services rely on TSP services, including key
telecommunication and network service providers.
The institution should understand all relevant service provider business
continuity requirements, incorporate those requirements within its own
business continuity plan, and ensure the service provider tests its plan
annually. Management should require the service provider to report all
test plan results and to notify the institution after any business continuity
plan modifications. The institution should integrate the provider’s
business continuity plan into its own plan, communicate functions to the
appropriate personnel, and maintain and periodically review the combined
plan.
Many financial institutions rely on outside data processing providers,
and any extended interruption or termination of service can disrupt normal
operations. Termination of services should occur according to the terms
of the service contract, but can result from unanticipated events.
If the provider complies with basic industry standards and maintains an
effective business continuity plan, disruption of services should be minimal
and the contract will remain intact. The business continuity plan should
require the provider to maintain current data files and programs at an
alternative site and arrange for processing at another location. At a
minimum, these provisions should allow the provider to process the most
important data applications. The institution’s business continuity
plan, which should complement the provider’s plan, is an essential
recovery tool when disruption occurs with minimal advance notice.
Events that can cause interruption in the availability of an institution’s
technology include natural disasters, accidents, software errors, hardware
failure, utility outages, and social, political, and economic instability.
Even with an outsourcing arrangement, the institution should ensure appropriate
backup provisions have been established for its critical data and related
processing functions. Effective backup procedures will allow the institution
to continue processing applications in the event the data communication
system fails. Numerous options are available for management to consider,
such as using batch rather than real-time processing methods, operating
PCs in an offline mode, capturing data at the controller if transmission
lines are lost, or altering communication links through redundant data
communication lines, backup modems, or rerouted circuits from the local
telephone carrier. Institutions that perform data capture or other functions
in-house should address alternative sites or other means in their backup
plan to recover or continue these functions.
Regardless of the method used, an institution should have a comprehensive
backup plan with procedures that detail how to obtain and use personnel
and equipment. Institutions should test backup capabilities periodically
to ensure protection is available and employees are familiar with the
plan.
With respect to monitoring and maintaining business continuity plans,
institutions should:
- Regularly review the business continuity plans of the service provider or
  vendor to ensure any services considered "mission critical" for the
  financial institution could be restored within an acceptable timeframe.
- Review the service provider's program for contingency plan testing. For
  critical services, annual or more frequent tests of the contingency plan
  are required.
- Assess service provider/vendor interdependencies for mission critical
  services and applications.