Business Continuity Planning, Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's business continuity planning process, and determine whether the continuity testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. These procedures will disclose the adequacy of the planning and testing process for the organization to recover, resume, and maintain operations after disruptions, ranging from minor outages to full-scale disasters.
This workprogram can be used to assess the adequacy of the business continuity planning process on an enterprise-wide basis or across a particular line of business. Depending on the examination objectives, a line of business can be selected to sample how the organization's continuity planning or testing processes work on a micro level or for a particular business function or process.
This workprogram is not intended to be an audit guide; however, it was developed to be comprehensive and assist examiners in determining the effectiveness of a financial institution's business continuity planning and testing program. Examiners may choose to use only certain components of the workprogram based upon the size, complexity, and nature of the institution's business.
The objectives and procedures are divided into Tier I and Tier II:
Tier I and Tier II objectives and procedures are intended to be a tool set examiners may use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.
TIER I OBJECTIVES AND PROCEDURES
Examination Scope
Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program.
1. Review examination documents and financial institution reports for outstanding issues or problems. Consider the following:
2. Review management's response to audit recommendations noted since the last examination. Consider the following:
3. Interview management and review the business continuity request information to identify:
4. Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following:
5. Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider.
Board and Senior Management Oversight
Objective 2: Determine the quality of business continuity plan oversight and support provided by the board and senior management.
1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions.
2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program.
3. Determine whether the board and senior management have ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit).
4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations.
5. Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes.
6. Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations.
Business Impact Analysis (BIA) and Risk Assessment
Objective 3: Determine whether an adequate BIA and risk assessment have been completed.
1. Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment.
2. Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate.
3. Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime.
4. Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third parties, including:
5. Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment.
Risk Management
Objective 4: Determine whether appropriate risk management over the business continuity process is in place.
1. Determine whether adequate risk mitigation strategies have been considered for:
2. Determine whether satisfactory consideration has been given to geographic diversity for:
3. Verify that appropriate policies, standards, and processes address business continuity planning issues including:
4. Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility.
5. Determine whether the continuity strategy addresses interdependent components, including:
6. Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following:
7. Determine whether audit involvement in the business continuity program is effective, including:
Business Continuity Planning (BCP) - General
Objective 5: Determine the existence of an appropriate enterprise-wide BCP.
1. Review and verify that the written BCP:
BCP - Hardware, Back-up and Recovery Issues
Objective 6: Determine whether the BCP includes appropriate hardware back-up and recovery.
1. Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery.
2. If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications.
3. If the organization is relying on outside facilities for recovery, determine whether the recovery site:
4. Determine how the recovery facility's customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time.
5. Determine whether the organization has a process in place to make, or verify, a corresponding change in each alternate recovery location whenever a change (e.g. a hardware or software upgrade or modification) occurs in the production environment.
6. Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s).
BCP - Security Issues
Objective 7: Determine that the BCP includes appropriate security procedures.
1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed.
2. Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility.
3. Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used.
4. Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable.
5. Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access.
6. Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities.
BCP - Pandemic Issues
Objective 8: Determine whether the BCP effectively addresses pandemic issues.
1. Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution's pandemic preparedness program.
2. Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering.
3. Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization:
4. Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis.
5. Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak.
6. Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues:
7. Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic.
8. Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods.
9. Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic.
10. Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic.
11. Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include:
BCP - Outsourced Activities
Objective 9: Determine whether the BCP addresses critical outsourced activities.
1. Determine whether the BCP addresses communications and connectivity with technology service providers (TSPs) in the event of a disruption at the institution.
2. Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the service provider's facilities.
3. Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption.
4. Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans.
5. Determine whether management has received and reviewed testing results of their TSPs.
6. When testing with the critical service providers, determine whether management considered testing:
7. Determine whether institution management has assessed the adequacy of the TSPs' business continuity program through their vendor management program (e.g. contract requirements, third-party reviews).
Risk Monitoring and Testing
Objective 10: Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives.
Testing Policy
1. Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management.
2. Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program.
3. Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity.
Testing Strategy
1. Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including:
2. Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives.
3. Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties.
4. Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines.
5. Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting.
6. Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including:
7. Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel.
Execution, Evaluation, and Re-Testing
1. Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data).
2. Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented.
3. Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor).
4. Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures.
Testing Expectations for Core Firms and Significant Firms
Note: The following testing expectations only apply to core and significant firms as defined by interagency guidelines.
Core firms are defined as organizations that perform core clearing and settlement activities in critical financial markets. Significant firms are defined as organizations that process a significant share of transactions in critical financial markets.
For core and significant firms:
1. Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards.
2. Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards.
3. Determine whether core and significant firms' strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities.
4. Determine that back-up sites are able to support typical payment and settlement volumes for an extended period.
5. Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites.
6. Determine whether the tests validate the core and significant firms' back-up arrangements to ensure that:
7. Determine that the test assumptions are appropriate for core and significant firms and consider:
For core firms:
8. Determine whether the core firm's testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame.
For significant firms:
9. Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers.
10. Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites.
11. Determine whether the significant firm meets the testing requirements of applicable core firms.
12. Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that test the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.
Conclusions
Objective 11: Discuss corrective action and communicate findings.
1. From the procedures performed:
2. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:
3. Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies.
4. Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the report of examination.
5. Organize and document your work papers to ensure clear support for significant findings and conclusions.
TIER II OBJECTIVES AND PROCEDURES
Tier II objectives and examination procedures may be used to provide additional verification of the effectiveness of business continuity planning or identify potential root causes for weaknesses in the business continuity program. These procedures may be used in their entirety or selectively, depending on the scope of the examination and the need for additional verification. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while reviewing various issues found in other work programs.
The procedures provided in this section should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risk profile of the institution. Therefore, the controls necessary for any single institution or any given area may differ from those noted in the following procedures.
Objective 1: Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption:
Event Scenarios
1. Determine whether the strategy addresses staffing considerations, including:
2. Determine whether the strategy addresses technology considerations, including:
3. Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including:
Test Planning
Objective 2: Determine if test plans adequately complement testing strategies.
Scenarios - Test Content
1. Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time.
2. Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including:
3. Determine that test scenarios reflect key interdependencies. Consider the following:
Plans: How the Institution Conducts Testing
1. Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: