Back

North America > US Federal Financial Institutions Examination Council (FFIEC)

FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015



AD ID

0002861

AD STATUS

FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015

ORIGINATOR

US Federal Financial Institutions Examination Council (FFIEC)

TYPE

Audit Guideline

AVAILABILITY

Free

SYNONYMS

FFIEC Business Continuity Planning Handbook 2015

FFIEC Business Continuity Planning (BCP) IT Examination Handbook

EFFECTIVE

2015-02-01

ADDED

The document as a whole was last reviewed and released on 2018-01-23T00:00:00-0800.

AD ID

0002861

AD STATUS

Free

ORIGINATOR

US Federal Financial Institutions Examination Council (FFIEC)

TYPE

Audit Guideline

AVAILABILITY

SYNONYMS

FFIEC Business Continuity Planning Handbook 2015

FFIEC Business Continuity Planning (BCP) IT Examination Handbook

EFFECTIVE

2015-02-01

ADDED

The document as a whole was last reviewed and released on 2018-01-23T00:00:00-0800.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
252 Mandated Controls - bold    
123 Implied Controls - italic     1085 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
1460 Total
  • Acquisition or sale of facilities, technology, and services
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Business Processes Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Business Processes Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Technical Security Preventive
    Protect the integrity of application service transactions. CC ID 12017
    [Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2]
    Business Processes Preventive
  • Audits and risk management
    272
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3]
    Testing Detective
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2]
    Testing Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199
    [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3]
    Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200
    [{matters requiring attention}Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 2
    Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the report of examination. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:4
    Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: The potential impact of your conclusions on composite and component ratings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 3
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:5]
    Establish/Maintain Documentation Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [Interview management and review the business continuity request information to identify: Any material changes in the audit program, scope, or schedule related to business continuity activities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 2]
    Establish/Maintain Documentation Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5]
    Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038
    [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5]
    Records Management Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986
    [Review management's response to audit recommendations noted since the last examination. Consider the following Resolution of root causes rather than just specific audit deficiencies; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 2]
    Testing Detective
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior regulatory reports of examination; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 2
    Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Pre-examination planning memos; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 1
    {work paper}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior examination workpapers; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 3]
    Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620
    [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3]
    Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [{internal audit report}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Internal and external audit reports, including third-party reports; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 4
    {internal audit report}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Internal and external audit reports, including third-party reports; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 4]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117
    [Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1
    Review management's response to audit recommendations noted since the last examination. Consider the following: Existence of any outstanding issues; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 3
    Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Violations of law, rulings, regulations; TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 1]
    Establish/Maintain Documentation Detective
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [Review management's response to audit recommendations noted since the last examination. Consider the following Adequacy and timing of corrective action; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1
    Review management's response to audit recommendations noted since the last examination. Consider the following Adequacy and timing of corrective action; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1
    Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13
    Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3
    Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3]
    Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [Review management's response to audit recommendations noted since the last examination. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159
    [Determine whether audit involvement in the business continuity program is effective, including: Audit coverage of the business continuity program; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 1]
    Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622
    [Determine whether audit involvement in the business continuity program is effective, including: Documentation of audit findings TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 4]
    Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Business Processes Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659 Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and Risk Management Preventive
    Include regular updating in the risk management system. CC ID 14990 Business Processes Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209 Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Supplies; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 2]
    Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217
    [Determine whether management has considered the possibility of transferring critical aspects of the institution's operation to alternate backup providers or other industry participants to ensure continuity of operations in extreme situations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:4]
    Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 4]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [Determine whether the financial institution's and TSP's risk management strategies are designed to achieve resilience, such as the ability to effectively respond to wide-scale disruptions, including cyber attacks and attacks on multiple critical infrastructure sectors. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10]
    Establish/Maintain Documentation Preventive
    Address past incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Human Resources Management Detective
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and Risk Management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Establish/Maintain Documentation Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Communicate Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Communicate Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Acquisition/Sale of Assets or Services Corrective
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903
    [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Large scale disruptive events that could affect the ability to service clients; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 1
    {state-of-the-art}Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Significant downtime that would threaten the financial institution's business resiliency. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 3
    {state-of-the-art}Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Cyber events that could impact the ability to service clients; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 2]
    Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4]
    Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 2
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4]
    Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5]
    Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3
    Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Pandemics. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 4]
    Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [{risk profile}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6]
    Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147
    [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3
    Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5]
    Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Establish/Maintain Documentation Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219
    [{continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4]
    Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3
    Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Communicate Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2]
    Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment]
    Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 3]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468
    [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7
    {internal threat}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Internally identified threats; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 2]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [{external threat} Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 3]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 1]
    Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment]
    Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271 Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Establish/Maintain Documentation Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Establish/Maintain Documentation Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and Risk Management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Communicate Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [{risk profile}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6]
    Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195 Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and Risk Management Preventive
    Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Communicate Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Communicate Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Communicate Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Establish/Maintain Documentation Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Establish/Maintain Documentation Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Establish/Maintain Documentation Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
  • Human Resources management
    24
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Establish Roles Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine the quality of business continuity plan oversight and support provided by the board and senior management. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2
    {BCP and testing program} Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:2
    {board committee} Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution's pandemic preparedness program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:1]
    Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118
    [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1]
    Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6]
    Human Resources Management Preventive
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Establish Roles Preventive
    Implement a staff rotation plan. CC ID 12772 Human Resources Management Preventive
    Rotate duties amongst the critical roles and positions. CC ID 06554
    [{business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4]
    Establish Roles Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5
    {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4]
    Behavior Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Business Processes Preventive
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 Establish/Maintain Documentation Preventive
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073
    [Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Provide protective face masks for critical personnel, as necessary. CC ID 06803
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Human Resources Management Preventive
    Establish, implement, and maintain an insider threat program. CC ID 10687
    [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7]
    Human Resources Management Preventive
  • Leadership and high level objectives
    40
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    {configuration change}{component change}Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3]
    Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942 Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [Interview management and review the business continuity request information to identify: Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 1]
    Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Establish Roles Detective
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5]
    Establish/Maintain Documentation Detective
    Establish, implement, and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Establish/Maintain Documentation Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909
    [{business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Crisis management decision process; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 3]
    Process or Activity Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process]
    Establish/Maintain Documentation Preventive
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630
    [{test strategy} Determine if test plans adequately complement testing strategies. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2]
    Business Processes Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1]
    Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Communicate Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Establish/Maintain Documentation Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Establish/Maintain Documentation Preventive
    Include material contingencies in the financial statement. CC ID 16596 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Establish/Maintain Documentation Preventive
    Include assets and liabilities in the call report. CC ID 16729 Establish/Maintain Documentation Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Communicate Preventive
  • Monitoring and measurement
    217
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Monitor the usage and capacity of critical assets. CC ID 14825 Monitor and Evaluate Occurrences Detective
    Monitor the usage and capacity of Information Technology assets. CC ID 00668
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Data centers and computer operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Data centers and computer operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Back-room operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 2
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to handle increased workloads supporting critical operations for extended periods. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 8
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2]
    Monitor and Evaluate Occurrences Detective
    Monitor all outbound traffic from all systems. CC ID 12970 Monitor and Evaluate Occurrences Preventive
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 Behavior Detective
    Monitor systems for errors and faults. CC ID 04544
    [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8]
    Monitor and Evaluate Occurrences Detective
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 Communicate Corrective
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225
    [{BCP and testing program} Determine whether the financial institution and service provider consider their susceptibility to simultaneous attacks in their business resilience planning, testing, and recovery strategies. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:6]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798 Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitor and Evaluate Occurrences Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Log Management Detective
    Establish, implement, and maintain event logging procedures. CC ID 01335 Log Management Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Log Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about filing Suspicious Activity Reports (SARs); TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 6]
    Establish/Maintain Documentation Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Establish/Maintain Documentation Preventive
    Monitor and evaluate system performance. CC ID 00651
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Establish/Maintain Documentation Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494
    [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5]
    Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660 Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664
    [{corresponding} Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Full-scope, end-to-end testing with a frequency commensurate with complexity and risk; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 1
    {full-scale test}{end-to-end testing} Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing is full-scale and end-to-end; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 1
    {full-scale test}{end-to-end testing} Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing is full-scale and end-to-end; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 1]
    Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071
    [From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5]
    Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a testing program. CC ID 00654
    [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Behavior Preventive
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Establish/Maintain Documentation Preventive
    Conduct Red Team exercises, as necessary. CC ID 12131 Technical Security Detective
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Establish/Maintain Documentation Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220 Establish/Maintain Documentation Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Communicate Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Establish/Maintain Documentation Preventive
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Communicate Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [{business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7]
    Technical Security Detective
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Human Resources Management Preventive
    Document improvement actions based on test results and exercises. CC ID 16840 Establish/Maintain Documentation Preventive
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Testing Detective
    Define the test requirements for each testing program. CC ID 13177
    [Determine whether the institution relies on proxy testing. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:8
    From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5
    From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Establish/Maintain Documentation Preventive
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Testing Preventive
    Test the in scope system in accordance with its intended purpose. CC ID 14961 Testing Preventive
    Perform network testing in accordance with organizational standards. CC ID 16448 Testing Preventive
    Test user accounts in accordance with organizational standards. CC ID 16421 Testing Preventive
    Identify risk management measures when testing in scope systems. CC ID 14960 Process or Activity Detective
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Establish/Maintain Documentation Preventive
    Scan organizational networks for rogue devices. CC ID 00536 Testing Detective
    Scan the network for wireless access points. CC ID 00370 Testing Detective
    Document the business need justification for authorized wireless access points. CC ID 12044 Establish/Maintain Documentation Preventive
    Scan wireless networks for rogue devices. CC ID 11623 Technical Security Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Testing Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Technical Security Corrective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitor and Evaluate Occurrences Corrective
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Configuration Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Configuration Corrective
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032 Establish/Maintain Documentation Preventive
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 Communicate Preventive
    Create technical documentation assessment certificates in an official language. CC ID 15110 Establish/Maintain Documentation Preventive
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Testing Preventive
    Perform conformity assessments, as necessary. CC ID 15095 Testing Detective
    Define the test frequency for each testing program. CC ID 13176 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Technical Security Detective
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Establish/Maintain Documentation Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Communicate Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Align the penetration test program with industry standards. CC ID 12469 Establish/Maintain Documentation Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Establish Roles Preventive
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Testing Preventive
    Retain penetration test results according to internal policy. CC ID 10049 Records Management Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Records Management Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Testing Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Testing Corrective
    Perform penetration tests, as necessary. CC ID 00655 Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470 Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Process or Activity Preventive
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for cross-site request forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Repeat penetration testing, as necessary. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652 Testing Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Testing Detective
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Establish/Maintain Documentation Preventive
    Include facilities in the business line testing strategy. CC ID 13253
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3]
    Establish/Maintain Documentation Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Technical Security Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646 Testing Detective
    Identify and document security vulnerabilities. CC ID 11857
    [{technology vulnerability}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Technological and security vulnerabilities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 1
    Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4
    Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4]
    Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Communicate Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Technical Security Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282 Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828 Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
    Test the system for unvalidated input. CC ID 01318 Testing Detective
    Test the system for proper error handling. CC ID 01324 Testing Detective
    Test the system for insecure data storage. CC ID 01325 Testing Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Testing Detective
    Approve the vulnerability management program. CC ID 15722 Process or Activity Preventive
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Establish Roles Preventive
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Technical Security Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Technical Security Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Testing Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Testing Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Testing Detective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Configuration Detective
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Technical Security Corrective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Configuration Corrective
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Establish/Maintain Documentation Corrective
    Correct or mitigate vulnerabilities. CC ID 12497 Technical Security Corrective
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Technical Security Corrective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663
    [Determine examination scope and objectives for reviewing the business continuity planning program. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1]
    Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a corrective action plan. CC ID 00675 Monitor and Evaluate Occurrences Detective
    Include monitoring in the corrective action plan. CC ID 11645
    [Review management's response to audit recommendations noted since the last examination. Consider the following: Monitoring systems used to track the implementation of recommendations on an on- going basis TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 4]
    Monitor and Evaluate Occurrences Detective
  • Operational and Systems Continuity
    301
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Involve auditors in reviewing and testing the business continuity program. CC ID 13211
    [Determine whether audit involvement in the business continuity program is effective, including: Audit participation in testing as an observer and as a reviewer of test plans and results; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 3
    {business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3
    {business continuity test process}{business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3]
    Testing Detective
    Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212
    [Determine whether audit involvement in the business continuity program is effective, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11]
    Investigate Detective
    Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218
    [{assess}Determine whether audit involvement in the business continuity program is effective, including: Assessment of business continuity preparedness during line(s) of business reviews; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 2]
    Investigate Detective
    Establish, implement, and maintain a business continuity policy. CC ID 12405
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the business continuity policy. CC ID 14237 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the business continuity policy. CC ID 14235 Establish/Maintain Documentation Preventive
    Include management commitment in the business continuity policy. CC ID 14233 Establish/Maintain Documentation Preventive
    Include the scope in the business continuity policy. CC ID 14231 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the business continuity policy. CC ID 14190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 Communicate Preventive
    Include the purpose in the business continuity policy. CC ID 14188 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business continuity testing policy. CC ID 13235
    [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Establish/Maintain Documentation Preventive
    Include testing cycles and test scope in the business continuity testing policy. CC ID 13236
    [{business continuity testing policy} Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 3]
    Establish/Maintain Documentation Preventive
    Include documentation requirements in the business continuity testing policy. CC ID 14377 Establish/Maintain Documentation Preventive
    Include reporting requirements in the business continuity testing policy. CC ID 14397 Establish/Maintain Documentation Preventive
    Include test requirements for crisis management in the business continuity testing policy. CC ID 13240
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Establish/Maintain Documentation Preventive
    Include test requirements for support functions in the business continuity testing policy. CC ID 13239
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Establish/Maintain Documentation Preventive
    Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Establish/Maintain Documentation Preventive
    Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Establish/Maintain Documentation Preventive
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257
    [{business continuity testing strategy}{bcp and testing program} Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 5]
    Establish/Maintain Documentation Preventive
    Include data recovery in the business continuity testing strategy. CC ID 13262
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Include testing critical applications in the business continuity testing strategy. CC ID 13261
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265
    [{test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 2
    {test strategy}{predetermined time frame} Determine whether the core firm's testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 8]
    Testing Detective
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to reconcile transaction data; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 3
    Determine that the test assumptions are appropriate for core and significant firms and consider: Whether continuity arrangements continue to operate until all pending transactions are closed. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 6]
    Establish/Maintain Documentation Preventive
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5]
    Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908 Establish/Maintain Documentation Preventive
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Systems Continuity Detective
    Include network security in the scope of the continuity framework. CC ID 16327 Establish/Maintain Documentation Preventive
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Establish/Maintain Documentation Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Records Management Preventive
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Establish/Maintain Documentation Preventive
    Include business units in the scope of the continuity framework. CC ID 11898
    [Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:3]
    Establish/Maintain Documentation Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Establish/Maintain Documentation Preventive
    Include information security continuity in the scope of the continuity framework. CC ID 12009
    [{take into account}Review and verify that the written BCP: Take(s) into account: Security; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 7
    Determine that the BCP includes appropriate security procedures. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Security; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 1
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Systems Continuity Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Systems Continuity Preventive
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Establish/Maintain Documentation Preventive
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Interview management and review the business continuity request information to identify: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a shelter in place plan. CC ID 16260 Establish/Maintain Documentation Preventive
    Designate safe rooms in the shelter in place plan. CC ID 16276 Establish/Maintain Documentation Preventive
    Include Quality Management in the continuity framework. CC ID 12239 Establish/Maintain Documentation Preventive
    Establish and maintain a system continuity plan philosophy. CC ID 00734 Establish/Maintain Documentation Preventive
    Define the executive vision of the continuity planning process. CC ID 01243
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    {business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2]
    Establish/Maintain Documentation Preventive
    Include a pandemic plan in the continuity plan. CC ID 06800
    [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5
    {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4
    {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4
    Determine whether the BCP effectively addresses pandemic issues. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A documented strategy that provides for scaling the institution's pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733
    [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Roles and responsibilities of crisis management group members; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 1
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2
    {business continuity testing policy} Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 2]
    Establish Roles Preventive
    Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 Systems Continuity Preventive
    Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761
    [Determine whether adequate risk mitigation strategies have been considered for: Preparation for return to normal operations once the permanent facilities are available. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 6]
    Establish/Maintain Documentation Preventive
    Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 Systems Continuity Corrective
    Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Monitor and Evaluate Occurrences Detective
    Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 Communicate Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {impact analysis}{service interruption} Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:7
    {internal factor}Interview management and review the business continuity request information to identify: Any other internal or external factors that could affect the business continuity process. TTIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 5]
    Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    [business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    [business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine the existence of an appropriate enterprise-wide BCP. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5
    Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define the conditions under which the back-up site would be used; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 4]
    Systems Continuity Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Establish/Maintain Documentation Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Human Resources Management Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 2
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: : Trained employees are located at the back-up site at the time of disruption; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 1
    Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8
    {unavailability} Determine that the test assumptions are appropriate for core and significant firms and consider: Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 2
    {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4
    Determine whether the strategy addresses staffing considerations, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate staff; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 4]
    Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Include the continuity strategy in the continuity plan. CC ID 13189
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1]
    Establish/Maintain Documentation Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6
    From the procedures performed: Document conclusions related to the quality and effectiveness of the business continuity process. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 2]
    Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1]
    Establish/Maintain Documentation Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Process or Activity Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Monitor and Evaluate Occurrences Detective
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9]
    Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Crisis management (responsibility for disaster declaration and dealing with outside parties); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 5
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution's staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Include procedures for notifying the back-up site; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 5]
    Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167
    [{primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1]
    Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169
    [Determine whether adequate risk mitigation strategies have been considered for: Recovery of data (e.g. backlogged transactions, reconciliation procedures); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 5
    Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1
    Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    {third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4
    Determine whether adequate risk mitigation strategies have been considered for: BCP; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 3
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: According to its priority ranking in the risk assessment; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 1
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering long-term recovery arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering interdependencies among systems; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 2
    {data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Establish, implement, and maintain organizational facility continuity plans. CC ID 02224
    [{take into account}Review and verify that the written BCP: Take(s) into account: Facilities; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 5
    If the organization is relying on outside facilities for recovery, determine whether the recovery site: Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 3]
    Establish/Maintain Documentation Preventive
    Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 Systems Continuity Detective
    Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 Configuration Preventive
    Install and maintain redundant power supplies for critical facilities. CC ID 06355 Configuration Preventive
    Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 Physical and Environmental Protection Preventive
    Install and maintain dedicated power lines to critical facilities. CC ID 06357 Physical and Environmental Protection Preventive
    Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 Configuration Preventive
    Install electro-magnetic shielding around all electrical cabling. CC ID 06358 Physical and Environmental Protection Preventive
    Install electrical grounding equipment. CC ID 06359 Physical and Environmental Protection Preventive
    Implement redundancy in life-safety systems. CC ID 02228 Physical and Environmental Protection Preventive
    Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735
    [{internal business process}Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5]
    Establish/Maintain Documentation Preventive
    Include emergency operating procedures in the continuity plan. CC ID 11694
    [{emergency procedure} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Explain actions to be taken in specific emergencies; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 3]
    Establish/Maintain Documentation Preventive
    Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process]
    Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689
    [{internal business process}Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5]
    Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684 Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241
    [{business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2
    {business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2]
    Systems Continuity Preventive
    Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 Systems Continuity Preventive
    Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 Configuration Corrective
    Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4]
    Establish/Maintain Documentation Preventive
    Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 Process or Activity Corrective
    Define and prioritize critical business records. CC ID 11687 Establish/Maintain Documentation Preventive
    Identify all critical business records. CC ID 00737 Records Management Detective
    Include the protection of personnel in the continuity plan. CC ID 06378
    [{take into account} Review and verify that the written BCP: Take(s) into account: Personnel; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical personnel list. CC ID 00739 Establish/Maintain Documentation Detective
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to relocate or engage staff from alternate sites; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 5]
    Human Resources Management Preventive
    Define the triggering events for when to activate the pandemic plan. CC ID 06801 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8
    Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8
    Determine whether the continuity strategy addresses interdependent components, including: Key suppliers/business partners; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 4]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1
    {technology service provider}Determine whether the continuity strategy addresses interdependent components, including: Third-party technology providers; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 3]
    Behavior Preventive
    Establish, implement, and maintain a critical resource list. CC ID 00740 Establish/Maintain Documentation Detective
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741
    [{third party service providers} Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8
    {third party service providers} Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8]
    Establish/Maintain Documentation Preventive
    Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 Establish/Maintain Documentation Preventive
    Include workstation continuity procedures in the continuity plan. CC ID 01378 Establish/Maintain Documentation Preventive
    Include server continuity procedures in the continuity plan. CC ID 01379
    [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7]
    Establish/Maintain Documentation Preventive
    Include website continuity procedures in the continuity plan. CC ID 01380 Establish/Maintain Documentation Preventive
    Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 Data and Information Management Preventive
    Include near-line capabilities in the continuity plan. CC ID 01383 Establish/Maintain Documentation Preventive
    Include online capabilities in the continuity plan. CC ID 11690 Establish/Maintain Documentation Preventive
    Include mainframe continuity procedures in the continuity plan. CC ID 01382 Establish/Maintain Documentation Preventive
    Include telecommunications continuity procedures in the continuity plan. CC ID 11691
    [Determine whether the continuity strategy addresses interdependent components, including: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 2
    {voice service}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of telephony and electronic messaging due to the convergence of voice and data services on the same network; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 2
    {data communication} Determine whether the financial institution and service provider are considering al- ternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include system continuity procedures in the continuity plan. CC ID 01268
    [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8]
    Establish/Maintain Documentation Preventive
    Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743
    [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6
    Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4
    {data communication} Determine whether the financial institution and service provider are considering al- ternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3]
    Establish/Maintain Documentation Detective
    Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 Establish/Maintain Documentation Preventive
    Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 Establish/Maintain Documentation Preventive
    Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 Establish/Maintain Documentation Preventive
    Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397
    [{one}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Reliance upon a single communications provider; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 1]
    Testing Detective
    Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 5
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 3
    {alternate facility}Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Telecommunications and remote computing. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 4
    {alternate facility}Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Telecommunications and remote computing. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 4]
    Testing Detective
    Require telecommunications service providers to have adequate continuity plans. CC ID 01400 Testing Detective
    Include emergency power continuity procedures in the continuity plan. CC ID 01254
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate power supplies (e.g. uninterruptible power source, back-up generators); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 4
    Determine whether the continuity strategy addresses interdependent components, including: Utilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include evacuation procedures in the continuity plan. CC ID 12773 Systems Continuity Preventive
    Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374
    [{take into account}Review and verify that the written BCP:Take(s) into account: Manual operating procedures. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 9]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 Physical and Environmental Protection Corrective
    Designate an alternate facility in the continuity plan. CC ID 00742 Establish/Maintain Documentation Detective
    Separate the alternate facility from the primary facility through geographic separation. CC ID 01394
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate facilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate processing locations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 2
    Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 5]
    Physical and Environmental Protection Preventive
    Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250
    [{take into account}Review and verify that the written BCP: Take(s) into account: Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 3
    {backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6]
    Establish/Maintain Documentation Preventive
    Include a backup rotation scheme in the backup policy. CC ID 16219 Establish/Maintain Documentation Preventive
    Include naming conventions in the backup policy. CC ID 16218 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Operating systems; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 2
    Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Utility programs; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 4
    {data backup}Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Data; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 1
    {data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4]
    Systems Continuity Preventive
    Determine which data elements to back up. CC ID 13483 Data and Information Management Detective
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Physical and Environmental Protection Preventive
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3
    {backup media} Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Back-up media; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Off-site storage. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 5]
    Testing Detective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Configuration Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Establish/Maintain Documentation Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Data and Information Management Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Data and Information Management Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Data and Information Management Preventive
    Perform backup procedures for in scope systems. CC ID 11692 Process or Activity Preventive
    Perform full backups in accordance with organizational standards. CC ID 16376 Data and Information Management Preventive
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Data and Information Management Preventive
    Back up all records. CC ID 11974 Systems Continuity Preventive
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Data and Information Management Preventive
    Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Establish/Maintain Documentation Preventive
    Encrypt backup data. CC ID 00958 Configuration Preventive
    Log the execution of each backup. CC ID 00956 Establish/Maintain Documentation Preventive
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401 Testing Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Testing Detective
    Test each restored system for media integrity and information integrity. CC ID 01920 Testing Detective
    Include stakeholders when testing restored systems, as necessary. CC ID 13066 Testing Corrective
    Digitally sign disk images, as necessary. CC ID 06814 Establish/Maintain Documentation Preventive
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Customers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 3
    {authorities}Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Local, state, and federal agencies; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 5
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Regulators. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 6
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Notification standards (employees, customers, regulators, vendors, service providers); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 9
    Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Establish/Maintain Documentation Preventive
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2]
    Establish/Maintain Documentation Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Critical service providers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 1
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Key financial correspondents; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 2
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1]
    Establish/Maintain Documentation Preventive
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Log Management Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    {take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Designate a knowledgeable public relations spokesperson; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 7]
    Communicate Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Media representatives; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 4]
    Communicate Corrective
    Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370
    [{takes into account}Review and verify that the written BCP:Take(s) into account: Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 8]
    Testing Detective
    Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770
    [{take into account}Review and verify that the written BCP:Take(s) into account: Liquidity; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 6]
    Acquisition/Sale of Assets or Services Preventive
    Minimize system continuity requirements. CC ID 00753 Establish/Maintain Documentation Preventive
    Include purchasing insurance in the continuity plan. CC ID 00762
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Insurance; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 10
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Establish/Maintain Documentation Preventive
    Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 Acquisition/Sale of Assets or Services Preventive
    Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 Acquisition/Sale of Assets or Services Preventive
    Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 Business Processes Detective
    Review the beneficiaries of the insurance policy. CC ID 16563 Business Processes Detective
    Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 Establish/Maintain Documentation Preventive
    Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 Establish/Maintain Documentation Detective
    Validate information security continuity controls regularly. CC ID 12008 Systems Continuity Preventive
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760
    [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Timely distribution of revised plans to personnel. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 2
    {business continuity testing strategy}Determine whether the strategy addresses staffing considerations, including: Staff access to key documentation (plans, procedures, and forms); and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 7
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9]
    Establish/Maintain Documentation Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a pandemic plan. CC ID 13214
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution's monitoring program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 5]
    Establish/Maintain Documentation Preventive
    Match emergency policies to the level of disruption anticipated in the pandemic plan. CC ID 14375 Establish/Maintain Documentation Preventive
    Identify employees who have family members who are first responders or medical personnel. CC ID 14389 Human Resources Management Detective
    Identify tasks that can be accomplished at alternate work sites. CC ID 14393 Process or Activity Preventive
    Include work that will be suspended during the pandemic in the pandemic plan. CC ID 14380 Establish/Maintain Documentation Preventive
    Include alternate work locations in the pandemic plan. CC ID 14376 Establish/Maintain Documentation Preventive
    Assign pandemic planning roles and responsibilities, as necessary. CC ID 13230
    [Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:2]
    Establish Roles Preventive
    Include modifications to the absenteeism policy in the pandemic plan. CC ID 13232
    [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism polices to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9]
    Establish/Maintain Documentation Preventive
    Include remote access requirements in the pandemic plan. CC ID 13233
    [Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:10]
    Establish/Maintain Documentation Preventive
    Include a compensation plan in the pandemic plan. CC ID 13231
    [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism polices to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9]
    Establish/Maintain Documentation Preventive
    Revalidate exceptions to the pandemic plan, as necessary. CC ID 14395 Establish/Maintain Documentation Preventive
    Approve exceptions to the pandemic plan, as necessary. CC ID 14392 Establish/Maintain Documentation Preventive
    Include a list of which emergency policies will preempt organizational policies during a pandemic in the pandemic plan. CC ID 14374 Establish/Maintain Documentation Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Systems Continuity Preventive
    Include coverage for alternate facilities for all offices in contingency arrangements. CC ID 00746
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Work locations for business functions; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 3
    Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Workspace recovery - the adequacy of floor space, desk top computers, network connectivity, e-mail access, and telephone service; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745
    [{alternate facility} Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:1]
    Establish/Maintain Documentation Preventive
    Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 Establish/Maintain Documentation Preventive
    Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 Establish/Maintain Documentation Preventive
    Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 Establish/Maintain Documentation Preventive
    Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 Establish/Maintain Documentation Preventive
    Include that the shared service provider will not oversubscribe their services in the Service Level Agreement. CC ID 04892 Establish/Maintain Documentation Preventive
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1]
    Establish/Maintain Documentation Preventive
    Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395
    [{alternate facility} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify a current inventory of items needed for off-site processing; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 6
    {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Provides sufficient processing time for the anticipated workload based on emergency priorities; and TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 2
    {capability}{independent} If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:2
    {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Has the ability to process the required volume; TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 1
    {recovery site} Determine how the recovery facility's customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:4
    Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 4
    {alternate facility} Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:5]
    Configuration Preventive
    Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227
    [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2]
    Technical Security Preventive
    Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226
    [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2]
    Physical and Environmental Protection Preventive
    Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225
    [Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s). TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:6]
    Communicate Preventive
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Applications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 3]
    Systems Continuity Preventive
    Train personnel on the continuity plan. CC ID 00759
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Employee training; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 8
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: : Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 3
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Behavior Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Behavior Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Behavior Preventive
    Include cross-team coordination in continuity plan training. CC ID 16235 Training Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Training Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Training Preventive
    Include personal protection in continuity plan training. CC ID 14394 Training Preventive
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: An evaluation of the reasonableness of assumptions used in developing the testing strategy. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 4
    {BCP testing program} Determine whether the financial institution's testing program enhances resilience through demonstrated ability to recover, resume, and maintain operations after disruptions, ranging from minor outages to wide-scale disasters consistent with the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {core firm} Determine that the test assumptions are appropriate for core and significant firms and consider: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7
    Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Testing Preventive
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [{sudden operational failure} Determine that the test assumptions are appropriate for core and significant firms and consider: Primary data centers and operations facilities that are completely inoperable without notice; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed schedules to complete each test; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 7
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 5
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4]
    Establish/Maintain Documentation Preventive
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuity test plan. CC ID 14876 Establish/Maintain Documentation Preventive
    Include test scripts in the continuity test plan. CC ID 14875 Establish/Maintain Documentation Preventive
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Establish/Maintain Documentation Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Establish/Maintain Documentation Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Establish/Maintain Documentation Preventive
    Include contact information in the continuity test plan. CC ID 14399 Establish/Maintain Documentation Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Establish/Maintain Documentation Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Establish/Maintain Documentation Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test event dates and time stamps; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 3]
    Establish/Maintain Documentation Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:4
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11
    {bcp testing program}{region}{nation}Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Local, regional, or national testing/exercises. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 5]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767
    [{BCP testing program}Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Telecommuting to simulate and test remote access; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 2
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    {bcp testing program} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1
    {bcp testing program} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1
    {connectivity testing}{test plan}Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1
    {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Risk assumptions; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 2
    {business continuity testing strategy}{enterprise-wide test} Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3
    {business continuity testing strategy}{enterprise-wide test} Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2]
    Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766
    [Determine whether testing scenarios with critical third-parties considers: Return to normal operations. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 6
    Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2
    Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2
    Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7
    Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7]
    Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777
    [{BCP testing program}{internal communication} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Internal and external communications processes and links; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3
    {BCP testing program}{internal communication} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Internal and external communications processes and links; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3
    {business continuity testing strategy}{internal communication procedure}{external communication procedure}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5
    {business continuity testing strategy}{internal communication procedure}{external communication procedure}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5
    {business continuity testing strategy}{internal contact} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Notification procedures to follow for internal and external contacts. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 6
    {business continuity testing strategy}{key stakeholders} Determine whether the strategy addresses staffing considerations, including: The ability to communicate with key internal and external stakeholders; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 2]
    Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [{critical third party} Evaluate how the financial institution ensures timeliness, thoroughness, and completeness of periodic testing with their critical providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:4
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Participation in third-party testing; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 4
    Determine that the test assumptions are appropriate for core and significant firms and consider: Other organizations in the immediate area that are also affected; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 3
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes critical subcontractors. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 3]
    Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757
    [{wide-scale disruption} Determine management's process for determining the scope of disaster recovery test scenarios, including whether management augments the tests with multiple concurrent or widespread interruptions to simulate the impact of "worst case" scenarios. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:10
    {wide-scale disruption} Determine management's process for determining the scope of disaster recovery test scenarios, including whether management augments the tests with multiple concurrent or widespread interruptions to simulate the impact of "worst case" scenarios. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:10
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A testing program to better ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 4
    {BCP testing program}{table top exercise} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Table top operations exercises; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 4
    {business continuity testing strategy}{emergency response} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6
    Determine whether testing scenarios with critical third-parties considers: An outage or disruption of the service provider; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 1
    Determine whether testing scenarios with critical third-parties considers: An outage or disruption at the financial institution; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 2
    Determine whether testing scenarios with critical third-parties considers: Crisis management; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 4
    Determine whether testing scenarios with critical third-parties considers: Cyber events; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 5
    Determine that the test assumptions are appropriate for core and significant firms and consider: Infrastructure (power, telecommunications, transportation) that is disrupted; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 4
    {business continuity testing strategy} Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1
    {test scenario}{feasibility} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 4
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3
    {test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 1]
    Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082
    [Determine whether the continuity strategy addresses interdependent components, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7
    {internal interdependencies}{business continuity testing strategy} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: Expectations for testing internal and external interdependencies; and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 3
    {internal interdependencies}{business continuity testing strategy} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: Expectations for testing internal and external interdependencies; and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 3
    Determine that test scenarios reflect key interdependencies. Consider the following: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3
    Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 9
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2]
    Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Assigned command center and assembly locations; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 2
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Assigned command center and assembly locations; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 2]
    Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174
    [Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' alternative location. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 3
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' primary location; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 2
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's primary location to the TSPs' alternative location; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 1
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    {connectivity testing}{test plan}Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1
    {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3
    {business continuity testing strategy} Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 10
    {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3]
    Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388
    [{business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 1
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 1]
    Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365
    [{technology service provider}{recovery time objective}{wide-scale disruption}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: DR/BCP test results for RTOs that provide evidence the TSP can recover from large scale disruptions and cyber events; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 1
    Determine whether management has received and reviewed testing results of their TSPs. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:10
    Determine whether management has received and reviewed testing results of their TSPs. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:10
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Third-party testing results; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 5
    {business continuity test} Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6
    Determine whether the significant firm meets the testing requirements of applicable core firms. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 11
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the institution receives adequate testing information which validates and demonstrates the recovery capability and capacity of their critical service providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:9]
    Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Business continuity test results; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 5
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 8]
    Actionable Reports or Measurements Preventive
    Approve the continuity plan test results. CC ID 15718 Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553
    [{retest} Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 4]
    Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404
    [{business continuity testing strategy}{recovery of lost data} Determine whether the strategy addresses technology considerations, including: Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 5]
    Testing Detective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216
    [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program]
    Testing Detective
  • Operational management
    220
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include detection procedures in the Incident Management program. CC ID 00588
    [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3]
    Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208 Technical Security Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Establish/Maintain Documentation Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Monitor and Evaluate Occurrences Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Monitor and Evaluate Occurrences Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Monitor and Evaluate Occurrences Detective
    Identify root causes of incidents that force system changes. CC ID 13482 Investigate Detective
    Respond to and triage when an incident is detected. CC ID 06942 Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Establish/Maintain Documentation Detective
    Escalate incidents, as necessary. CC ID 14861 Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Contain the incident to prevent further loss. CC ID 01751
    [{incident containment procedure} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Steps to be taken to contain the problem; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 3]
    Process or Activity Corrective
    Refrain from accessing compromised systems. CC ID 01752 Technical Security Corrective
    Isolate compromised systems from the network. CC ID 01753 Technical Security Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Log Management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Technical Security Corrective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Investigate Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Establish/Maintain Documentation Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Establish/Maintain Documentation Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Establish/Maintain Documentation Detective
    Assess all incidents to determine what information was accessed. CC ID 01226
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Procedures for determining the nature and scope of the incident; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 2]
    Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Analyze the incident response process following an incident response. CC ID 13179 Investigate Detective
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about what is required for contacting affected customers; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 4]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Remediate security violations according to organizational standards. CC ID 12338 Business Processes Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364
    [{data corruption}Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 9
    {data corruption}Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 9]
    Establish/Maintain Documentation Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Behavior Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Behavior Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Behavior Corrective
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Establish/Maintain Documentation Preventive
    Avoid false positive incident response notifications. CC ID 04732 Behavior Detective
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Include information required by law in incident response notifications. CC ID 00802 Establish/Maintain Documentation Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Establish/Maintain Documentation Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Establish/Maintain Documentation Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Establish/Maintain Documentation Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Establish/Maintain Documentation Preventive
    Use plain language to write incident response notifications. CC ID 12976 Establish/Maintain Documentation Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Establish/Maintain Documentation Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Establish/Maintain Documentation Preventive
    Include time information in incident response notifications. CC ID 04745 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Establish/Maintain Documentation Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Establish/Maintain Documentation Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Establish/Maintain Documentation Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Establish/Maintain Documentation Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Establish/Maintain Documentation Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Establish/Maintain Documentation Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Establish/Maintain Documentation Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Establish/Maintain Documentation Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Establish/Maintain Documentation Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Establish/Maintain Documentation Detective
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include contact information in incident response notifications. CC ID 04739 Establish/Maintain Documentation Preventive
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Behavior Corrective
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Behavior Corrective
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Behavior Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Behavior Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Behavior Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Establish/Maintain Documentation Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Behavior Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Behavior Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Behavior Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Behavior Corrective
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Establish, implement, and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Establish/Maintain Documentation Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Technical Security Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Business Processes Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Establish/Maintain Documentation Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Data and Information Management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Data and Information Management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Human Resources Management Corrective
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Establish/Maintain Documentation Preventive
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Monitor and Evaluate Occurrences Detective
    Re-image compromised systems with secure builds. CC ID 12086 Technical Security Corrective
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Monitor and Evaluate Occurrences Preventive
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Investigate Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Establish/Maintain Documentation Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858
    [{reasonable method} Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:4
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Remote access; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 7
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Establish/Maintain Documentation Corrective
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Create an incident response report following an incident response. CC ID 12700 Establish/Maintain Documentation Preventive
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about contacting the appropriate regulator; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 5]
    Communicate Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Teams and responsibilities; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 1]
    Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Include coverage of all system components in the Incident Response program. CC ID 11955
    [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3
    {cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9
    Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about addressing zero-day attacks; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 7]
    Establish/Maintain Documentation Preventive
    Include business continuity procedures in the Incident Response program. CC ID 06433
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Incident response; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 6
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Establish/Maintain Documentation Preventive
    Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 Establish/Maintain Documentation Preventive
    Test the incident response procedures. CC ID 01216
    [{cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9
    Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: A requirement for periodic testing of the incident response plan in the real-world threat landscape; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 8
    Determine whether testing scenarios with critical third-parties considers: An incident response plan; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 3]
    Testing Detective
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Establish/Maintain Documentation Preventive
    Include performance requirements in the Service Level Agreement. CC ID 00841
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Inclusion of reasonable performance standards (e.g., SLAs, RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Change control process; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 3
    {configuration change}{component change}Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887 Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794 Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548 Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Business Processes Detective
    Approve tested change requests. CC ID 11783 Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888 Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776 Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware, as necessary. CC ID 11755 Configuration Corrective
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish, implement, and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Business Processes Corrective
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Testing Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a configuration change log. CC ID 08710 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Document the organization's local environments. CC ID 06726
    [Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Establish/Maintain Documentation Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Establish/Maintain Documentation Preventive
    Include security requirements in the local environment security profile. CC ID 15717 Establish/Maintain Documentation Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Establish/Maintain Documentation Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Establish/Maintain Documentation Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Establish/Maintain Documentation Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Establish/Maintain Documentation Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Establish/Maintain Documentation Preventive
    Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 Communicate Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Establish/Maintain Documentation Preventive
  • Physical and environmental protection
    154
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [{facility physical security program} Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3
    {facility physical security program} Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Protect the facility from crime. CC ID 06347 Physical and Environmental Protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Establish/Maintain Documentation Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Technical Security Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Establish/Maintain Documentation Preventive
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and Environmental Protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and Environmental Protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Establish/Maintain Documentation Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Establish/Maintain Documentation Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Communicate Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Establish/Maintain Documentation Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and Environmental Protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and Environmental Protection Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Maintain all security alarm systems. CC ID 11669 Physical and Environmental Protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5]
    Physical and Environmental Protection Corrective
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Establish/Maintain Documentation Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Business Processes Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Establish/Maintain Documentation Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Configuration Preventive
    Install emergency doors to permit egress only. CC ID 06688 Configuration Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Configuration Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and Environmental Protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Configuration Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Testing Detective
    Secure unissued access mechanisms. CC ID 06713 Technical Security Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Establish/Maintain Documentation Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Technical Security Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Configuration Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Configuration Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Establish/Maintain Documentation Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and Environmental Protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and Environmental Protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and Environmental Protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and Environmental Protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and Environmental Protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and Environmental Protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and Environmental Protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and Environmental Protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and Environmental Protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and Environmental Protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Establish/Maintain Documentation Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and Environmental Protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1
    Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1]
    Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Establish/Maintain Documentation Preventive
    Establish, Implement, and maintain a camera operating policy. CC ID 15456 Establish/Maintain Documentation Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Communicate Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Monitor and Evaluate Occurrences Detective
    Establish and maintain a visitor log. CC ID 00715 Log Management Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Establish/Maintain Documentation Preventive
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Investigate Detective
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Behavior Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Log Management Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Log Management Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Establish/Maintain Documentation Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Log Management Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Establish/Maintain Documentation Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Log Management Preventive
    Log when the vault is accessed. CC ID 06725 Log Management Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Store facility access logs in off-site storage. CC ID 06958 Log Management Preventive
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Monitor and Evaluate Occurrences Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Monitor and Evaluate Occurrences Detective
    Configure video cameras to cover all physical entry points. CC ID 06302 Configuration Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Configuration Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Records Management Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and Environmental Protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Monitor and Evaluate Occurrences Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Establish/Maintain Documentation Preventive
    Build and maintain fencing, as necessary. CC ID 02235 Physical and Environmental Protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and Environmental Protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and Environmental Protection Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Establish Roles Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Establish/Maintain Documentation Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and Environmental Protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Configuration Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Behavior Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Behavior Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Business Processes Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Behavior Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Behavior Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and Environmental Protection Preventive
    Establish, implement, and maintain removable storage media controls. CC ID 06680 Data and Information Management Preventive
    Establish, implement, and maintain storage media access control procedures. CC ID 00959
    [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1
    Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1]
    Establish/Maintain Documentation Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Behavior Preventive
  • System hardening through configuration management
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Remove all unnecessary functionality. CC ID 00882 Configuration Preventive
    Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 Configuration Preventive
    Configure the File Replication service properly. CC ID 05068
    [{data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Configuration Preventive
    Configure Data Backup and Recovery settings in accordance with organizational standards. CC ID 08406
    [{backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6]
    Configuration Preventive
    Configure the "Retain deleted items for the specified number of days" to organizational standards. CC ID 08407 Configuration Preventive
    Configure the "Do not permanently delete items until the database has been backed up" to organizational standards. CC ID 08490 Configuration Preventive
    Configure the "Keep deleted mailboxes for the specified number of days" to organizational standards. CC ID 08600 Configuration Preventive
  • Systems design, build, and implementation
    17
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain project management standards. CC ID 00992
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Project management; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 2
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Establish/Maintain Documentation Preventive
    Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a project program documentation standard. CC ID 00995 Establish/Maintain Documentation Preventive
    Include budgeting for projects in the project management standard. CC ID 13136 Establish/Maintain Documentation Preventive
    Formally approve the initiation of each project phase. CC ID 00997 Systems Design, Build, and Implementation Detective
    Establish, implement, and maintain integrated project plans. CC ID 01056 Establish/Maintain Documentation Preventive
    Perform a risk assessment for each system development project. CC ID 01000 Testing Detective
    Establish, implement, and maintain a project control program. CC ID 01612 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project test plan. CC ID 01001 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project team plan. CC ID 06533 Establish/Maintain Documentation Preventive
    Identify accreditation tasks. CC ID 00999 Systems Design, Build, and Implementation Detective
    Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project management training plan. CC ID 01002 Establish/Maintain Documentation Preventive
    Conduct a post implementation review when the system design project ends. CC ID 01003 Testing Detective
  • Technical security
    34
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538
    [{authentication credential} Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:6
    {authentication credential} Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:6]
    Technical Security Preventive
    Control user privileges. CC ID 11665 Technical Security Preventive
    Review all user privileges, as necessary. CC ID 06784 Technical Security Preventive
    Review each user's access capabilities when their role changes. CC ID 00524
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5
    {alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5]
    Technical Security Preventive
    Establish, implement, and maintain a data loss prevention program. CC ID 13050
    [Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1]
    Establish/Maintain Documentation Preventive
    Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Communicate Preventive
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Communicate Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Establish/Maintain Documentation Preventive
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Behavior Preventive
    Install security and protection software, as necessary. CC ID 00575 Configuration Preventive
    Install and maintain container security solutions. CC ID 16178 Technical Security Preventive
    Scan for malicious code, as necessary. CC ID 11941 Investigate Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861 Testing Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Testing Detective
    Remove malware when malicious code is discovered. CC ID 13691 Process or Activity Corrective
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Communicate Corrective
    Protect the system against replay attacks. CC ID 04552 Technical Security Preventive
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Establish Roles Preventive
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Establish/Maintain Documentation Corrective
    Log and react to all malicious code activity. CC ID 07072 Monitor and Evaluate Occurrences Detective
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical Security Detective
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical Security Corrective
    Lock antivirus configurations. CC ID 10047 Configuration Preventive
    Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for provisioning shared resources. CC ID 12181 Establish/Maintain Documentation Preventive
    Employ an open virtualization format for provisioning software for virtual machines, as necessary. CC ID 12356
    [Determine whether the financial institution and service provider manage the underlying virtualization platform upon which cloud disaster recovery services are based to minimize the impact of attacks designed to cause data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:3]
    Configuration Preventive
  • Third Party and supply chain oversight
    167
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [{third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612 Establish/Maintain Documentation Preventive
    Terminate supplier relationships, as necessary. CC ID 13489 Business Processes Corrective
    Document and maintain supply chain processes. CC ID 08816 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an exit plan. CC ID 15492 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the exit plan. CC ID 15497 Establish/Maintain Documentation Preventive
    Test the exit plan, as necessary. CC ID 15495 Testing Preventive
    Include contingency plans in the third party management plan. CC ID 10030 Establish/Maintain Documentation Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Systems Continuity Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Process or Activity Detective
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Establish/Maintain Documentation Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Establish/Maintain Documentation Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510
    [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Data governance expectations. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 8
    Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1
    Evaluate data governance standards and expectations with third-party providers. Consider: Data volume and growth. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 2
    Evaluate data governance standards and expectations with third-party providers. Consider: Data volume and growth. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 2]
    Business Processes Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Establish/Maintain Documentation Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Establish/Maintain Documentation Preventive
    Include the contract duration in third party contracts. CC ID 16221 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Establish/Maintain Documentation Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Establish/Maintain Documentation Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Establish/Maintain Documentation Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355 Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2
    {technology service provider}{recovery time objective}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Independent audit reports that support the RTOs; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 2]
    Establish/Maintain Documentation Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4]
    Establish/Maintain Documentation Preventive
    Include training requirements in third party contracts. CC ID 16367 Acquisition/Sale of Assets or Services Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Establish/Maintain Documentation Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Awareness and oversight of service provider's use of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 7]
    Establish/Maintain Documentation Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722
    [{foreign-based third party}{offshore production data}{offshore backup data} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12
    {foreign-based third party}{offshore production data}{offshore backup data} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12]
    Establish/Maintain Documentation Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Establish/Maintain Documentation Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115
    [Interview management and review the business continuity request information to identify: Changes in key service providers (technology, communication, back-up/recovery, etc.) and software vendors; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 4
    Interview management and review the business continuity request information to identify: Changes in key service providers (technology, communication, back-up/recovery, etc.) and software vendors; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 4
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Periodic reporting to an appropriate oversight committee; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 6]
    Establish/Maintain Documentation Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Establish/Maintain Documentation Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Establish/Maintain Documentation Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Establish/Maintain Documentation Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Establish/Maintain Documentation Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519 Establish/Maintain Documentation Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [{TSP}{contract termination}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Right to terminate language (if the TSP defaults on SLAs and RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 4]
    Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Establish/Maintain Documentation Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Establish/Maintain Documentation Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Establish/Maintain Documentation Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Testing Detective
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Adherence to U.S. data confidentiality and security standards at a minimum by foreign-based service providers/subcontractors; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 6
    Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797
    [Review and verify that the written BCP: Addresses the recovery of vendors and outsourcing arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 2
    Review and verify that the written BCP: Addresses the recovery of vendors and outsourcing arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 2]
    Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825 Business Processes Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Establish/Maintain Documentation Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Establish/Maintain Documentation Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900 Establish/Maintain Documentation Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Establish/Maintain Documentation Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Establish/Maintain Documentation Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Establish/Maintain Documentation Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Communicate Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Establish/Maintain Documentation Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Establish/Maintain Documentation Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 Establish/Maintain Documentation Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Establish/Maintain Documentation Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Establish/Maintain Documentation Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Establish/Maintain Documentation Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Business Processes Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Establish/Maintain Documentation Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Establish/Maintain Documentation Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Physical and Environmental Protection Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Establish/Maintain Documentation Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Process or Activity Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Establish/Maintain Documentation Detective
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Establish Roles Preventive
    Approve all Service Level Agreements. CC ID 00843 Establish/Maintain Documentation Detective
    Track all chargeable items in Service Level Agreements. CC ID 11616 Business Processes Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Establish/Maintain Documentation Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Business Processes Corrective
    Categorize all suppliers in the supply chain management program. CC ID 00792 Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform risk assessments of third parties, as necessary. CC ID 06454 Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [{offshore data storage}{risk profile} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Evidence of management's evaluation of whether storage of data offshore (production or back-up) meets the financial institution's risk appetite and profile; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 1]
    Establish/Maintain Documentation Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Audits and Risk Management Detective
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Establish/Maintain Documentation Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Business Processes Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Human Resources Management Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809 Establish/Maintain Documentation Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132 Establish/Maintain Documentation Preventive
    Select suppliers based on their qualifications. CC ID 00795 Establish/Maintain Documentation Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Establish/Maintain Documentation Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Establish/Maintain Documentation Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Communicate Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Establish/Maintain Documentation Preventive
    Support third parties in building their capabilities. CC ID 08814 Business Processes Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Business Processes Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Business Processes Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Business Processes Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Establish/Maintain Documentation Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Establish/Maintain Documentation Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Establish/Maintain Documentation Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Establish/Maintain Documentation Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Establish/Maintain Documentation Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Establish/Maintain Documentation Preventive
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Data and Information Management Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Establish/Maintain Documentation Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Establish/Maintain Documentation Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Establish/Maintain Documentation Preventive
    Identify supply sources for secondary materials. CC ID 08822 Business Processes Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Business Processes Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    {take into account}Review and verify that the written BCP: Take(s) into account: Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 4
    {third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9
    {third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9
    Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2
    {backup and recovery capability} Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Recovery capabilities and capacity of the service provider; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 1
    {TSP} Determine whether institution management has assessed the adequacy of the TSPs' business continuity program through their vendor management program (e.g. contract requirements, third-party reviews). TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:11
    {predetermined time frame} Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 2
    {foreign-based third party} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Management's assessment of the foreign-based provider's resilience architecture and strategy. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2
    {foreign-based third party} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Management's assessment of the foreign-based provider's resilience architecture and strategy. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2]
    Business Processes Detective
    Review third parties' backup policies. CC ID 13043
    [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Systems Continuity Detective
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Cyber resilience and preparedness; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 2
    Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Significant downtime that would threaten the financial institution's business resilience; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 3]
    Business Processes Detective
    Assess third parties' use of subcontractors during due diligence. CC ID 12073
    [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Service provider's oversight of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 4]
    Business Processes Detective
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Testing requirements with the TSP; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 7]
    Establish/Maintain Documentation Detective
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Communicate Preventive
    Include the audit scope in the third party external audit report. CC ID 13138 Establish/Maintain Documentation Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Establish/Maintain Documentation Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Establish/Maintain Documentation Detective
    Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2
    {Management Information System}Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Regular review of MIS reporting (e.g., adherence to RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 3]
    Business Processes Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Business Processes Preventive
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Establish/Maintain Documentation Preventive
    Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: TSP accountability for actions/inactions of subcontractors should the subcontractor fail to provide necessary service(s) for business recovery capabilities; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 5]
    Establish/Maintain Documentation Preventive
Common Controls and
mandates by Type
252 Mandated Controls - bold    
123 Implied Controls - italic     1085 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1460 Total
  • Acquisition/Sale of Assets or Services
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Corrective
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770
    [{take into account}Review and verify that the written BCP:Take(s) into account: Liquidity; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 6]
    Operational and Systems Continuity Preventive
    Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 Operational and Systems Continuity Preventive
    Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 Operational and Systems Continuity Preventive
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Preventive
  • Actionable Reports or Measurements
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5]
    Audits and risk management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Corrective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 1]
    Audits and risk management Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Business continuity test results; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 5
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 8]
    Operational and Systems Continuity Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Preventive
  • Audits and Risk Management
    54
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Preventive
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Preventive
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Detective
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior regulatory reports of examination; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 2
    Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Pre-examination planning memos; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 1
    {work paper}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior examination workpapers; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 3]
    Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620
    [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3]
    Audits and risk management Detective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [Review management's response to audit recommendations noted since the last examination. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2]
    Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159
    [Determine whether audit involvement in the business continuity program is effective, including: Audit coverage of the business continuity program; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 1]
    Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622
    [Determine whether audit involvement in the business continuity program is effective, including: Documentation of audit findings TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 4]
    Audits and risk management Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Detective
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and risk management Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Preventive
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4]
    Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 2
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4]
    Audits and risk management Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147
    [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3
    Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5]
    Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment]
    Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 3]
    Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468
    [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7
    {internal threat}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Internally identified threats; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 2]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [{external threat} Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 3]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Operational and Systems Continuity Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Third Party and supply chain oversight Detective
  • Behavior
    45
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 Monitoring and measurement Detective
    Establish, implement, and maintain a testing program. CC ID 00654
    [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Preventive
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Corrective
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Audits and risk management Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Technical security Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Physical and environmental protection Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1
    {technology service provider}Determine whether the continuity strategy addresses interdependent components, including: Third-party technology providers; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 3]
    Operational and Systems Continuity Preventive
    Train personnel on the continuity plan. CC ID 00759
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Employee training; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 8
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: : Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 3
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Operational and Systems Continuity Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Operational and Systems Continuity Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5
    {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4]
    Human Resources management Preventive
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Corrective
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Corrective
    Avoid false positive incident response notifications. CC ID 04732 Operational management Detective
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Corrective
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Corrective
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Corrective
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Preventive
  • Business Processes
    64
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Analyze the business environment in which the organization operates. CC ID 12798
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    {configuration change}{component change}Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3]
    Leadership and high level objectives Preventive
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Preventive
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630
    [{test strategy} Determine if test plans adequately complement testing strategies. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2]
    Leadership and high level objectives Preventive
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659 Audits and risk management Preventive
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903
    [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Large scale disruptive events that could affect the ability to service clients; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 1
    {state-of-the-art}Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Significant downtime that would threaten the financial institution's business resiliency. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 3
    {state-of-the-art}Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Cyber events that could impact the ability to service clients; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 2]
    Audits and risk management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2]
    Audits and risk management Preventive
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Preventive
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Preventive
    Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 Operational and Systems Continuity Detective
    Review the beneficiaries of the insurance policy. CC ID 16563 Operational and Systems Continuity Detective
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Preventive
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Human Resources management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Preventive
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Corrective
    Manage change requests. CC ID 00887 Operational management Preventive
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Detective
    Implement changes according to the change control program. CC ID 11776 Operational management Preventive
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Corrective
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Preventive
    Protect the integrity of application service transactions. CC ID 12017
    [Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2]
    Acquisition or sale of facilities, technology, and services Preventive
    Terminate supplier relationships, as necessary. CC ID 13489 Third Party and supply chain oversight Corrective
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Data governance expectations. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 8
    Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1
    Evaluate data governance standards and expectations with third-party providers. Consider: Data volume and growth. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 2
    Evaluate data governance standards and expectations with third-party providers. Consider: Data volume and growth. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 2]
    Third Party and supply chain oversight Preventive
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Preventive
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Corrective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Third Party and supply chain oversight Preventive
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Third Party and supply chain oversight Preventive
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    {take into account}Review and verify that the written BCP: Take(s) into account: Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 4
    {third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9
    {third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9
    Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2
    {backup and recovery capability} Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Recovery capabilities and capacity of the service provider; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 1
    {TSP} Determine whether institution management has assessed the adequacy of the TSPs' business continuity program through their vendor management program (e.g. contract requirements, third-party reviews). TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:11
    {predetermined time frame} Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 2
    {foreign-based third party} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Management's assessment of the foreign-based provider's resilience architecture and strategy. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2
    {foreign-based third party} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Management's assessment of the foreign-based provider's resilience architecture and strategy. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2]
    Third Party and supply chain oversight Detective
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Cyber resilience and preparedness; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 2
    Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Significant downtime that would threaten the financial institution's business resilience; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 3]
    Third Party and supply chain oversight Detective
    Assess third parties' use of subcontractors during due diligence. CC ID 12073
    [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Service provider's oversight of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 4]
    Third Party and supply chain oversight Detective
    Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2
    {Management Information System}Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Regular review of MIS reporting (e.g., adherence to RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 3]
    Third Party and supply chain oversight Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Third Party and supply chain oversight Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Third Party and supply chain oversight Preventive
  • Communicate
    63
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Preventive
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 Monitoring and measurement Corrective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Monitoring and measurement Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Monitoring and measurement Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Monitoring and measurement Preventive
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Monitoring and measurement Preventive
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Monitoring and measurement Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Monitoring and measurement Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 Monitoring and measurement Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Monitoring and measurement Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Monitoring and measurement Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Preventive
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Preventive
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Technical security Preventive
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Technical security Preventive
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Corrective
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Preventive
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 Operational and Systems Continuity Preventive
    Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 Operational and Systems Continuity Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    {take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Designate a knowledgeable public relations spokesperson; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 7]
    Operational and Systems Continuity Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Media representatives; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 4]
    Operational and Systems Continuity Corrective
    Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225
    [Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s). TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:6]
    Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about contacting the appropriate regulator; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 5]
    Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Corrective
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Preventive
    Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 Operational management Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Preventive
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Preventive
  • Configuration
    40
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Monitoring and measurement Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Monitoring and measurement Corrective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Corrective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Monitoring and measurement Detective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Monitoring and measurement Corrective
    Install security and protection software, as necessary. CC ID 00575 Technical security Preventive
    Lock antivirus configurations. CC ID 10047 Technical security Preventive
    Employ an open virtualization format for provisioning software for virtual machines, as necessary. CC ID 12356
    [Determine whether the financial institution and service provider manage the underlying virtualization platform upon which cloud disaster recovery services are based to minimize the impact of attacks designed to cause data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:3]
    Technical security Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Preventive
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Preventive
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Preventive
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Preventive
    Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 Operational and Systems Continuity Preventive
    Install and maintain redundant power supplies for critical facilities. CC ID 06355 Operational and Systems Continuity Preventive
    Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 Operational and Systems Continuity Preventive
    Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 Operational and Systems Continuity Corrective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Operational and Systems Continuity Preventive
    Encrypt backup data. CC ID 00958 Operational and Systems Continuity Preventive
    Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395
    [{alternate facility} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify a current inventory of items needed for off-site processing; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 6
    {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Provides sufficient processing time for the anticipated workload based on emergency priorities; and TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 2
    {capability}{independent} If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:2
    {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Has the ability to process the required volume; TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 1
    {recovery site} Determine how the recovery facility's customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:4
    Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 4
    {alternate facility} Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:5]
    Operational and Systems Continuity Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Update computer firmware, as necessary. CC ID 11755 Operational management Corrective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Corrective
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Detective
    Remove all unnecessary functionality. CC ID 00882 System hardening through configuration management Preventive
    Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 System hardening through configuration management Preventive
    Configure the File Replication service properly. CC ID 05068
    [{data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    System hardening through configuration management Preventive
    Configure Data Backup and Recovery settings in accordance with organizational standards. CC ID 08406
    [{backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6]
    System hardening through configuration management Preventive
    Configure the "Retain deleted items for the specified number of days" to organizational standards. CC ID 08407 System hardening through configuration management Preventive
    Configure the "Do not permanently delete items until the database has been backed up" to organizational standards. CC ID 08490 System hardening through configuration management Preventive
    Configure the "Keep deleted mailboxes for the specified number of days" to organizational standards. CC ID 08600 System hardening through configuration management Preventive
  • Data and Information Management
    20
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Preventive
    Establish, implement, and maintain removable storage media controls. CC ID 06680 Physical and environmental protection Preventive
    Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 Operational and Systems Continuity Preventive
    Determine which data elements to back up. CC ID 13483 Operational and Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Operational and Systems Continuity Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Preventive
    Perform full backups in accordance with organizational standards. CC ID 16376 Operational and Systems Continuity Preventive
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Operational and Systems Continuity Preventive
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Operational and Systems Continuity Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about what is required for contacting affected customers; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 4]
    Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Corrective
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Preventive
    Approve tested change requests. CC ID 11783 Operational management Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Preventive
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Preventive
  • Establish Roles
    30
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Detective
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Monitoring and measurement Preventive
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Monitoring and measurement Preventive
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Preventive
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Audits and risk management Preventive
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Technical security Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Preventive
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733
    [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Roles and responsibilities of crisis management group members; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 1
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2
    {business continuity testing policy} Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 2]
    Operational and Systems Continuity Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Preventive
    Include restoration procedures in the continuity plan. CC ID 01169
    [Determine whether adequate risk mitigation strategies have been considered for: Recovery of data (e.g. backlogged transactions, reconciliation procedures); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 5
    Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1
    Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1]
    Operational and Systems Continuity Preventive
    Assign pandemic planning roles and responsibilities, as necessary. CC ID 13230
    [Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:2]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Human Resources management Preventive
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Human Resources management Preventive
    Rotate duties amongst the critical roles and positions. CC ID 06554
    [{business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4]
    Human Resources management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Teams and responsibilities; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 1]
    Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Preventive
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Preventive
  • Establish/Maintain Documentation
    672
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5]
    Leadership and high level objectives Detective
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 Leadership and high level objectives Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1]
    Leadership and high level objectives Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Preventive
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Preventive
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about filing Suspicious Activity Reports (SARs); TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 6]
    Monitoring and measurement Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Preventive
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Monitoring and measurement Detective
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Monitoring and measurement Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Preventive
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Preventive
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Preventive
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Monitoring and measurement Preventive
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Monitoring and measurement Preventive
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Monitoring and measurement Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220 Monitoring and measurement Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Monitoring and measurement Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Monitoring and measurement Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Monitoring and measurement Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Monitoring and measurement Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Monitoring and measurement Preventive
    Document improvement actions based on test results and exercises. CC ID 16840 Monitoring and measurement Preventive
    Define the test requirements for each testing program. CC ID 13177
    [Determine whether the institution relies on proxy testing. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:8
    From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5
    From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Monitoring and measurement Preventive
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Monitoring and measurement Preventive
    Document the business need justification for authorized wireless access points. CC ID 12044 Monitoring and measurement Preventive
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032 Monitoring and measurement Preventive
    Create technical documentation assessment certificates in an official language. CC ID 15110 Monitoring and measurement Preventive
    Define the test frequency for each testing program. CC ID 13176 Monitoring and measurement Preventive
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Monitoring and measurement Detective
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Monitoring and measurement Preventive
    Align the penetration test program with industry standards. CC ID 12469 Monitoring and measurement Preventive
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Monitoring and measurement Preventive
    Include facilities in the business line testing strategy. CC ID 13253
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3]
    Monitoring and measurement Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Preventive
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Preventive
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Monitoring and measurement Corrective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663
    [Determine examination scope and objectives for reviewing the business continuity planning program. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1]
    Monitoring and measurement Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Preventive
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199
    [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3]
    Audits and risk management Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200
    [{matters requiring attention}Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 2
    Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the report of examination. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:4
    Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: The potential impact of your conclusions on composite and component ratings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 3
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4]
    Audits and risk management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:5]
    Audits and risk management Preventive
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [Interview management and review the business continuity request information to identify: Any material changes in the audit program, scope, or schedule related to business continuity activities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 2]
    Audits and risk management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Preventive
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Detective
    Review past audit reports. CC ID 01155
    [{internal audit report}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Internal and external audit reports, including third-party reports; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 4
    {internal audit report}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Internal and external audit reports, including third-party reports; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 4]
    Audits and risk management Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Detective
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117
    [Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13]
    Audits and risk management Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1
    Review management's response to audit recommendations noted since the last examination. Consider the following: Existence of any outstanding issues; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 3
    Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Violations of law, rulings, regulations; TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 1]
    Audits and risk management Detective
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [Review management's response to audit recommendations noted since the last examination. Consider the following Adequacy and timing of corrective action; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1
    Review management's response to audit recommendations noted since the last examination. Consider the following Adequacy and timing of corrective action; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1
    Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13
    Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3
    Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3]
    Audits and risk management Corrective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4]
    Audits and risk management Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209 Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Supplies; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 2]
    Audits and risk management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217
    [Determine whether management has considered the possibility of transferring critical aspects of the institution's operation to alternate backup providers or other industry participants to ensure continuity of operations in extreme situations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:4]
    Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Audits and risk management Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 4]
    Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [Determine whether the financial institution's and TSP's risk management strategies are designed to achieve resilience, such as the ability to effectively respond to wide-scale disruptions, including cyber attacks and attacks on multiple critical infrastructure sectors. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10]
    Audits and risk management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Preventive
    Document cybersecurity risks. CC ID 12281 Audits and risk management Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Audits and risk management Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Audits and risk management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Preventive
    Document organizational risk criteria. CC ID 12277 Audits and risk management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5]
    Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Pandemics. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 4]
    Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [{risk profile}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6]
    Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Preventive
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219
    [{continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4]
    Audits and risk management Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3
    Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment]
    Audits and risk management Detective
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Audits and risk management Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 Audits and risk management Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [{risk profile}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6]
    Audits and risk management Preventive
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Preventive
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Corrective
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Preventive
    Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Audits and risk management Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish, implement, and maintain a data loss prevention program. CC ID 13050
    [Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1]
    Technical security Preventive
    Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 Technical security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Technical security Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Technical security Preventive
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Technical security Preventive
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Technical security Corrective
    Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 Technical security Preventive
    Establish, implement, and maintain procedures for provisioning shared resources. CC ID 12181 Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [{facility physical security program} Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3
    {facility physical security program} Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3]
    Physical and environmental protection Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Preventive
    Establish, Implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Preventive
    Establish, implement, and maintain storage media access control procedures. CC ID 00959
    [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1
    Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1]
    Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a business continuity policy. CC ID 12405
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Operational and Systems Continuity Preventive
    Include compliance requirements in the business continuity policy. CC ID 14237 Operational and Systems Continuity Preventive
    Include coordination amongst entities in the business continuity policy. CC ID 14235 Operational and Systems Continuity Preventive
    Include management commitment in the business continuity policy. CC ID 14233 Operational and Systems Continuity Preventive
    Include the scope in the business continuity policy. CC ID 14231 Operational and Systems Continuity Preventive
    Include roles and responsibilities in the business continuity policy. CC ID 14190 Operational and Systems Continuity Preventive
    Include the purpose in the business continuity policy. CC ID 14188 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a business continuity testing policy. CC ID 13235
    [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Operational and Systems Continuity Preventive
    Include testing cycles and test scope in the business continuity testing policy. CC ID 13236
    [{business continuity testing policy} Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 3]
    Operational and Systems Continuity Preventive
    Include documentation requirements in the business continuity testing policy. CC ID 14377 Operational and Systems Continuity Preventive
    Include reporting requirements in the business continuity testing policy. CC ID 14397 Operational and Systems Continuity Preventive
    Include test requirements for crisis management in the business continuity testing policy. CC ID 13240
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Preventive
    Include test requirements for support functions in the business continuity testing policy. CC ID 13239
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Preventive
    Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Preventive
    Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Preventive
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257
    [{business continuity testing strategy}{bcp and testing program} Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 5]
    Operational and Systems Continuity Preventive
    Include data recovery in the business continuity testing strategy. CC ID 13262
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Operational and Systems Continuity Preventive
    Include testing critical applications in the business continuity testing strategy. CC ID 13261
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Operational and Systems Continuity Preventive
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to reconcile transaction data; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 3
    Determine that the test assumptions are appropriate for core and significant firms and consider: Whether continuity arrangements continue to operate until all pending transactions are closed. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 6]
    Operational and Systems Continuity Preventive
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5]
    Operational and Systems Continuity Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908 Operational and Systems Continuity Preventive
    Include network security in the scope of the continuity framework. CC ID 16327 Operational and Systems Continuity Preventive
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Operational and Systems Continuity Preventive
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Operational and Systems Continuity Preventive
    Include business units in the scope of the continuity framework. CC ID 11898
    [Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:3]
    Operational and Systems Continuity Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Operational and Systems Continuity Preventive
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Operational and Systems Continuity Preventive
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Interview management and review the business continuity request information to identify: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a shelter in place plan. CC ID 16260 Operational and Systems Continuity Preventive
    Designate safe rooms in the shelter in place plan. CC ID 16276 Operational and Systems Continuity Preventive
    Include Quality Management in the continuity framework. CC ID 12239 Operational and Systems Continuity Preventive
    Establish and maintain a system continuity plan philosophy. CC ID 00734 Operational and Systems Continuity Preventive
    Define the executive vision of the continuity planning process. CC ID 01243
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    {business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2]
    Operational and Systems Continuity Preventive
    Include a pandemic plan in the continuity plan. CC ID 06800
    [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5
    {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4
    {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4
    Determine whether the BCP effectively addresses pandemic issues. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A documented strategy that provides for scaling the institution's pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 2]
    Operational and Systems Continuity Preventive
    Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761
    [Determine whether adequate risk mitigation strategies have been considered for: Preparation for return to normal operations once the permanent facilities are available. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 6]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    [business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    [business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine the existence of an appropriate enterprise-wide BCP. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5
    Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8]
    Operational and Systems Continuity Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1]
    Operational and Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Operational and Systems Continuity Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1]
    Operational and Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1]
    Operational and Systems Continuity Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6
    From the procedures performed: Document conclusions related to the quality and effectiveness of the business continuity process. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 2]
    Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9]
    Operational and Systems Continuity Preventive
    Include incident management procedures in the continuity plan. CC ID 13244
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Crisis management (responsibility for disaster declaration and dealing with outside parties); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 5
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution's staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 3]
    Operational and Systems Continuity Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Include procedures for notifying the back-up site; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 5]
    Operational and Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    {third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4
    Determine whether adequate risk mitigation strategies have been considered for: BCP; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 3
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: According to its priority ranking in the risk assessment; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 1
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering long-term recovery arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 3]
    Operational and Systems Continuity Preventive
    Include the recovery plan in the continuity plan. CC ID 01377
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering interdependencies among systems; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 2
    {data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain organizational facility continuity plans. CC ID 02224
    [{take into account}Review and verify that the written BCP: Take(s) into account: Facilities; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 5
    If the organization is relying on outside facilities for recovery, determine whether the recovery site: Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 3]
    Operational and Systems Continuity Preventive
    Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 Operational and Systems Continuity Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735
    [{internal business process}Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5]
    Operational and Systems Continuity Preventive
    Include emergency operating procedures in the continuity plan. CC ID 11694
    [{emergency procedure} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Explain actions to be taken in specific emergencies; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 3]
    Operational and Systems Continuity Preventive
    Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 Operational and Systems Continuity Preventive
    Define and prioritize critical business functions. CC ID 00736
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process]
    Operational and Systems Continuity Detective
    Review and prioritize the importance of each business process. CC ID 11689
    [{internal business process}Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4]
    Operational and Systems Continuity Preventive
    Define and prioritize critical business records. CC ID 11687 Operational and Systems Continuity Preventive
    Include the protection of personnel in the continuity plan. CC ID 06378
    [{take into account} Review and verify that the written BCP: Take(s) into account: Personnel; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 1]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a critical personnel list. CC ID 00739 Operational and Systems Continuity Detective
    Define the triggering events for when to activate the pandemic plan. CC ID 06801 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8
    Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8
    Determine whether the continuity strategy addresses interdependent components, including: Key suppliers/business partners; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 4]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a critical resource list. CC ID 00740 Operational and Systems Continuity Detective
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741
    [{third party service providers} Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8
    {third party service providers} Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8]
    Operational and Systems Continuity Preventive
    Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 Operational and Systems Continuity Preventive
    Include workstation continuity procedures in the continuity plan. CC ID 01378 Operational and Systems Continuity Preventive
    Include server continuity procedures in the continuity plan. CC ID 01379
    [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7]
    Operational and Systems Continuity Preventive
    Include website continuity procedures in the continuity plan. CC ID 01380 Operational and Systems Continuity Preventive
    Include near-line capabilities in the continuity plan. CC ID 01383 Operational and Systems Continuity Preventive
    Include online capabilities in the continuity plan. CC ID 11690 Operational and Systems Continuity Preventive
    Include mainframe continuity procedures in the continuity plan. CC ID 01382 Operational and Systems Continuity Preventive
    Include telecommunications continuity procedures in the continuity plan. CC ID 11691
    [Determine whether the continuity strategy addresses interdependent components, including: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 2
    {voice service}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of telephony and electronic messaging due to the convergence of voice and data services on the same network; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 2
    {data communication} Determine whether the financial institution and service provider are considering al- ternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3]
    Operational and Systems Continuity Preventive
    Include system continuity procedures in the continuity plan. CC ID 01268
    [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8]
    Operational and Systems Continuity Preventive
    Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743
    [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6
    Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4
    {data communication} Determine whether the financial institution and service provider are considering al- ternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3]
    Operational and Systems Continuity Detective
    Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 Operational and Systems Continuity Preventive
    Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 Operational and Systems Continuity Preventive
    Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 Operational and Systems Continuity Preventive
    Include emergency power continuity procedures in the continuity plan. CC ID 01254
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate power supplies (e.g. uninterruptible power source, back-up generators); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 4
    Determine whether the continuity strategy addresses interdependent components, including: Utilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 1]
    Operational and Systems Continuity Preventive
    Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374
    [{take into account}Review and verify that the written BCP:Take(s) into account: Manual operating procedures. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 9]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 Operational and Systems Continuity Preventive
    Designate an alternate facility in the continuity plan. CC ID 00742 Operational and Systems Continuity Detective
    Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 Operational and Systems Continuity Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250
    [{take into account}Review and verify that the written BCP: Take(s) into account: Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 3
    {backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6]
    Operational and Systems Continuity Preventive
    Include a backup rotation scheme in the backup policy. CC ID 16219 Operational and Systems Continuity Preventive
    Include naming conventions in the backup policy. CC ID 16218 Operational and Systems Continuity Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Operational and Systems Continuity Preventive
    Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Operational and Systems Continuity Preventive
    Log the execution of each backup. CC ID 00956 Operational and Systems Continuity Preventive
    Digitally sign disk images, as necessary. CC ID 06814 Operational and Systems Continuity Preventive
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Customers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 3
    {authorities}Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Local, state, and federal agencies; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 5
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Regulators. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 6
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Notification standards (employees, customers, regulators, vendors, service providers); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 9
    Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Preventive
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2]
    Operational and Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Critical service providers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 1
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Key financial correspondents; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 2
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1]
    Operational and Systems Continuity Preventive
    Minimize system continuity requirements. CC ID 00753 Operational and Systems Continuity Preventive
    Include purchasing insurance in the continuity plan. CC ID 00762
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Insurance; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 10
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Preventive
    Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 Operational and Systems Continuity Detective
    Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 Operational and Systems Continuity Detective
    Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 Operational and Systems Continuity Detective
    Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 Operational and Systems Continuity Preventive
    Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 Operational and Systems Continuity Preventive
    Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 Operational and Systems Continuity Preventive
    Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 Operational and Systems Continuity Preventive
    Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 Operational and Systems Continuity Detective
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760
    [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Timely distribution of revised plans to personnel. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 2
    {business continuity testing strategy}Determine whether the strategy addresses staffing considerations, including: Staff access to key documentation (plans, procedures, and forms); and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 7
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9]
    Operational and Systems Continuity Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a pandemic plan. CC ID 13214
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution's monitoring program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 5]
    Operational and Systems Continuity Preventive
    Match emergency policies to the level of disruption anticipated in the pandemic plan. CC ID 14375 Operational and Systems Continuity Preventive
    Include work that will be suspended during the pandemic in the pandemic plan. CC ID 14380 Operational and Systems Continuity Preventive
    Include alternate work locations in the pandemic plan. CC ID 14376 Operational and Systems Continuity Preventive
    Include modifications to the absenteeism policy in the pandemic plan. CC ID 13232
    [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism polices to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9]
    Operational and Systems Continuity Preventive
    Include remote access requirements in the pandemic plan. CC ID 13233
    [Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:10]
    Operational and Systems Continuity Preventive
    Include a compensation plan in the pandemic plan. CC ID 13231
    [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism polices to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9]
    Operational and Systems Continuity Preventive
    Revalidate exceptions to the pandemic plan, as necessary. CC ID 14395 Operational and Systems Continuity Preventive
    Approve exceptions to the pandemic plan, as necessary. CC ID 14392 Operational and Systems Continuity Preventive
    Include a list of which emergency policies will preempt organizational policies during a pandemic in the pandemic plan. CC ID 14374 Operational and Systems Continuity Preventive
    Include coverage for alternate facilities for all offices in contingency arrangements. CC ID 00746
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Work locations for business functions; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 3
    Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Workspace recovery - the adequacy of floor space, desk top computers, network connectivity, e-mail access, and telephone service; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 2]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745
    [{alternate facility} Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:1]
    Operational and Systems Continuity Preventive
    Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 Operational and Systems Continuity Preventive
    Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 Operational and Systems Continuity Preventive
    Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 Operational and Systems Continuity Preventive
    Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 Operational and Systems Continuity Preventive
    Include that the shared service provider will not oversubscribe their services in the Service Level Agreement. CC ID 04892 Operational and Systems Continuity Preventive
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [{sudden operational failure} Determine that the test assumptions are appropriate for core and significant firms and consider: Primary data centers and operations facilities that are completely inoperable without notice; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed schedules to complete each test; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 7
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 5
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4]
    Operational and Systems Continuity Preventive
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Operational and Systems Continuity Preventive
    Include recovery procedures in the continuity test plan. CC ID 14876 Operational and Systems Continuity Preventive
    Include test scripts in the continuity test plan. CC ID 14875 Operational and Systems Continuity Preventive
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Operational and Systems Continuity Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Operational and Systems Continuity Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Operational and Systems Continuity Preventive
    Include contact information in the continuity test plan. CC ID 14399 Operational and Systems Continuity Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Operational and Systems Continuity Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Operational and Systems Continuity Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test event dates and time stamps; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 3]
    Operational and Systems Continuity Preventive
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146 Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Human Resources management Preventive
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 Human Resources management Preventive
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073
    [Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6]
    Human Resources management Preventive
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Human Resources management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include detection procedures in the Incident Management program. CC ID 00588
    [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3]
    Operational management Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Operational management Preventive
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Operational management Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Detective
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364
    [{data corruption}Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 9
    {data corruption}Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 9]
    Operational management Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include information required by law in incident response notifications. CC ID 00802 Operational management Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Preventive
    Use plain language to write incident response notifications. CC ID 12976 Operational management Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Preventive
    Include time information in incident response notifications. CC ID 04745 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Detective
    Include contact information in incident response notifications. CC ID 04739 Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Preventive
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Preventive
    Include response times in the containment strategy. CC ID 13485 Operational management Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Operational management Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Preventive
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858
    [{reasonable method} Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:4
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Remote access; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 7
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational management Corrective
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Create an incident response report following an incident response. CC ID 12700 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Preventive
    Include coverage of all system components in the Incident Response program. CC ID 11955
    [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3
    {cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9
    Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about addressing zero-day attacks; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 7]
    Operational management Preventive
    Include business continuity procedures in the Incident Response program. CC ID 06433
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Incident response; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 6
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational management Preventive
    Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 Operational management Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Operational management Preventive
    Include performance requirements in the Service Level Agreement. CC ID 00841
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Inclusion of reasonable performance standards (e.g., SLAs, RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 3]
    Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Change control process; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 3
    {configuration change}{component change}Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational management Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Preventive
    Include version control in the change control program. CC ID 13119 Operational management Preventive
    Include service design and transition in the change control program. CC ID 13920 Operational management Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Operational management Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Preventive
    Approve back-out plans, as necessary. CC ID 13627 Operational management Corrective
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Preventive
    Establish and maintain a change request approver list. CC ID 06795 Operational management Preventive
    Document all change requests in change request forms. CC ID 06794 Operational management Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Preventive
    Log emergency changes after they have been performed. CC ID 12733 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Document the sources of all software updates. CC ID 13316 Operational management Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Preventive
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Preventive
    Document approved configuration deviations. CC ID 08711 Operational management Corrective
    Document the organization's local environments. CC ID 06726
    [Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 1]
    Operational management Preventive
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Operational management Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Operational management Preventive
    Include security requirements in the local environment security profile. CC ID 15717 Operational management Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Operational management Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Operational management Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Operational management Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Operational management Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Operational management Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Operational management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Preventive
    Establish, implement, and maintain project management standards. CC ID 00992
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Project management; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 2
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project program documentation standard. CC ID 00995 Systems design, build, and implementation Preventive
    Include budgeting for projects in the project management standard. CC ID 13136 Systems design, build, and implementation Preventive
    Establish, implement, and maintain integrated project plans. CC ID 01056 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project control program. CC ID 01612 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project test plan. CC ID 01001 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project team plan. CC ID 06533 Systems design, build, and implementation Preventive
    Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project management training plan. CC ID 01002 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [{third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Preventive
    Document and maintain supply chain processes. CC ID 08816 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain an exit plan. CC ID 15492 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in the exit plan. CC ID 15497 Third Party and supply chain oversight Preventive
    Include contingency plans in the third party management plan. CC ID 10030 Third Party and supply chain oversight Preventive
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Third Party and supply chain oversight Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Third Party and supply chain oversight Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510
    [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Third Party and supply chain oversight Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Preventive
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Preventive
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2
    {technology service provider}{recovery time objective}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Independent audit reports that support the RTOs; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 2]
    Third Party and supply chain oversight Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4]
    Third Party and supply chain oversight Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Awareness and oversight of service provider's use of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 7]
    Third Party and supply chain oversight Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722
    [{foreign-based third party}{offshore production data}{offshore backup data} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12
    {foreign-based third party}{offshore production data}{offshore backup data} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12]
    Third Party and supply chain oversight Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Third Party and supply chain oversight Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115
    [Interview management and review the business continuity request information to identify: Changes in key service providers (technology, communication, back-up/recovery, etc.) and software vendors; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 4
    Interview management and review the business continuity request information to identify: Changes in key service providers (technology, communication, back-up/recovery, etc.) and software vendors; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 4
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Periodic reporting to an appropriate oversight committee; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 6]
    Third Party and supply chain oversight Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Third Party and supply chain oversight Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519 Third Party and supply chain oversight Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [{TSP}{contract termination}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Right to terminate language (if the TSP defaults on SLAs and RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 4]
    Third Party and supply chain oversight Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Preventive
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Preventive
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900 Third Party and supply chain oversight Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Third Party and supply chain oversight Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 Third Party and supply chain oversight Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Third Party and supply chain oversight Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Third Party and supply chain oversight Detective
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Detective
    Categorize all suppliers in the supply chain management program. CC ID 00792 Third Party and supply chain oversight Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [{offshore data storage}{risk profile} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Evidence of management's evaluation of whether storage of data offshore (production or back-up) meets the financial institution's risk appetite and profile; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 1]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809 Third Party and supply chain oversight Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132 Third Party and supply chain oversight Preventive
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Third Party and supply chain oversight Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Third Party and supply chain oversight Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Third Party and supply chain oversight Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Preventive
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Testing requirements with the TSP; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 7]
    Third Party and supply chain oversight Detective
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Detective
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Third Party and supply chain oversight Preventive
    Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: TSP accountability for actions/inactions of subcontractors should the subcontractor fail to provide necessary service(s) for business recovery capabilities; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 5]
    Third Party and supply chain oversight Preventive
  • Human Resources Management
    25
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Detective
    Assign senior management to approve test plans. CC ID 13071
    [From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5]
    Monitoring and measurement Preventive
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Monitoring and measurement Preventive
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Detective
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Operational and Systems Continuity Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 2
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: : Trained employees are located at the back-up site at the time of disruption; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 1
    Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8
    {unavailability} Determine that the test assumptions are appropriate for core and significant firms and consider: Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 2
    {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4
    Determine whether the strategy addresses staffing considerations, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate staff; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 4]
    Operational and Systems Continuity Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to relocate or engage staff from alternate sites; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 5]
    Operational and Systems Continuity Preventive
    Identify employees who have family members who are first responders or medical personnel. CC ID 14389 Operational and Systems Continuity Detective
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine the quality of business continuity plan oversight and support provided by the board and senior management. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2
    {BCP and testing program} Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:2
    {board committee} Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution's pandemic preparedness program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:1]
    Human Resources management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118
    [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1]
    Human Resources management Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6]
    Human Resources management Preventive
    Implement a staff rotation plan. CC ID 12772 Human Resources management Preventive
    Provide protective face masks for critical personnel, as necessary. CC ID 06803
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Human Resources management Preventive
    Establish, implement, and maintain an insider threat program. CC ID 10687
    [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7]
    Human Resources management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Corrective
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Preventive
  • IT Impact Zone
    12
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    18
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Detective
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Detective
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Preventive
    Scan for malicious code, as necessary. CC ID 11941 Technical security Detective
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Detective
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Detective
    Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212
    [Determine whether audit involvement in the business continuity program is effective, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11]
    Operational and Systems Continuity Detective
    Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218
    [{assess}Determine whether audit involvement in the business continuity program is effective, including: Assessment of business continuity preparedness during line(s) of business reviews; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 2]
    Operational and Systems Continuity Detective
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Detective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Detective
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Detective
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Detective
  • Log Management
    17
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Monitoring and measurement Detective
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Detective
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Preventive
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Detective
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Detective
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Preventive
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Operational and Systems Continuity Preventive
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
  • Maintenance
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Preventive
  • Monitor and Evaluate Occurrences
    54
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [Interview management and review the business continuity request information to identify: Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 1]
    Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Preventive
    Monitor the usage and capacity of critical assets. CC ID 14825 Monitoring and measurement Detective
    Monitor the usage and capacity of Information Technology assets. CC ID 00668
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Data centers and computer operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Data centers and computer operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Back-room operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 2
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to handle increased workloads supporting critical operations for extended periods. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 8
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2]
    Monitoring and measurement Detective
    Monitor all outbound traffic from all systems. CC ID 12970 Monitoring and measurement Preventive
    Monitor systems for errors and faults. CC ID 04544
    [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8]
    Monitoring and measurement Detective
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 Monitoring and measurement Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitoring and measurement Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225
    [{BCP and testing program} Determine whether the financial institution and service provider consider their susceptibility to simultaneous attacks in their business resilience planning, testing, and recovery strategies. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:6]
    Monitoring and measurement Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Detective
    Detect unauthorized access to systems. CC ID 06798 Monitoring and measurement Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Detective
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitoring and measurement Preventive
    Monitor and evaluate system performance. CC ID 00651
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitoring and measurement Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitoring and measurement Detective
    Implement file integrity monitoring. CC ID 01205
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitoring and measurement Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitoring and measurement Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitoring and measurement Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494
    [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5]
    Monitoring and measurement Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Detective
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Preventive
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Detective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitoring and measurement Corrective
    Establish, implement, and maintain a corrective action plan. CC ID 00675 Monitoring and measurement Detective
    Include monitoring in the corrective action plan. CC ID 11645
    [Review management's response to audit recommendations noted since the last examination. Consider the following: Monitoring systems used to track the implementation of recommendations on an on- going basis TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 4]
    Monitoring and measurement Detective
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Preventive
    Log and react to all malicious code activity. CC ID 07072 Technical security Detective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Detective
    Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Operational and Systems Continuity Detective
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Detective
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Detective
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Detective
    Escalate incidents, as necessary. CC ID 14861 Operational management Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Corrective
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Detective
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Preventive
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4]
    Third Party and supply chain oversight Detective
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Detective
  • Physical and Environmental Protection
    59
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Preventive
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5]
    Physical and environmental protection Corrective
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1
    Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1]
    Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Detective
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Preventive
    Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 Operational and Systems Continuity Preventive
    Install and maintain dedicated power lines to critical facilities. CC ID 06357 Operational and Systems Continuity Preventive
    Install electro-magnetic shielding around all electrical cabling. CC ID 06358 Operational and Systems Continuity Preventive
    Install electrical grounding equipment. CC ID 06359 Operational and Systems Continuity Preventive
    Implement redundancy in life-safety systems. CC ID 02228 Operational and Systems Continuity Preventive
    Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 Operational and Systems Continuity Corrective
    Separate the alternate facility from the primary facility through geographic separation. CC ID 01394
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate facilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate processing locations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 2
    Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 5]
    Operational and Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Preventive
    Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226
    [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2]
    Operational and Systems Continuity Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Preventive
  • Process or Activity
    43
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942 Leadership and high level objectives Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909
    [{business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Crisis management decision process; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 3]
    Leadership and high level objectives Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Monitoring and measurement Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Identify risk management measures when testing in scope systems. CC ID 14960 Monitoring and measurement Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Preventive
    Approve the vulnerability management program. CC ID 15722 Monitoring and measurement Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Detective
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Corrective
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Preventive
    Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 Operational and Systems Continuity Corrective
    Perform backup procedures for in scope systems. CC ID 11692 Operational and Systems Continuity Preventive
    Identify tasks that can be accomplished at alternate work sites. CC ID 14393 Operational and Systems Continuity Preventive
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Corrective
    Contain the incident to prevent further loss. CC ID 01751
    [{incident containment procedure} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Steps to be taken to contain the problem; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 3]
    Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Perform emergency changes, as necessary. CC ID 12707 Operational management Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Detective
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Detective
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Third Party and supply chain oversight Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Retain penetration test results according to internal policy. CC ID 10049 Monitoring and measurement Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Monitoring and measurement Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038
    [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5]
    Audits and risk management Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Operational and Systems Continuity Preventive
    Identify all critical business records. CC ID 00737 Operational and Systems Continuity Detective
  • Systems Continuity
    37
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Operational and Systems Continuity Detective
    Include information security continuity in the scope of the continuity framework. CC ID 12009
    [{take into account}Review and verify that the written BCP: Take(s) into account: Security; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 7
    Determine that the BCP includes appropriate security procedures. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Security; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 1
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Operational and Systems Continuity Preventive
    Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 Operational and Systems Continuity Preventive
    Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 Operational and Systems Continuity Corrective
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {impact analysis}{service interruption} Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:7
    {internal factor}Interview management and review the business continuity request information to identify: Any other internal or external factors that could affect the business continuity process. TTIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 5]
    Operational and Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define the conditions under which the back-up site would be used; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 4]
    Operational and Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Corrective
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Corrective
    Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 Operational and Systems Continuity Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Operational and Systems Continuity Preventive
    Document the mean time to failure for system components. CC ID 10684 Operational and Systems Continuity Preventive
    Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241
    [{business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2
    {business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 Operational and Systems Continuity Preventive
    Include evacuation procedures in the continuity plan. CC ID 12773 Operational and Systems Continuity Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Operating systems; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 2
    Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Utility programs; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 4
    {data backup}Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Data; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 1
    {data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4]
    Operational and Systems Continuity Preventive
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Operational and Systems Continuity Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Operational and Systems Continuity Detective
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Operational and Systems Continuity Preventive
    Back up all records. CC ID 11974 Operational and Systems Continuity Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Operational and Systems Continuity Preventive
    Validate information security continuity controls regularly. CC ID 12008 Operational and Systems Continuity Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Operational and Systems Continuity Preventive
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Applications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 3]
    Operational and Systems Continuity Preventive
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Third Party and supply chain oversight Preventive
    Review third parties' backup policies. CC ID 13043
    [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Third Party and supply chain oversight Detective
  • Systems Design, Build, and Implementation
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Validate the system before implementing approved changes. CC ID 01510 Operational management Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 Systems design, build, and implementation Preventive
    Formally approve the initiation of each project phase. CC ID 00997 Systems design, build, and implementation Detective
    Identify accreditation tasks. CC ID 00999 Systems design, build, and implementation Detective
  • Technical Security
    61
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Monitoring and measurement Detective
    Allow expected changes during file integrity monitoring. CC ID 12090 Monitoring and measurement Preventive
    Conduct Red Team exercises, as necessary. CC ID 12131 Monitoring and measurement Detective
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [{business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7]
    Monitoring and measurement Detective
    Scan wireless networks for rogue devices. CC ID 11623 Monitoring and measurement Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Monitoring and measurement Corrective
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Monitoring and measurement Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Monitoring and measurement Detective
    Perform external penetration tests, as necessary. CC ID 12470 Monitoring and measurement Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Monitoring and measurement Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Monitoring and measurement Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Monitoring and measurement Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Monitoring and measurement Corrective
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Detective
    Identify and document security vulnerabilities. CC ID 11857
    [{technology vulnerability}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Technological and security vulnerabilities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 1
    Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4
    Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4]
    Monitoring and measurement Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Detective
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Detective
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Detective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Monitoring and measurement Detective
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Detective
    Perform vulnerability assessments, as necessary. CC ID 11828 Monitoring and measurement Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Monitoring and measurement Detective
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Monitoring and measurement Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Monitoring and measurement Detective
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Monitoring and measurement Corrective
    Correct or mitigate vulnerabilities. CC ID 12497 Monitoring and measurement Corrective
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Monitoring and measurement Corrective
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Preventive
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538
    [{authentication credential} Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:6
    {authentication credential} Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:6]
    Technical security Preventive
    Control user privileges. CC ID 11665 Technical security Preventive
    Review all user privileges, as necessary. CC ID 06784 Technical security Preventive
    Review each user's access capabilities when their role changes. CC ID 00524
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5
    {alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5]
    Technical security Preventive
    Install and maintain container security solutions. CC ID 16178 Technical security Preventive
    Protect the system against replay attacks. CC ID 04552 Technical security Preventive
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical security Detective
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical security Corrective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Preventive
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Preventive
    Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227
    [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2]
    Operational and Systems Continuity Preventive
    Categorize the incident following an incident response. CC ID 13208 Operational management Preventive
    Refrain from accessing compromised systems. CC ID 01752 Operational management Corrective
    Isolate compromised systems from the network. CC ID 01753 Operational management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Corrective
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Corrective
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Preventive
    Implement patch management software, as necessary. CC ID 12094 Operational management Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Preventive
    Review the patch log for missing patches. CC ID 13186 Operational management Detective
    Patch software. CC ID 11825 Operational management Corrective
    Patch the operating system, as necessary. CC ID 11824 Operational management Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Detective
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Preventive
  • Testing
    112
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Preventive
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Preventive
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Monitoring and measurement Preventive
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Detective
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Detective
    Require testing procedures to be complete. CC ID 00664
    [{corresponding} Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Full-scope, end-to-end testing with a frequency commensurate with complexity and risk; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 1
    {full-scale test}{end-to-end testing} Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing is full-scale and end-to-end; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 1
    {full-scale test}{end-to-end testing} Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing is full-scale and end-to-end; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 1]
    Monitoring and measurement Detective
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Detective
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Monitoring and measurement Detective
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Monitoring and measurement Preventive
    Test the in scope system in accordance with its intended purpose. CC ID 14961 Monitoring and measurement Preventive
    Perform network testing in accordance with organizational standards. CC ID 16448 Monitoring and measurement Preventive
    Test user accounts in accordance with organizational standards. CC ID 16421 Monitoring and measurement Preventive
    Scan organizational networks for rogue devices. CC ID 00536 Monitoring and measurement Detective
    Scan the network for wireless access points. CC ID 00370 Monitoring and measurement Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Monitoring and measurement Detective
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Monitoring and measurement Preventive
    Perform conformity assessments, as necessary. CC ID 15095 Monitoring and measurement Detective
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Monitoring and measurement Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Monitoring and measurement Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Monitoring and measurement Corrective
    Perform penetration tests, as necessary. CC ID 00655 Monitoring and measurement Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Monitoring and measurement Detective
    Test the system for broken access controls. CC ID 01319 Monitoring and measurement Detective
    Test the system for broken authentication and session management. CC ID 01320 Monitoring and measurement Detective
    Test the system for insecure communications. CC ID 00535 Monitoring and measurement Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Monitoring and measurement Detective
    Test the system for buffer overflows. CC ID 01322 Monitoring and measurement Detective
    Test the system for injection flaws. CC ID 01323 Monitoring and measurement Detective
    Test the system for Denial of Service. CC ID 01326 Monitoring and measurement Detective
    Test the system for insecure configuration management. CC ID 01327 Monitoring and measurement Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Monitoring and measurement Detective
    Test the system for cross-site request forgery. CC ID 06296 Monitoring and measurement Detective
    Repeat penetration testing, as necessary. CC ID 06860 Monitoring and measurement Detective
    Test the system for covert channels. CC ID 10652 Monitoring and measurement Detective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Monitoring and measurement Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646 Monitoring and measurement Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656 Monitoring and measurement Detective
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Preventive
    Test the system for unvalidated input. CC ID 01318 Monitoring and measurement Detective
    Test the system for proper error handling. CC ID 01324 Monitoring and measurement Detective
    Test the system for insecure data storage. CC ID 01325 Monitoring and measurement Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Monitoring and measurement Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Monitoring and measurement Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Monitoring and measurement Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Monitoring and measurement Detective
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3]
    Audits and risk management Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2]
    Audits and risk management Detective
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986
    [Review management's response to audit recommendations noted since the last examination. Consider the following Resolution of root causes rather than just specific audit deficiencies; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 2]
    Audits and risk management Detective
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Detective
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Detective
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3
    Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5]
    Audits and risk management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861 Technical security Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Detective
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Detective
    Involve auditors in reviewing and testing the business continuity program. CC ID 13211
    [Determine whether audit involvement in the business continuity program is effective, including: Audit participation in testing as an observer and as a reviewer of test plans and results; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 3
    {business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3
    {business continuity test process}{business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3]
    Operational and Systems Continuity Detective
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265
    [{test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 2
    {test strategy}{predetermined time frame} Determine whether the core firm's testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 8]
    Operational and Systems Continuity Detective
    Establish, implement, and maintain the organization's call tree. CC ID 01167
    [{primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1]
    Operational and Systems Continuity Detective
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Detective
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Detective
    Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397
    [{one}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Reliance upon a single communications provider; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 1]
    Operational and Systems Continuity Detective
    Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 5
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 3
    {alternate facility}Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Telecommunications and remote computing. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 4
    {alternate facility}Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Telecommunications and remote computing. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 4]
    Operational and Systems Continuity Detective
    Require telecommunications service providers to have adequate continuity plans. CC ID 01400 Operational and Systems Continuity Detective
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3
    {backup media} Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Back-up media; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Off-site storage. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 5]
    Operational and Systems Continuity Detective
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401 Operational and Systems Continuity Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Operational and Systems Continuity Detective
    Test each restored system for media integrity and information integrity. CC ID 01920 Operational and Systems Continuity Detective
    Include stakeholders when testing restored systems, as necessary. CC ID 13066 Operational and Systems Continuity Corrective
    Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370
    [{takes into account}Review and verify that the written BCP:Take(s) into account: Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 8]
    Operational and Systems Continuity Detective
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: An evaluation of the reasonableness of assumptions used in developing the testing strategy. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 4
    {BCP testing program} Determine whether the financial institution's testing program enhances resilience through demonstrated ability to recover, resume, and maintain operations after disruptions, ranging from minor outages to wide-scale disasters consistent with the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {core firm} Determine that the test assumptions are appropriate for core and significant firms and consider: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7
    Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Operational and Systems Continuity Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:4
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11
    {bcp testing program}{region}{nation}Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Local, regional, or national testing/exercises. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 5]
    Operational and Systems Continuity Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767
    [{BCP testing program}Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Telecommuting to simulate and test remote access; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 2
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    {bcp testing program} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1
    {bcp testing program} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1
    {connectivity testing}{test plan}Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1
    {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Risk assumptions; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 2
    {business continuity testing strategy}{enterprise-wide test} Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3
    {business continuity testing strategy}{enterprise-wide test} Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2]
    Operational and Systems Continuity Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766
    [Determine whether testing scenarios with critical third-parties considers: Return to normal operations. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 6
    Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2
    Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2
    Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7
    Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7]
    Operational and Systems Continuity Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777
    [{BCP testing program}{internal communication} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Internal and external communications processes and links; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3
    {BCP testing program}{internal communication} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Internal and external communications processes and links; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3
    {business continuity testing strategy}{internal communication procedure}{external communication procedure}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5
    {business continuity testing strategy}{internal communication procedure}{external communication procedure}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5
    {business continuity testing strategy}{internal contact} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Notification procedures to follow for internal and external contacts. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 6
    {business continuity testing strategy}{key stakeholders} Determine whether the strategy addresses staffing considerations, including: The ability to communicate with key internal and external stakeholders; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 2]
    Operational and Systems Continuity Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [{critical third party} Evaluate how the financial institution ensures timeliness, thoroughness, and completeness of periodic testing with their critical providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:4
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Participation in third-party testing; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 4
    Determine that the test assumptions are appropriate for core and significant firms and consider: Other organizations in the immediate area that are also affected; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 3
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes critical subcontractors. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 3]
    Operational and Systems Continuity Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757
    [{wide-scale disruption} Determine management's process for determining the scope of disaster recovery test scenarios, including whether management augments the tests with multiple concurrent or widespread interruptions to simulate the impact of "worst case" scenarios. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:10
    {wide-scale disruption} Determine management's process for determining the scope of disaster recovery test scenarios, including whether management augments the tests with multiple concurrent or widespread interruptions to simulate the impact of "worst case" scenarios. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:10
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A testing program to better ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 4
    {BCP testing program}{table top exercise} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Table top operations exercises; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 4
    {business continuity testing strategy}{emergency response} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6
    Determine whether testing scenarios with critical third-parties considers: An outage or disruption of the service provider; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 1
    Determine whether testing scenarios with critical third-parties considers: An outage or disruption at the financial institution; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 2
    Determine whether testing scenarios with critical third-parties considers: Crisis management; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 4
    Determine whether testing scenarios with critical third-parties considers: Cyber events; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 5
    Determine that the test assumptions are appropriate for core and significant firms and consider: Infrastructure (power, telecommunications, transportation) that is disrupted; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 4
    {business continuity testing strategy} Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1
    {test scenario}{feasibility} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 4
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3
    {test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 1]
    Operational and Systems Continuity Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082
    [Determine whether the continuity strategy addresses interdependent components, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7
    {internal interdependencies}{business continuity testing strategy} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: Expectations for testing internal and external interdependencies; and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 3
    {internal interdependencies}{business continuity testing strategy} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: Expectations for testing internal and external interdependencies; and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 3
    Determine that test scenarios reflect key interdependencies. Consider the following: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3
    Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 9
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2]
    Operational and Systems Continuity Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Assigned command center and assembly locations; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 2
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Assigned command center and assembly locations; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 2]
    Operational and Systems Continuity Preventive
    Test the continuity plan at the alternate facility. CC ID 01174
    [Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' alternative location. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 3
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' primary location; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 2
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's primary location to the TSPs' alternative location; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 1
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    {connectivity testing}{test plan}Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1
    {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3
    {business continuity testing strategy} Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 10
    {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3]
    Operational and Systems Continuity Detective
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388
    [{business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 1
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 1]
    Operational and Systems Continuity Preventive
    Review all third party's continuity plan test results. CC ID 01365
    [{technology service provider}{recovery time objective}{wide-scale disruption}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: DR/BCP test results for RTOs that provide evidence the TSP can recover from large scale disruptions and cyber events; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 1
    Determine whether management has received and reviewed testing results of their TSPs. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:10
    Determine whether management has received and reviewed testing results of their TSPs. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:10
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Third-party testing results; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 5
    {business continuity test} Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6
    Determine whether the significant firm meets the testing requirements of applicable core firms. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 11
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the institution receives adequate testing information which validates and demonstrates the recovery capability and capacity of their critical service providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:9]
    Operational and Systems Continuity Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Detective
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553
    [{retest} Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 4]
    Operational and Systems Continuity Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404
    [{business continuity testing strategy}{recovery of lost data} Determine whether the strategy addresses technology considerations, including: Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 5]
    Operational and Systems Continuity Detective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216
    [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program]
    Operational and Systems Continuity Detective
    Assess all incidents to determine what information was accessed. CC ID 01226
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Procedures for determining the nature and scope of the incident; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 2]
    Operational management Corrective
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Corrective
    Test the incident response procedures. CC ID 01216
    [{cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9
    Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: A requirement for periodic testing of the incident response plan in the real-world threat landscape; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 8
    Determine whether testing scenarios with critical third-parties considers: An incident response plan; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 3]
    Operational management Detective
    Test proposed changes prior to their approval. CC ID 00548 Operational management Detective
    Perform risk assessments prior to approving change requests. CC ID 00888 Operational management Preventive
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Review changes to computer firmware. CC ID 12226 Operational management Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Detective
    Perform a risk assessment for each system development project. CC ID 01000 Systems design, build, and implementation Detective
    Conduct a post implementation review when the system design project ends. CC ID 01003 Systems design, build, and implementation Detective
    Test the exit plan, as necessary. CC ID 15495 Third Party and supply chain oversight Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Adherence to U.S. data confidentiality and security standards at a minimum by foreign-based service providers/subcontractors; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 6
    Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Third Party and supply chain oversight Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797
    [Review and verify that the written BCP: Addresses the recovery of vendors and outsourcing arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 2
    Review and verify that the written BCP: Addresses the recovery of vendors and outsourcing arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 2]
    Third Party and supply chain oversight Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Detective
    Perform risk assessments of third parties, as necessary. CC ID 06454 Third Party and supply chain oversight Detective
  • Training
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include cross-team coordination in continuity plan training. CC ID 16235 Operational and Systems Continuity Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Operational and Systems Continuity Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Operational and Systems Continuity Preventive
    Include personal protection in continuity plan training. CC ID 14394 Operational and Systems Continuity Preventive
Common Controls and
mandates by Classification
252 Mandated Controls - bold    
123 Implied Controls - italic     1085 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
1460 Total
  • Corrective
    90
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 Monitoring and measurement Communicate
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about filing Suspicious Activity Reports (SARs); TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 6]
    Monitoring and measurement Establish/Maintain Documentation
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Monitoring and measurement Technical Security
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitoring and measurement Monitor and Evaluate Occurrences
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Monitoring and measurement Configuration
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Monitoring and measurement Testing
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Monitoring and measurement Technical Security
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Configuration
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Behavior
    Perform vulnerability assessments, as necessary. CC ID 11828 Monitoring and measurement Technical Security
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Monitoring and measurement Technical Security
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Monitoring and measurement Configuration
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Monitoring and measurement Establish/Maintain Documentation
    Correct or mitigate vulnerabilities. CC ID 12497 Monitoring and measurement Technical Security
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Monitoring and measurement Technical Security
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [Review management's response to audit recommendations noted since the last examination. Consider the following Adequacy and timing of corrective action; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1
    Review management's response to audit recommendations noted since the last examination. Consider the following Adequacy and timing of corrective action; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1
    Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13
    Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3
    Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3]
    Audits and risk management Establish/Maintain Documentation
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Actionable Reports or Measurements
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Acquisition/Sale of Assets or Services
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Establish/Maintain Documentation
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 Audits and risk management Establish/Maintain Documentation
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Establish/Maintain Documentation
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Process or Activity
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Communicate
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Technical security Establish/Maintain Documentation
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical security Technical Security
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5]
    Physical and environmental protection Physical and Environmental Protection
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Establish/Maintain Documentation
    Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 Operational and Systems Continuity Systems Continuity
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define the conditions under which the back-up site would be used; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 4]
    Operational and Systems Continuity Systems Continuity
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Communicate
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Establish/Maintain Documentation
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Systems Continuity
    Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 Operational and Systems Continuity Configuration
    Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 Operational and Systems Continuity Process or Activity
    Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 Operational and Systems Continuity Physical and Environmental Protection
    Include stakeholders when testing restored systems, as necessary. CC ID 13066 Operational and Systems Continuity Testing
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Media representatives; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 4]
    Operational and Systems Continuity Communicate
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Monitor and Evaluate Occurrences
    Escalate incidents, as necessary. CC ID 14861 Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Process or Activity
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Behavior
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Process or Activity
    Contain the incident to prevent further loss. CC ID 01751
    [{incident containment procedure} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Steps to be taken to contain the problem; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 3]
    Operational management Process or Activity
    Refrain from accessing compromised systems. CC ID 01752 Operational management Technical Security
    Isolate compromised systems from the network. CC ID 01753 Operational management Technical Security
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Log Management
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Technical Security
    Assess all incidents to determine what information was accessed. CC ID 01226
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Procedures for determining the nature and scope of the incident; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 2]
    Operational management Testing
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Monitor and Evaluate Occurrences
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about what is required for contacting affected customers; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 4]
    Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Behavior
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Behavior
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Behavior
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Behavior
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Behavior
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Behavior
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Behavior
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Operational management Establish/Maintain Documentation
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Technical Security
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Business Processes
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Human Resources Management
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Technical Security
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858
    [{reasonable method} Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:4
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Remote access; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 7
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational management Establish/Maintain Documentation
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Testing
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Testing
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Communicate
    Approve back-out plans, as necessary. CC ID 13627 Operational management Establish/Maintain Documentation
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Configuration
    Patch software. CC ID 11825 Operational management Technical Security
    Patch the operating system, as necessary. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
    Update computer firmware, as necessary. CC ID 11755 Operational management Configuration
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Configuration
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Business Processes
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Establish/Maintain Documentation
    Document approved configuration deviations. CC ID 08711 Operational management Establish/Maintain Documentation
    Terminate supplier relationships, as necessary. CC ID 13489 Third Party and supply chain oversight Business Processes
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Business Processes
  • Detective
    265
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Establish Roles
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5]
    Leadership and high level objectives Establish/Maintain Documentation
    Monitor the usage and capacity of critical assets. CC ID 14825 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor the usage and capacity of Information Technology assets. CC ID 00668
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Data centers and computer operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Data centers and computer operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Back-room operations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 2
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to handle increased workloads supporting critical operations for extended periods. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 8
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    {bcp testing program}{electronic banking}{ATM} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1
    Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 Monitoring and measurement Behavior
    Monitor systems for errors and faults. CC ID 04544
    [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225
    [{BCP and testing program} Determine whether the financial institution and service provider consider their susceptibility to simultaneous attacks in their business resilience planning, testing, and recovery strategies. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:6]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Monitor and Evaluate Occurrences
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Human Resources Management
    Detect unauthorized access to systems. CC ID 06798 Monitoring and measurement Monitor and Evaluate Occurrences
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Monitor and Evaluate Occurrences
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Monitoring and measurement Log Management
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Log Management
    Monitor and evaluate system performance. CC ID 00651
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Monitoring and measurement Establish/Maintain Documentation
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitoring and measurement Monitor and Evaluate Occurrences
    Implement file integrity monitoring. CC ID 01205
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Monitoring and measurement Technical Security
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Monitor and Evaluate Occurrences
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Testing
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Testing
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Testing
    Require testing procedures to be complete. CC ID 00664
    [{corresponding} Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Full-scope, end-to-end testing with a frequency commensurate with complexity and risk; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 1
    {full-scale test}{end-to-end testing} Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing is full-scale and end-to-end; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 1
    {full-scale test}{end-to-end testing} Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing is full-scale and end-to-end; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 1]
    Monitoring and measurement Testing
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Testing
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Monitor and Evaluate Occurrences
    Conduct Red Team exercises, as necessary. CC ID 12131 Monitoring and measurement Technical Security
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [{business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7
    {business continuity testing strategy}{physical security} Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7]
    Monitoring and measurement Technical Security
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Monitoring and measurement Testing
    Identify risk management measures when testing in scope systems. CC ID 14960 Monitoring and measurement Process or Activity
    Scan organizational networks for rogue devices. CC ID 00536 Monitoring and measurement Testing
    Scan the network for wireless access points. CC ID 00370 Monitoring and measurement Testing
    Scan wireless networks for rogue devices. CC ID 11623 Monitoring and measurement Technical Security
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Monitoring and measurement Testing
    Perform conformity assessments, as necessary. CC ID 15095 Monitoring and measurement Testing
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Monitoring and measurement Technical Security
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Monitoring and measurement Establish/Maintain Documentation
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Monitoring and measurement Testing
    Perform penetration tests, as necessary. CC ID 00655 Monitoring and measurement Testing
    Perform internal penetration tests, as necessary. CC ID 12471 Monitoring and measurement Technical Security
    Perform external penetration tests, as necessary. CC ID 12470 Monitoring and measurement Technical Security
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Monitoring and measurement Testing
    Test the system for broken access controls. CC ID 01319 Monitoring and measurement Testing
    Test the system for broken authentication and session management. CC ID 01320 Monitoring and measurement Testing
    Test the system for insecure communications. CC ID 00535 Monitoring and measurement Testing
    Test the system for cross-site scripting attacks. CC ID 01321 Monitoring and measurement Testing
    Test the system for buffer overflows. CC ID 01322 Monitoring and measurement Testing
    Test the system for injection flaws. CC ID 01323 Monitoring and measurement Testing
    Test the system for Denial of Service. CC ID 01326 Monitoring and measurement Testing
    Test the system for insecure configuration management. CC ID 01327 Monitoring and measurement Testing
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Monitoring and measurement Testing
    Test the system for cross-site request forgery. CC ID 06296 Monitoring and measurement Testing
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Monitoring and measurement Technical Security
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Monitoring and measurement Technical Security
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Audits and Risk Management
    Repeat penetration testing, as necessary. CC ID 06860 Monitoring and measurement Testing
    Test the system for covert channels. CC ID 10652 Monitoring and measurement Testing
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Monitoring and measurement Technical Security
    Test systems to determine which covert channels might be exploited. CC ID 10654 Monitoring and measurement Testing
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Technical Security
    Repeat vulnerability scanning, as necessary. CC ID 11646 Monitoring and measurement Testing
    Identify and document security vulnerabilities. CC ID 11857
    [{technology vulnerability}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Technological and security vulnerabilities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 1
    Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4
    Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4]
    Monitoring and measurement Technical Security
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Investigate
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Technical Security
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Technical Security
    Perform internal vulnerability scans, as necessary. CC ID 00656 Monitoring and measurement Testing
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Technical Security
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Technical Security
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Technical Security
    Perform external vulnerability scans, as necessary. CC ID 11624 Monitoring and measurement Technical Security
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Technical Security
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Monitoring and measurement Technical Security
    Test the system for unvalidated input. CC ID 01318 Monitoring and measurement Testing
    Test the system for proper error handling. CC ID 01324 Monitoring and measurement Testing
    Test the system for insecure data storage. CC ID 01325 Monitoring and measurement Testing
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Monitoring and measurement Testing
    Test the system for insecure cryptographic storage. CC ID 11635 Monitoring and measurement Technical Security
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Monitoring and measurement Testing
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Monitoring and measurement Testing
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Monitoring and measurement Testing
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Monitoring and measurement Configuration
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a corrective action plan. CC ID 00675 Monitoring and measurement Monitor and Evaluate Occurrences
    Include monitoring in the corrective action plan. CC ID 11645
    [Review management's response to audit recommendations noted since the last examination. Consider the following: Monitoring systems used to track the implementation of recommendations on an on- going basis TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 4]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3]
    Audits and risk management Testing
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2]
    Audits and risk management Testing
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986
    [Review management's response to audit recommendations noted since the last examination. Consider the following Resolution of root causes rather than just specific audit deficiencies; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 2]
    Audits and risk management Testing
    Review the adequacy of the internal auditor's work papers. CC ID 01146
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior regulatory reports of examination; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 2
    Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Pre-examination planning memos; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 1
    {work paper}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Prior examination workpapers; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 3]
    Audits and risk management Audits and Risk Management
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the internal auditor's audit reports. CC ID 11620
    [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3]
    Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155
    [{internal audit report}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Internal and external audit reports, including third-party reports; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 4
    {internal audit report}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Internal and external audit reports, including third-party reports; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 4]
    Audits and risk management Establish/Maintain Documentation
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Log Management
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1
    Review management's response to audit recommendations noted since the last examination. Consider the following: Existence of any outstanding issues; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 3
    Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Violations of law, rulings, regulations; TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 1]
    Audits and risk management Establish/Maintain Documentation
    Review management's response to issues raised in past audit reports. CC ID 01149
    [Review management's response to audit recommendations noted since the last examination. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2]
    Audits and risk management Audits and Risk Management
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Testing
    Review the audit program scope as it relates to the organization's profile. CC ID 01159
    [Determine whether audit involvement in the business continuity program is effective, including: Audit coverage of the business continuity program; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 1]
    Audits and risk management Audits and Risk Management
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Testing
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Business Processes
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Audits and Risk Management
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Human Resources Management
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Investigate
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Audits and Risk Management
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Establish/Maintain Documentation
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [{risk profile}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6]
    Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Investigate
    Conduct a Business Impact Analysis, as necessary. CC ID 01147
    [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3
    Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 3]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468
    [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7
    {internal threat}Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Internally identified threats; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 2]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [{external threat} Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:4 Bullet 3]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 1]
    Audits and risk management Actionable Reports or Measurements
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Audits and Risk Management
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment]
    Audits and risk management Establish/Maintain Documentation
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Process or Activity
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Process or Activity
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Testing
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Audits and Risk Management
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Audits and Risk Management
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Process or Activity
    Scan for malicious code, as necessary. CC ID 11941 Technical security Investigate
    Test all removable storage media for viruses and malicious code. CC ID 11861 Technical security Testing
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Testing
    Log and react to all malicious code activity. CC ID 07072 Technical security Monitor and Evaluate Occurrences
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical security Technical Security
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Physical and Environmental Protection
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Investigate
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Physical and Environmental Protection
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Testing
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Physical and Environmental Protection
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Monitor and Evaluate Occurrences
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Investigate
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Log Management
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Log Management
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Monitor and Evaluate Occurrences
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Physical and Environmental Protection
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Monitor and Evaluate Occurrences
    Involve auditors in reviewing and testing the business continuity program. CC ID 13211
    [Determine whether audit involvement in the business continuity program is effective, including: Audit participation in testing as an observer and as a reviewer of test plans and results; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 3
    {business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3
    {business continuity test process}{business continuity test result} Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3]
    Operational and Systems Continuity Testing
    Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212
    [Determine whether audit involvement in the business continuity program is effective, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11]
    Operational and Systems Continuity Investigate
    Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218
    [{assess}Determine whether audit involvement in the business continuity program is effective, including: Assessment of business continuity preparedness during line(s) of business reviews; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 2]
    Operational and Systems Continuity Investigate
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265
    [{test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 2
    {test strategy}{predetermined time frame} Determine whether the core firm's testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 8]
    Operational and Systems Continuity Testing
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Operational and Systems Continuity Systems Continuity
    Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Operational and Systems Continuity Monitor and Evaluate Occurrences
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {impact analysis}{service interruption} Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:7
    {internal factor}Interview management and review the business continuity request information to identify: Any other internal or external factors that could affect the business continuity process. TTIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 5]
    Operational and Systems Continuity Systems Continuity
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Establish, implement, and maintain the organization's call tree. CC ID 01167
    [{primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1]
    Operational and Systems Continuity Testing
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Testing
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 Operational and Systems Continuity Systems Continuity
    Define and prioritize critical business functions. CC ID 00736
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all critical business records. CC ID 00737 Operational and Systems Continuity Records Management
    Establish, implement, and maintain a critical personnel list. CC ID 00739 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a critical resource list. CC ID 00740 Operational and Systems Continuity Establish/Maintain Documentation
    Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743
    [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6
    Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4
    {data communication} Determine whether the financial institution and service provider are considering al- ternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397
    [{one}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Reliance upon a single communications provider; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 1]
    Operational and Systems Continuity Testing
    Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 5
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 3
    {alternate facility}Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Telecommunications and remote computing. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 4
    {alternate facility}Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Telecommunications and remote computing. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 4]
    Operational and Systems Continuity Testing
    Require telecommunications service providers to have adequate continuity plans. CC ID 01400 Operational and Systems Continuity Testing
    Designate an alternate facility in the continuity plan. CC ID 00742 Operational and Systems Continuity Establish/Maintain Documentation
    Determine which data elements to back up. CC ID 13483 Operational and Systems Continuity Data and Information Management
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3
    {backup media} Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Back-up media; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Off-site storage. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 5]
    Operational and Systems Continuity Testing
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Operational and Systems Continuity Systems Continuity
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401 Operational and Systems Continuity Testing
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Operational and Systems Continuity Testing
    Test each restored system for media integrity and information integrity. CC ID 01920 Operational and Systems Continuity Testing
    Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370
    [{takes into account}Review and verify that the written BCP:Take(s) into account: Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 8]
    Operational and Systems Continuity Testing
    Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 Operational and Systems Continuity Business Processes
    Review the beneficiaries of the insurance policy. CC ID 16563 Operational and Systems Continuity Business Processes
    Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 Operational and Systems Continuity Establish/Maintain Documentation
    Identify employees who have family members who are first responders or medical personnel. CC ID 14389 Operational and Systems Continuity Human Resources Management
    Test the continuity plan, as necessary. CC ID 00755
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:4
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11
    {bcp testing program}{region}{nation}Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Local, regional, or national testing/exercises. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 5]
    Operational and Systems Continuity Testing
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Testing
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757
    [{wide-scale disruption} Determine management's process for determining the scope of disaster recovery test scenarios, including whether management augments the tests with multiple concurrent or widespread interruptions to simulate the impact of "worst case" scenarios. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:10
    {wide-scale disruption} Determine management's process for determining the scope of disaster recovery test scenarios, including whether management augments the tests with multiple concurrent or widespread interruptions to simulate the impact of "worst case" scenarios. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:10
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A testing program to better ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 4
    {BCP testing program}{table top exercise} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Table top operations exercises; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 4
    {business continuity testing strategy}{emergency response} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6
    Determine whether testing scenarios with critical third-parties considers: An outage or disruption of the service provider; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 1
    Determine whether testing scenarios with critical third-parties considers: An outage or disruption at the financial institution; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 2
    Determine whether testing scenarios with critical third-parties considers: Crisis management; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 4
    Determine whether testing scenarios with critical third-parties considers: Cyber events; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 5
    Determine that the test assumptions are appropriate for core and significant firms and consider: Infrastructure (power, telecommunications, transportation) that is disrupted; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 4
    {business continuity testing strategy} Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1
    {test scenario}{feasibility} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 4
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {test strategy} Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 1
    {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3
    {test scenario} Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 2 Bullet 1]
    Operational and Systems Continuity Testing
    Analyze system interdependence during continuity plan tests. CC ID 13082
    [Determine whether the continuity strategy addresses interdependent components, including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7
    {internal interdependencies}{business continuity testing strategy} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: Expectations for testing internal and external interdependencies; and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 3
    {internal interdependencies}{business continuity testing strategy} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: Expectations for testing internal and external interdependencies; and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 3
    Determine that test scenarios reflect key interdependencies. Consider the following: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3
    Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 9
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2]
    Operational and Systems Continuity Testing
    Test the continuity plan at the alternate facility. CC ID 01174
    [Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' alternative location. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 3
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's alternative location to the TSPs' primary location; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 2
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: From the institution's primary location to the TSPs' alternative location; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 1
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    {connectivity testing}{test plan}Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1
    {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3
    {business continuity testing strategy} Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 10
    {clearance activity}{geographic separation} Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3]
    Operational and Systems Continuity Testing
    Review all third party's continuity plan test results. CC ID 01365
    [{technology service provider}{recovery time objective}{wide-scale disruption}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: DR/BCP test results for RTOs that provide evidence the TSP can recover from large scale disruptions and cyber events; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 1
    Determine whether management has received and reviewed testing results of their TSPs. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:10
    Determine whether management has received and reviewed testing results of their TSPs. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:10
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Third-party testing results; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 5
    {business continuity test} Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6
    Determine whether the significant firm meets the testing requirements of applicable core firms. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 11
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 12
    Determine whether the institution receives adequate testing information which validates and demonstrates the recovery capability and capacity of their critical service providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:9]
    Operational and Systems Continuity Testing
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Testing
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553
    [{retest} Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 4]
    Operational and Systems Continuity Testing
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404
    [{business continuity testing strategy}{recovery of lost data} Determine whether the strategy addresses technology considerations, including: Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 5]
    Operational and Systems Continuity Testing
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216
    [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program]
    Operational and Systems Continuity Testing
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Monitor and Evaluate Occurrences
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Monitor and Evaluate Occurrences
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Investigate
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Monitor and Evaluate Occurrences
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Operational management Establish/Maintain Documentation
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Investigate
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Establish/Maintain Documentation
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Establish/Maintain Documentation
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Investigate
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Behavior
    Avoid false positive incident response notifications. CC ID 04732 Operational management Behavior
    Include information required by law in incident response notifications. CC ID 00802 Operational management Establish/Maintain Documentation
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Establish/Maintain Documentation
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Monitor and Evaluate Occurrences
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Investigate
    Test the incident response procedures. CC ID 01216
    [{cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9
    Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: A requirement for periodic testing of the incident response plan in the real-world threat landscape; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 8
    Determine whether testing scenarios with critical third-parties considers: An incident response plan; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 3]
    Operational management Testing
    Test proposed changes prior to their approval. CC ID 00548 Operational management Testing
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Business Processes
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Process or Activity
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Investigate
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Investigate
    Review the patch log for missing patches. CC ID 13186 Operational management Technical Security
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Testing
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Review changes to computer firmware. CC ID 12226 Operational management Testing
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Testing
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Technical Security
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Establish/Maintain Documentation
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Testing
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Testing
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Configuration
    Formally approve the initiation of each project phase. CC ID 00997 Systems design, build, and implementation Systems Design, Build, and Implementation
    Perform a risk assessment for each system development project. CC ID 01000 Systems design, build, and implementation Testing
    Identify accreditation tasks. CC ID 00999 Systems design, build, and implementation Systems Design, Build, and Implementation
    Conduct a post implementation review when the system design project ends. CC ID 01003 Systems design, build, and implementation Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Include a termination provision clause in third party contracts. CC ID 01367
    [{TSP}{contract termination}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Right to terminate language (if the TSP defaults on SLAs and RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 4]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Testing
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Adherence to U.S. data confidentiality and security standards at a minimum by foreign-based service providers/subcontractors; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 6
    Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Third Party and supply chain oversight Testing
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797
    [Review and verify that the written BCP: Addresses the recovery of vendors and outsourcing arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 2
    Review and verify that the written BCP: Addresses the recovery of vendors and outsourcing arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 2]
    Third Party and supply chain oversight Testing
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Data and Information Management
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Testing
    Document supply chain dependencies in the supply chain management program. CC ID 08900 Third Party and supply chain oversight Establish/Maintain Documentation
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Third Party and supply chain oversight Establish/Maintain Documentation
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Establish/Maintain Documentation
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Business Processes
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Establish/Maintain Documentation
    Perform risk assessments of third parties, as necessary. CC ID 06454 Third Party and supply chain oversight Testing
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Third Party and supply chain oversight Audits and Risk Management
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1
    {take into account}Review and verify that the written BCP: Take(s) into account: Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 4
    {third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9
    {third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9
    Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2
    {backup and recovery capability} Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Recovery capabilities and capacity of the service provider; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 1
    {TSP} Determine whether institution management has assessed the adequacy of the TSPs' business continuity program through their vendor management program (e.g. contract requirements, third-party reviews). TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:11
    {predetermined time frame} Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 2
    {foreign-based third party} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Management's assessment of the foreign-based provider's resilience architecture and strategy. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2
    {foreign-based third party} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Management's assessment of the foreign-based provider's resilience architecture and strategy. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2]
    Third Party and supply chain oversight Business Processes
    Review third parties' backup policies. CC ID 13043
    [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Third Party and supply chain oversight Systems Continuity
    Assess third parties' abilities to provide services during due diligence. CC ID 12074
    [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Cyber resilience and preparedness; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 2
    Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Significant downtime that would threaten the financial institution's business resilience; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 3]
    Third Party and supply chain oversight Business Processes
    Assess third parties' use of subcontractors during due diligence. CC ID 12073
    [Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: Service provider's oversight of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 4]
    Third Party and supply chain oversight Business Processes
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Testing requirements with the TSP; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 7]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Establish/Maintain Documentation
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Third Party and supply chain oversight Business Processes
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4]
    Third Party and supply chain oversight Monitor and Evaluate Occurrences
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Monitor and Evaluate Occurrences
  • IT Impact Zone
    12
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    1093
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the business environment in which the organization operates. CC ID 12798
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    {configuration change}{component change}Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3]
    Leadership and high level objectives Business Processes
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Process or Activity
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Process or Activity
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Process or Activity
    Include resources in the analysis of the internal business environment. CC ID 12942 Leadership and high level objectives Process or Activity
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Process or Activity
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Process or Activity
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Process or Activity
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Process or Activity
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Process or Activity
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Business Processes
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Communicate
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [Interview management and review the business continuity request information to identify: Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 1]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Monitor and Evaluate Occurrences
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Establish Roles
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Leadership and high level objectives Establish/Maintain Documentation
    Take actions in accordance with the decision-making criteria. CC ID 12909
    [{business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Crisis management decision process; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 3]
    Leadership and high level objectives Process or Activity
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 Leadership and high level objectives Establish/Maintain Documentation
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Establish/Maintain Documentation
    Align business continuity objectives with the business continuity policy. CC ID 12408
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process]
    Leadership and high level objectives Establish/Maintain Documentation
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630
    [{test strategy} Determine if test plans adequately complement testing strategies. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain a financial management program. CC ID 13228 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain financial reports. CC ID 14770
    [Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1]
    Leadership and high level objectives Establish/Maintain Documentation
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Establish/Maintain Documentation
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Establish/Maintain Documentation
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Communicate
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Establish/Maintain Documentation
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Establish/Maintain Documentation
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Establish/Maintain Documentation
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Establish/Maintain Documentation
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Establish/Maintain Documentation
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Establish/Maintain Documentation
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Communicate
    Monitor all outbound traffic from all systems. CC ID 12970 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Monitor and Evaluate Occurrences
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Audits and Risk Management
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Audits and Risk Management
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitoring and measurement Monitor and Evaluate Occurrences
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Log Management
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Testing
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Monitoring and measurement Communicate
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Monitoring and measurement Communicate
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitoring and measurement Monitor and Evaluate Occurrences
    Allow expected changes during file integrity monitoring. CC ID 12090 Monitoring and measurement Technical Security
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitoring and measurement Monitor and Evaluate Occurrences
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Monitoring and measurement Establish/Maintain Documentation
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Monitoring and measurement Process or Activity
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1]
    Monitoring and measurement Establish/Maintain Documentation
    Monitor the organization's exposure to threats, as necessary. CC ID 06494
    [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Business Processes
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Testing
    Establish, implement, and maintain a system security plan. CC ID 01922 Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Establish/Maintain Documentation
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Establish/Maintain Documentation
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Establish/Maintain Documentation
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Establish/Maintain Documentation
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Testing
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Acquisition/Sale of Assets or Services
    Assign senior management to approve test plans. CC ID 13071
    [From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5]
    Monitoring and measurement Human Resources Management
    Establish, implement, and maintain a testing program. CC ID 00654
    [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Monitoring and measurement Behavior
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Monitoring and measurement Establish/Maintain Documentation
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the security assessment and authorization policy. CC ID 14220 Monitoring and measurement Establish/Maintain Documentation
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Monitoring and measurement Communicate
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Monitoring and measurement Establish/Maintain Documentation
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Monitoring and measurement Communicate
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Monitoring and measurement Human Resources Management
    Document improvement actions based on test results and exercises. CC ID 16840 Monitoring and measurement Establish/Maintain Documentation
    Define the test requirements for each testing program. CC ID 13177
    [Determine whether the institution relies on proxy testing. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:8
    From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5
    From the procedures performed: Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Monitoring and measurement Establish/Maintain Documentation
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Monitoring and measurement Testing
    Test the in scope system in accordance with its intended purpose. CC ID 14961 Monitoring and measurement Testing
    Perform network testing in accordance with organizational standards. CC ID 16448 Monitoring and measurement Testing
    Test user accounts in accordance with organizational standards. CC ID 16421 Monitoring and measurement Testing
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Monitoring and measurement Establish/Maintain Documentation
    Document the business need justification for authorized wireless access points. CC ID 12044 Monitoring and measurement Establish/Maintain Documentation
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Monitoring and measurement Configuration
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032 Monitoring and measurement Establish/Maintain Documentation
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Monitoring and measurement Communicate
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Monitoring and measurement Communicate
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 Monitoring and measurement Communicate
    Create technical documentation assessment certificates in an official language. CC ID 15110 Monitoring and measurement Establish/Maintain Documentation
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Monitoring and measurement Testing
    Define the test frequency for each testing program. CC ID 13176 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Behavior
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Monitoring and measurement Communicate
    Align the penetration test program with industry standards. CC ID 12469 Monitoring and measurement Establish/Maintain Documentation
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Monitoring and measurement Establish Roles
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Monitoring and measurement Testing
    Retain penetration test results according to internal policy. CC ID 10049 Monitoring and measurement Records Management
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Monitoring and measurement Records Management
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Process or Activity
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Monitoring and measurement Establish/Maintain Documentation
    Include facilities in the business line testing strategy. CC ID 13253
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3]
    Monitoring and measurement Establish/Maintain Documentation
    Include electrical systems in the business line testing strategy. CC ID 13251
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Establish/Maintain Documentation
    Include mechanical systems in the business line testing strategy. CC ID 13250
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Establish/Maintain Documentation
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Establish/Maintain Documentation
    Include emergency power supplies in the business line testing strategy. CC ID 13247
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Establish/Maintain Documentation
    Include environmental controls in the business line testing strategy. CC ID 13246
    [Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 1]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Establish/Maintain Documentation
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Technical Security
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Monitoring and measurement Communicate
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Records Management
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Business Processes
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Testing
    Approve the vulnerability management program. CC ID 15722 Monitoring and measurement Process or Activity
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Monitoring and measurement Establish Roles
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Monitoring and measurement Technical Security
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663
    [Determine examination scope and objectives for reviewing the business continuity planning program. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1]
    Monitoring and measurement Establish/Maintain Documentation
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Establish Roles
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Establish Roles
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Establish Roles
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Establish/Maintain Documentation
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Establish/Maintain Documentation
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199
    [{internal auditor} From the procedures performed: Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 3]
    Audits and risk management Establish/Maintain Documentation
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200
    [{matters requiring attention}Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 2
    Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the report of examination. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:4
    Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: The potential impact of your conclusions on composite and component ratings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:2 Bullet 3
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4
    {BCP testing program} From the procedures performed: Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 4]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Establish/Maintain Documentation
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:5]
    Audits and risk management Establish/Maintain Documentation
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Establish/Maintain Documentation
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [Interview management and review the business continuity request information to identify: Any material changes in the audit program, scope, or schedule related to business continuity activities; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 2]
    Audits and risk management Establish/Maintain Documentation
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Audits and Risk Management
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5]
    Audits and risk management Actionable Reports or Measurements
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Establish/Maintain Documentation
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Establish/Maintain Documentation
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Establish/Maintain Documentation
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038
    [Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5]
    Audits and risk management Records Management
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117
    [Discuss corrective action and communicate findings. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13]
    Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Behavior
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Establish/Maintain Documentation
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Establish/Maintain Documentation
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Human Resources Management
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Establish/Maintain Documentation
    Assess the quality of the audit program in regards to its documentation. CC ID 11622
    [Determine whether audit involvement in the business continuity program is effective, including: Documentation of audit findings TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 4]
    Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051
    [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4]
    Audits and risk management Establish/Maintain Documentation
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Establish/Maintain Documentation
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Business Processes
    Integrate the risk management program into daily business decision-making. CC ID 13659 Audits and risk management Business Processes
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Establish/Maintain Documentation
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Audits and Risk Management
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Business Processes
    Establish, implement, and maintain risk management strategies. CC ID 13209 Audits and risk management Establish/Maintain Documentation
    Include off-site storage of supplies in the risk management strategies. CC ID 13221
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: Supplies; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 2]
    Audits and risk management Establish/Maintain Documentation
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Data and Information Management
    Include the use of alternate service providers in the risk management strategies. CC ID 13217
    [Determine whether management has considered the possibility of transferring critical aspects of the institution's operation to alternate backup providers or other industry participants to ensure continuity of operations in extreme situations. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:4]
    Audits and risk management Establish/Maintain Documentation
    Include minimizing service interruptions in the risk management strategies. CC ID 13215
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Audits and risk management Establish/Maintain Documentation
    Include off-site storage in the risk mitigation strategies. CC ID 13213
    [Determine whether adequate risk mitigation strategies have been considered for: Secure and up-to-date off-site storage of: System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 4]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Audits and risk management Establish Roles
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [Determine whether the financial institution's and TSP's risk management strategies are designed to achieve resilience, such as the ability to effectively respond to wide-scale disruptions, including cyber attacks and attacks on multiple critical infrastructure sectors. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10]
    Audits and risk management Establish/Maintain Documentation
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Audits and Risk Management
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Establish/Maintain Documentation
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Establish/Maintain Documentation
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Communicate
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Communicate
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Business Processes
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Business Processes
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903
    [Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Large scale disruptive events that could affect the ability to service clients; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 1
    {state-of-the-art}Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Significant downtime that would threaten the financial institution's business resiliency. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 3
    {state-of-the-art}Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: Cyber events that could impact the ability to service clients; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 2]
    Audits and risk management Business Processes
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Process or Activity
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Establish/Maintain Documentation
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Establish/Maintain Documentation
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Establish/Maintain Documentation
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Establish/Maintain Documentation
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Establish/Maintain Documentation
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Behavior
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Establish/Maintain Documentation
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Communicate
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Establish/Maintain Documentation
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Technical Security
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Establish/Maintain Documentation
    Document cybersecurity risks. CC ID 12281 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Establish/Maintain Documentation
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Human Resources Management
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Audits and Risk Management
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Establish/Maintain Documentation
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Establish/Maintain Documentation
    Document organizational risk criteria. CC ID 12277 Audits and risk management Establish/Maintain Documentation
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Technical Security
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Audits and Risk Management
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4]
    Audits and risk management Audits and Risk Management
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Establish/Maintain Documentation
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 2
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4
    Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4]
    Audits and risk management Audits and Risk Management
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Business Processes
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Audits and Risk Management
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Establish/Maintain Documentation
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Establish/Maintain Documentation
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Establish/Maintain Documentation
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Establish/Maintain Documentation
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Establish/Maintain Documentation
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Establish/Maintain Documentation
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Audits and Risk Management
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Communicate
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5]
    Audits and risk management Establish/Maintain Documentation
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Determine whether an adequate BIA and risk assessment have been completed. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3
    Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1
    Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5]
    Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241
    [Review the risk assessment and determine whether the includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Pandemics. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:4 Bullet 4]
    Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Establish/Maintain Documentation
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Establish/Maintain Documentation
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Audits and Risk Management
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Audits and Risk Management
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Audits and Risk Management
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Communicate
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Business Processes
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Audits and risk management Behavior
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Audits and Risk Management
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Establish/Maintain Documentation
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Establish/Maintain Documentation
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Establish/Maintain Documentation
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222
    [Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Establish/Maintain Documentation
    Include pandemic risks in the Business Impact Analysis. CC ID 13219
    [{continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4]
    Audits and risk management Establish/Maintain Documentation
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3
    Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:3]
    Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Communicate
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Establish/Maintain Documentation
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Establish/Maintain Documentation
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Business Processes
    Review the Business Impact Analysis, as necessary. CC ID 12774
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:2]
    Audits and risk management Business Processes
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and - Performing a "gap analysis" that compares the existing Business Continuity Planning to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution. Risk Assessment]
    Audits and risk management Audits and Risk Management
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Audits and risk management Establish/Maintain Documentation
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Investigate
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Behavior
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Establish/Maintain Documentation
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Audits and Risk Management
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Audits and Risk Management
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Audits and risk management Establish/Maintain Documentation
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Establish/Maintain Documentation
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Audits and Risk Management
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Audits and Risk Management
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Audits and Risk Management
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Establish/Maintain Documentation
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Establish/Maintain Documentation
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Establish/Maintain Documentation
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Establish/Maintain Documentation
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Establish/Maintain Documentation
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Establish/Maintain Documentation
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Establish/Maintain Documentation
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Establish/Maintain Documentation
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Communicate
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Audits and Risk Management
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Establish/Maintain Documentation
    Review and approve the risk assessment findings. CC ID 06485
    [{risk profile}Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: The financial institution's overall risk assessment and profile. TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6]
    Audits and risk management Establish/Maintain Documentation
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Establish/Maintain Documentation
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Business Processes
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Establish/Maintain Documentation
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Audits and Risk Management
    Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Communicate
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Communicate
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Audits and risk management Establish/Maintain Documentation
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Establish/Maintain Documentation
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Communicate
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Business Processes
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Business Processes
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Establish/Maintain Documentation
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Communicate
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Establish/Maintain Documentation
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Establish/Maintain Documentation
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Establish/Maintain Documentation
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Establish/Maintain Documentation
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Communicate
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Human Resources Management
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Communicate
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411 Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538
    [{authentication credential} Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:6
    {authentication credential} Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:6]
    Technical security Technical Security
    Control user privileges. CC ID 11665 Technical security Technical Security
    Review all user privileges, as necessary. CC ID 06784 Technical security Technical Security
    Review each user's access capabilities when their role changes. CC ID 00524
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5
    {alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5]
    Technical security Technical Security
    Establish, implement, and maintain a data loss prevention program. CC ID 13050
    [Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1]
    Technical security Establish/Maintain Documentation
    Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Technical security Communicate
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Technical security Communicate
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Technical security Establish/Maintain Documentation
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Technical security Behavior
    Install security and protection software, as necessary. CC ID 00575 Technical security Configuration
    Install and maintain container security solutions. CC ID 16178 Technical security Technical Security
    Protect the system against replay attacks. CC ID 04552 Technical security Technical Security
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Technical security Establish Roles
    Lock antivirus configurations. CC ID 10047 Technical security Configuration
    Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain procedures for provisioning shared resources. CC ID 12181 Technical security Establish/Maintain Documentation
    Employ an open virtualization format for provisioning software for virtual machines, as necessary. CC ID 12356
    [Determine whether the financial institution and service provider manage the underlying virtualization platform upon which cloud disaster recovery services are based to minimize the impact of attacks designed to cause data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:3]
    Technical security Configuration
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [{facility physical security program} Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3
    {facility physical security program} Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Establish/Maintain Documentation
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Behavior
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Physical and Environmental Protection
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Establish/Maintain Documentation
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Establish/Maintain Documentation
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Physical and Environmental Protection
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Technical Security
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Establish/Maintain Documentation
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Physical and Environmental Protection
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Physical and Environmental Protection
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Physical and Environmental Protection
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Establish/Maintain Documentation
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Establish/Maintain Documentation
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Communicate
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Establish/Maintain Documentation
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Physical and Environmental Protection
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Physical and Environmental Protection
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Physical and Environmental Protection
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Establish/Maintain Documentation
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Establish/Maintain Documentation
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Physical and Environmental Protection
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Establish/Maintain Documentation
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Establish/Maintain Documentation
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Physical and Environmental Protection
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Testing
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Behavior
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Establish/Maintain Documentation
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Establish/Maintain Documentation
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Establish/Maintain Documentation
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Monitor and Evaluate Occurrences
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Establish/Maintain Documentation
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Human Resources Management
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Process or Activity
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Process or Activity
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Physical and Environmental Protection
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Testing
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Establish/Maintain Documentation
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Physical and Environmental Protection
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Behavior
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Human Resources Management
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Physical and Environmental Protection
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Behavior
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Physical and Environmental Protection
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Behavior
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Establish/Maintain Documentation
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Process or Activity
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Establish/Maintain Documentation
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Business Processes
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Establish/Maintain Documentation
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Process or Activity
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Establish/Maintain Documentation
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Establish/Maintain Documentation
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Physical and Environmental Protection
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Establish/Maintain Documentation
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Human Resources Management
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Establish/Maintain Documentation
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Establish/Maintain Documentation
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Configuration
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Configuration
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Configuration
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Physical and Environmental Protection
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Configuration
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Technical Security
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Establish/Maintain Documentation
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Technical Security
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Establish/Maintain Documentation
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Configuration
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Configuration
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Establish/Maintain Documentation
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Physical and Environmental Protection
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Physical and Environmental Protection
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Physical and Environmental Protection
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Physical and Environmental Protection
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Physical and Environmental Protection
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Physical and Environmental Protection
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Establish/Maintain Documentation
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Physical and Environmental Protection
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1
    Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1]
    Physical and environmental protection Physical and Environmental Protection
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Physical and Environmental Protection
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Establish/Maintain Documentation
    Establish, Implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Communicate
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Log Management
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Establish/Maintain Documentation
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Behavior
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Log Management
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Log Management
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Log Management
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Establish/Maintain Documentation
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Establish/Maintain Documentation
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Log Management
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Establish/Maintain Documentation
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Log Management
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Log Management
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Monitor and Evaluate Occurrences
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Configuration
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Configuration
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Records Management
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Establish/Maintain Documentation
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Physical and Environmental Protection
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Physical and Environmental Protection
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Physical and Environmental Protection
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Establish Roles
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Establish/Maintain Documentation
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Physical and Environmental Protection
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Configuration
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Behavior
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Behavior
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Business Processes
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Behavior
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Behavior
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain removable storage media controls. CC ID 06680 Physical and environmental protection Data and Information Management
    Establish, implement, and maintain storage media access control procedures. CC ID 00959
    [Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1
    Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1]
    Physical and environmental protection Establish/Maintain Documentation
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Physical and environmental protection Behavior
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a business continuity policy. CC ID 12405
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include compliance requirements in the business continuity policy. CC ID 14237 Operational and Systems Continuity Establish/Maintain Documentation
    Include coordination amongst entities in the business continuity policy. CC ID 14235 Operational and Systems Continuity Establish/Maintain Documentation
    Include management commitment in the business continuity policy. CC ID 14233 Operational and Systems Continuity Establish/Maintain Documentation
    Include the scope in the business continuity policy. CC ID 14231 Operational and Systems Continuity Establish/Maintain Documentation
    Include roles and responsibilities in the business continuity policy. CC ID 14190 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 Operational and Systems Continuity Communicate
    Include the purpose in the business continuity policy. CC ID 14188 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a business continuity testing policy. CC ID 13235
    [{business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include testing cycles and test scope in the business continuity testing policy. CC ID 13236
    [{business continuity testing policy} Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include documentation requirements in the business continuity testing policy. CC ID 14377 Operational and Systems Continuity Establish/Maintain Documentation
    Include reporting requirements in the business continuity testing policy. CC ID 14397 Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for crisis management in the business continuity testing policy. CC ID 13240
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for support functions in the business continuity testing policy. CC ID 13239
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257
    [{business continuity testing strategy}{bcp and testing program} Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 5]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include data recovery in the business continuity testing strategy. CC ID 13262
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include testing critical applications in the business continuity testing strategy. CC ID 13261
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to reconcile transaction data; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 3
    Determine that the test assumptions are appropriate for core and significant firms and consider: Whether continuity arrangements continue to operate until all pending transactions are closed. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 6]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252
    [{business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 3
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2
    {business continuity testing strategy} Determine whether the strategy addresses technology considerations, including: Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity framework. CC ID 00732
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish and maintain the scope of the continuity framework. CC ID 11908 Operational and Systems Continuity Establish/Maintain Documentation
    Include network security in the scope of the continuity framework. CC ID 16327 Operational and Systems Continuity Establish/Maintain Documentation
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Operational and Systems Continuity Records Management
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Operational and Systems Continuity Establish/Maintain Documentation
    Include business units in the scope of the continuity framework. CC ID 11898
    [Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include business functions in the scope of the continuity framework. CC ID 12699 Operational and Systems Continuity Establish/Maintain Documentation
    Include information security continuity in the scope of the continuity framework. CC ID 12009
    [{take into account}Review and verify that the written BCP: Take(s) into account: Security; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 7
    Determine that the BCP includes appropriate security procedures. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Security; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 1
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Systems Continuity
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Operational and Systems Continuity Systems Continuity
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Operational and Systems Continuity Establish/Maintain Documentation
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    Interview management and review the business continuity request information to identify: TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a shelter in place plan. CC ID 16260 Operational and Systems Continuity Establish/Maintain Documentation
    Designate safe rooms in the shelter in place plan. CC ID 16276 Operational and Systems Continuity Establish/Maintain Documentation
    Include Quality Management in the continuity framework. CC ID 12239 Operational and Systems Continuity Establish/Maintain Documentation
    Establish and maintain a system continuity plan philosophy. CC ID 00734 Operational and Systems Continuity Establish/Maintain Documentation
    Define the executive vision of the continuity planning process. CC ID 01243
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1
    {business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include a pandemic plan in the continuity plan. CC ID 06800
    [{escalation and response plan} Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:5
    {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4
    {continuity strategy} Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:4
    Determine whether the BCP effectively addresses pandemic issues. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A documented strategy that provides for scaling the institution's pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733
    [{incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Roles and responsibilities of crisis management group members; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 1
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Define responsibilities and decision-making authorities for designated teams or staff members; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2
    {business continuity testing policy} Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 2]
    Operational and Systems Continuity Establish Roles
    Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 Operational and Systems Continuity Systems Continuity
    Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761
    [Determine whether adequate risk mitigation strategies have been considered for: Preparation for return to normal operations once the permanent facilities are available. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 6]
    Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 Operational and Systems Continuity Communicate
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    [business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    [business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine the existence of an appropriate enterprise-wide BCP. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5
    Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all stakeholders in the continuity plan. CC ID 13256
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Communicate
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Systems Continuity
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Systems Continuity
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development]
    Operational and Systems Continuity Human Resources Management
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234
    [{business continuity function} Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities]
    Operational and Systems Continuity Establish/Maintain Documentation
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 2
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: : Trained employees are located at the back-up site at the time of disruption; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 1
    Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8
    {unavailability} Determine that the test assumptions are appropriate for core and significant firms and consider: Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 2
    {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4
    Determine whether the strategy addresses staffing considerations, including: TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate staff; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 4]
    Operational and Systems Continuity Human Resources Management
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Systems Continuity
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Configuration
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Behavior
    Include the continuity strategy in the continuity plan. CC ID 13189
    [Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Technical Security
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Participants' roles and responsibilities, defined decision makers, and rotation of test participants; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6
    From the procedures performed: Document conclusions related to the quality and effectiveness of the business continuity process. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Process or Activity
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Government and community coordination. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 11
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Process or Activity
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [{third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include incident management procedures in the continuity plan. CC ID 13244
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Crisis management (responsibility for disaster declaration and dealing with outside parties); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 5
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Establish/Maintain Documentation
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057
    [{include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution's staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Establish Roles
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Communicate
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Establish/Maintain Documentation
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Configuration
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Configuration
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Establish/Maintain Documentation
    Include notifications to alternate facilities in the continuity plan. CC ID 13220
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Include procedures for notifying the back-up site; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 5]
    Operational and Systems Continuity Establish/Maintain Documentation
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Systems Continuity
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Communicate
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Include restoration procedures in the continuity plan. CC ID 01169
    [Determine whether adequate risk mitigation strategies have been considered for: Recovery of data (e.g. backlogged transactions, reconciliation procedures); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 5
    Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1
    Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1]
    Operational and Systems Continuity Establish Roles
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    {third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4
    Determine whether adequate risk mitigation strategies have been considered for: BCP; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 3
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: According to its priority ranking in the risk assessment; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 1
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering long-term recovery arrangements. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include the recovery plan in the continuity plan. CC ID 01377
    [A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery; - Business continuity planning includes the integration of the institution's role in financial markets; - Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and - Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Business Continuity Planning Process
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Review and verify that the written BCP: Addresses the recovery of each business unit/department/function/application: Considering interdependencies among systems; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 2
    {data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4]
    Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Communicate
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain organizational facility continuity plans. CC ID 02224
    [{take into account}Review and verify that the written BCP: Take(s) into account: Facilities; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 5
    If the organization is relying on outside facilities for recovery, determine whether the recovery site: Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 Operational and Systems Continuity Configuration
    Install and maintain redundant power supplies for critical facilities. CC ID 06355 Operational and Systems Continuity Configuration
    Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 Operational and Systems Continuity Physical and Environmental Protection
    Install and maintain dedicated power lines to critical facilities. CC ID 06357 Operational and Systems Continuity Physical and Environmental Protection
    Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 Operational and Systems Continuity Configuration
    Install electro-magnetic shielding around all electrical cabling. CC ID 06358 Operational and Systems Continuity Physical and Environmental Protection
    Install electrical grounding equipment. CC ID 06359 Operational and Systems Continuity Physical and Environmental Protection
    Implement redundancy in life-safety systems. CC ID 02228 Operational and Systems Continuity Physical and Environmental Protection
    Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735
    [{internal business process}Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include emergency operating procedures in the continuity plan. CC ID 11694
    [{emergency procedure} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Explain actions to be taken in specific emergencies; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 Operational and Systems Continuity Establish/Maintain Documentation
    Review and prioritize the importance of each business unit. CC ID 01165 Operational and Systems Continuity Systems Continuity
    Review and prioritize the importance of each business process. CC ID 11689
    [{internal business process}Determine whether the continuity strategy addresses interdependent components, including: Internal systems and business processes. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5]
    Operational and Systems Continuity Establish/Maintain Documentation
    Document the mean time to failure for system components. CC ID 10684 Operational and Systems Continuity Systems Continuity
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Operational and Systems Continuity Audits and Risk Management
    Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241
    [{business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2
    {business continuity testing strategy}{reasonableness}{cost benefit analysis} Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2]
    Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis
    {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4]
    Operational and Systems Continuity Establish/Maintain Documentation
    Define and prioritize critical business records. CC ID 11687 Operational and Systems Continuity Establish/Maintain Documentation
    Include the protection of personnel in the continuity plan. CC ID 06378
    [{take into account} Review and verify that the written BCP: Take(s) into account: Personnel; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to relocate or engage staff from alternate sites; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 5]
    Operational and Systems Continuity Human Resources Management
    Define the triggering events for when to activate the pandemic plan. CC ID 06801 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2
    Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8
    Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8
    Determine whether the continuity strategy addresses interdependent components, including: Key suppliers/business partners; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 4]
    Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1
    {technology service provider}Determine whether the continuity strategy addresses interdependent components, including: Third-party technology providers; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 3]
    Operational and Systems Continuity Behavior
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741
    [{third party service providers} Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8
    {third party service providers} Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 Operational and Systems Continuity Establish/Maintain Documentation
    Include workstation continuity procedures in the continuity plan. CC ID 01378 Operational and Systems Continuity Establish/Maintain Documentation
    Include server continuity procedures in the continuity plan. CC ID 01379
    [Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include website continuity procedures in the continuity plan. CC ID 01380 Operational and Systems Continuity Establish/Maintain Documentation
    Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 Operational and Systems Continuity Data and Information Management
    Include near-line capabilities in the continuity plan. CC ID 01383 Operational and Systems Continuity Establish/Maintain Documentation
    Include online capabilities in the continuity plan. CC ID 11690 Operational and Systems Continuity Establish/Maintain Documentation
    Include mainframe continuity procedures in the continuity plan. CC ID 01382 Operational and Systems Continuity Establish/Maintain Documentation
    Include telecommunications continuity procedures in the continuity plan. CC ID 11691
    [Determine whether the continuity strategy addresses interdependent components, including: Telecommunications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 2
    {voice service}Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of telephony and electronic messaging due to the convergence of voice and data services on the same network; and TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 2
    {data communication} Determine whether the financial institution and service provider are considering al- ternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: Disruption of data and voice communications between facilities and service providers. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include system continuity procedures in the continuity plan. CC ID 01268
    [{Mission-Critical Application} Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 Operational and Systems Continuity Establish/Maintain Documentation
    Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 Operational and Systems Continuity Establish/Maintain Documentation
    Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 Operational and Systems Continuity Establish/Maintain Documentation
    Include emergency power continuity procedures in the continuity plan. CC ID 01254
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate power supplies (e.g. uninterruptible power source, back-up generators); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 4
    Determine whether the continuity strategy addresses interdependent components, including: Utilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include evacuation procedures in the continuity plan. CC ID 12773 Operational and Systems Continuity Systems Continuity
    Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374
    [{take into account}Review and verify that the written BCP:Take(s) into account: Manual operating procedures. TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 9]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 Operational and Systems Continuity Establish/Maintain Documentation
    Separate the alternate facility from the primary facility through geographic separation. CC ID 01394
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate facilities; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 1
    Determine whether satisfactory consideration has been given to geographic diversity for: Alternate processing locations; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 2
    Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 5]
    Operational and Systems Continuity Physical and Environmental Protection
    Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 Operational and Systems Continuity Establish/Maintain Documentation
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250
    [{take into account}Review and verify that the written BCP: Take(s) into account: Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 3
    {backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include a backup rotation scheme in the backup policy. CC ID 16219 Operational and Systems Continuity Establish/Maintain Documentation
    Include naming conventions in the backup policy. CC ID 16218 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Operating systems; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 2
    Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Utility programs; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 4
    {data backup}Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Data; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 1
    {data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4]
    Operational and Systems Continuity Systems Continuity
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Operational and Systems Continuity Systems Continuity
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Physical and Environmental Protection
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Operational and Systems Continuity Configuration
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Operational and Systems Continuity Establish/Maintain Documentation
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Operational and Systems Continuity Data and Information Management
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Data and Information Management
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Systems Continuity
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Data and Information Management
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Data and Information Management
    Perform backup procedures for in scope systems. CC ID 11692 Operational and Systems Continuity Process or Activity
    Perform full backups in accordance with organizational standards. CC ID 16376 Operational and Systems Continuity Data and Information Management
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Operational and Systems Continuity Data and Information Management
    Back up all records. CC ID 11974 Operational and Systems Continuity Systems Continuity
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Operational and Systems Continuity Data and Information Management
    Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259
    [A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes; - Identification of the legal and regulatory requirements for the institution's business functions and processes; - Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and - Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path. Business Impact Analysis]
    Operational and Systems Continuity Establish/Maintain Documentation
    Encrypt backup data. CC ID 00958 Operational and Systems Continuity Configuration
    Log the execution of each backup. CC ID 00956 Operational and Systems Continuity Establish/Maintain Documentation
    Digitally sign disk images, as necessary. CC ID 06814 Operational and Systems Continuity Establish/Maintain Documentation
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7
    Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Customers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 3
    {authorities}Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Local, state, and federal agencies; and TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 5
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Regulators. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 6
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Notification standards (employees, customers, regulators, vendors, service providers); TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 9
    Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Operational and Systems Continuity Systems Continuity
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Critical service providers; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 1
    Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Key financial correspondents; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 2
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1
    {primary contact information}Review and verify that the written BCP Include(s) emergency preparedness and crisis management plans that Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Operational and Systems Continuity Log Management
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762
    [{take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    {take into account}Review and verify that the written BCP: Take(s) into account: Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2
    Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Designate a knowledgeable public relations spokesperson; and TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 7]
    Operational and Systems Continuity Communicate
    Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770
    [{take into account}Review and verify that the written BCP:Take(s) into account: Liquidity; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 6]
    Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Minimize system continuity requirements. CC ID 00753 Operational and Systems Continuity Establish/Maintain Documentation
    Include purchasing insurance in the continuity plan. CC ID 00762
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Insurance; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 10
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Establish/Maintain Documentation
    Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 Operational and Systems Continuity Establish/Maintain Documentation
    Validate information security continuity controls regularly. CC ID 12008 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760
    [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9
    {include} Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Based on a comprehensive BIA and risk assessment; - Documented in a written program; - Reviewed and approved by the board and senior management at least annually; - Disseminated to financial institution employees; - Properly managed when the maintenance and development of the BCP is outsourced to a third-party; - Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP; - Specific regarding what immediate steps should be taken during a disruption; - Flexible to respond to unanticipated threat scenarios and changing internal conditions; - Focused on the impact of various threats that could potentially disrupt operations rather than on specific events; - Developed based on valid assumptions and an analysis of interdependencies; and - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies. Business Continuity Plan Development
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Timely distribution of revised plans to personnel. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 2
    {business continuity testing strategy}Determine whether the strategy addresses staffing considerations, including: Staff access to key documentation (plans, procedures, and forms); and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 7
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {third party service provider} Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9]
    Operational and Systems Continuity Establish/Maintain Documentation
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a pandemic plan. CC ID 13214
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution's monitoring program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 5]
    Operational and Systems Continuity Establish/Maintain Documentation
    Match emergency policies to the level of disruption anticipated in the pandemic plan. CC ID 14375 Operational and Systems Continuity Establish/Maintain Documentation
    Identify tasks that can be accomplished at alternate work sites. CC ID 14393 Operational and Systems Continuity Process or Activity
    Include work that will be suspended during the pandemic in the pandemic plan. CC ID 14380 Operational and Systems Continuity Establish/Maintain Documentation
    Include alternate work locations in the pandemic plan. CC ID 14376 Operational and Systems Continuity Establish/Maintain Documentation
    Assign pandemic planning roles and responsibilities, as necessary. CC ID 13230
    [Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:2]
    Operational and Systems Continuity Establish Roles
    Include modifications to the absenteeism policy in the pandemic plan. CC ID 13232
    [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism polices to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include remote access requirements in the pandemic plan. CC ID 13233
    [Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:10]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include a compensation plan in the pandemic plan. CC ID 13231
    [{absenteeism policy} Determine whether the BCP addresses modifications to normal compensation and absenteeism polices to be enacted during a pandemic. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:9]
    Operational and Systems Continuity Establish/Maintain Documentation
    Revalidate exceptions to the pandemic plan, as necessary. CC ID 14395 Operational and Systems Continuity Establish/Maintain Documentation
    Approve exceptions to the pandemic plan, as necessary. CC ID 14392 Operational and Systems Continuity Establish/Maintain Documentation
    Include a list of which emergency policies will preempt organizational policies during a pandemic in the pandemic plan. CC ID 14374 Operational and Systems Continuity Establish/Maintain Documentation
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Operational and Systems Continuity Systems Continuity
    Include coverage for alternate facilities for all offices in contingency arrangements. CC ID 00746
    [Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8
    Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Work locations for business functions; and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 3
    Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Workspace recovery - the adequacy of floor space, desk top computers, network connectivity, e-mail access, and telephone service; and TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745
    [{alternate facility} Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 Operational and Systems Continuity Establish/Maintain Documentation
    Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 Operational and Systems Continuity Establish/Maintain Documentation
    Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 Operational and Systems Continuity Establish/Maintain Documentation
    Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 Operational and Systems Continuity Establish/Maintain Documentation
    Include that the shared service provider will not oversubscribe their services in the Service Level Agreement. CC ID 04892 Operational and Systems Continuity Establish/Maintain Documentation
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893
    [Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395
    [{alternate facility} Review and verify that the written BCP: Include(s) emergency preparedness and crisis management plans that: Identify a current inventory of items needed for off-site processing; TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 6
    {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Provides sufficient processing time for the anticipated workload based on emergency priorities; and TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 2
    {capability}{independent} If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:2
    {enough} If the organization is relying on outside facilities for recovery, determine whether the recovery site: Has the ability to process the required volume; TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 1
    {recovery site} Determine how the recovery facility's customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:4
    Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 4
    {alternate facility} Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:5]
    Operational and Systems Continuity Configuration
    Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227
    [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2]
    Operational and Systems Continuity Technical Security
    Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226
    [{physical access control} Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:2]
    Operational and Systems Continuity Physical and Environmental Protection
    Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225
    [Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s). TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:6]
    Operational and Systems Continuity Communicate
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883
    [Determine whether adequate risk mitigation strategies have been considered for: Back-up of: Applications; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 3]
    Operational and Systems Continuity Systems Continuity
    Train personnel on the continuity plan. CC ID 00759
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6
    Verify that appropriate policies, standards, and processes address business continuity planning issues including: Employee training; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 8
    Determine whether the tests validate the core and significant firm's back-up arrangements to ensure that: : Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 3
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational and Systems Continuity Behavior
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Operational and Systems Continuity Behavior
    Incorporate simulated events into the continuity plan training. CC ID 01402
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Operational and Systems Continuity Behavior
    Include cross-team coordination in continuity plan training. CC ID 16235 Operational and Systems Continuity Training
    Include stay at home order training in the continuity plan training. CC ID 14382 Operational and Systems Continuity Training
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Operational and Systems Continuity Training
    Include personal protection in continuity plan training. CC ID 14394 Operational and Systems Continuity Training
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: An evaluation of the reasonableness of assumptions used in developing the testing strategy. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 4
    {BCP testing program} Determine whether the financial institution's testing program enhances resilience through demonstrated ability to recover, resume, and maintain operations after disruptions, ranging from minor outages to wide-scale disasters consistent with the BIA and risk assessment. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {test plans}{test strategy} Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6
    {core firm} Determine that the test assumptions are appropriate for core and significant firms and consider: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7
    Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1
    {business continuity test result} Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2]
    Operational and Systems Continuity Testing
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [{sudden operational failure} Determine that the test assumptions are appropriate for core and significant firms and consider: Primary data centers and operations facilities that are completely inoperable without notice; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 1
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed schedules to complete each test; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 7
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 5
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4
    {business continuity testing strategy}{test frequency}{be consistent with}{RTO}{RPO} Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Operational and Systems Continuity Establish/Maintain Documentation
    Include recovery procedures in the continuity test plan. CC ID 14876 Operational and Systems Continuity Establish/Maintain Documentation
    Include test scripts in the continuity test plan. CC ID 14875 Operational and Systems Continuity Establish/Maintain Documentation
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Operational and Systems Continuity Establish/Maintain Documentation
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Operational and Systems Continuity Establish/Maintain Documentation
    Include contact information in the continuity test plan. CC ID 14399 Operational and Systems Continuity Establish/Maintain Documentation
    Include testing all system components in the continuity test plan. CC ID 13508 Operational and Systems Continuity Establish/Maintain Documentation
    Include test scenarios in the continuity test plan. CC ID 13506 Operational and Systems Continuity Establish/Maintain Documentation
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Test event dates and time stamps; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767
    [{BCP testing program}Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Telecommuting to simulate and test remote access; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 2
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1
    {bcp testing program} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1
    {bcp testing program} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1
    {connectivity testing}{test plan}Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1
    {test plan}{backup telecommunications device} Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Risk assumptions; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 2
    {business continuity testing strategy}{enterprise-wide test} Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3
    {business continuity testing strategy}{enterprise-wide test} Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    {critical application}{critical business process} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Detailed information regarding the critical platforms, applications and business processes to be recovered; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6
    Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1
    {test strategy}{critical business system} Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes network connectivity and identifies interdependencies; and TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2]
    Operational and Systems Continuity Testing
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766
    [Determine whether testing scenarios with critical third-parties considers: Return to normal operations. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 6
    Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2
    Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2
    Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7
    Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7]
    Operational and Systems Continuity Testing
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777
    [{BCP testing program}{internal communication} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Internal and external communications processes and links; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3
    {BCP testing program}{internal communication} Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Internal and external communications processes and links; TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3
    {business continuity testing strategy}{internal communication procedure}{external communication procedure}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5
    {business continuity testing strategy}{internal communication procedure}{external communication procedure}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5
    {business continuity testing strategy}{internal contact} Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Notification procedures to follow for internal and external contacts. TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 6
    {business continuity testing strategy}{key stakeholders} Determine whether the strategy addresses staffing considerations, including: The ability to communicate with key internal and external stakeholders; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 2]
    Operational and Systems Continuity Testing
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [{critical third party} Evaluate how the financial institution ensures timeliness, thoroughness, and completeness of periodic testing with their critical providers. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:4
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3
    Determine whether testing with third-party providers is included in the institution's enterprise BCP testing program. When testing with the critical service providers, determine whether management considered testing: TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Participation in third-party testing; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 4
    Determine that the test assumptions are appropriate for core and significant firms and consider: Other organizations in the immediate area that are also affected; TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 3
    Determine whether the financial institution has a process to ensure they are included in their critical third-party providers' testing program(s) at reasonable intervals. Consider whether: Testing includes critical subcontractors. TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 3]
    Operational and Systems Continuity Testing
    Validate the evacuation plans during continuity plan tests. CC ID 12760
    [Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Assigned command center and assembly locations; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 2
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: Assigned command center and assembly locations; TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 2]
    Operational and Systems Continuity Testing
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388
    [{business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    {business continuity testing strategy}Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: Coordination with business lines, IT, internal audit, and facilities management; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 4
    Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The involvement of staff, technology, and facilities; TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2
    {bcp testing program}{business continuity test result} Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {critical business and support function} Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 1
    {business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 1]
    Operational and Systems Continuity Testing
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5
    {incorporate}{develop}{assign}{complete}{evaluate}{assess}{revise}{bcp and testing program} Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing program; - Development of an enterprise-wide testing program; - Assignment of roles and responsibilities for implementation of the testing program; - Completion of annual, or more frequent, tests of the BCP; - Evaluation of the testing program and the test results by senior management and the board; - Assessment of the testing program and test results by an independent party; and - Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results. Principles of the Business Continuity Testing Program
    Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Business continuity test results; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 5
    Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 8]
    Operational and Systems Continuity Actionable Reports or Measurements
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Human Resources management Establish Roles
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991
    [[business continuity policy] A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP; - Ensuring that the BCP is independently reviewed and approved at least annually; - Ensuring employees are trained and aware of their roles in the implementation of the BCP; - Ensuring the BCP is regularly tested on an enterprise-wide basis; - Reviewing the BCP testing program and test results on a regular basis; and - Ensuring the BCP is continually updated to reflect the current operating environment. Board and Senior Management Responsibilities
    Determine the quality of business continuity plan oversight and support provided by the board and senior management. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2
    {BCP and testing program} Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:2
    {board committee} Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution's pandemic preparedness program. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:1]
    Human Resources management Human Resources Management
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Human Resources Management
    Assign the roles and responsibilities for the change control program. CC ID 13118
    [Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1
    Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 1]
    Human Resources management Human Resources Management
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822
    [{business continuity testing strategy} Determine whether the strategy addresses staffing considerations, including: Staff and management succession plans; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6]
    Human Resources management Human Resources Management
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Human Resources management Establish Roles
    Implement a staff rotation plan. CC ID 12772 Human Resources management Human Resources Management
    Rotate duties amongst the critical roles and positions. CC ID 06554
    [{business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4]
    Human Resources management Establish Roles
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Behavior
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Business Processes
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786
    [{alternate personnel}{system access}{data access}{facility access} Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5
    {business continuity testing strategy}{critical operation}{cross-train} Determine whether the strategy addresses staffing considerations, including: The accessibility, rotation, and cross training of staff necessary to support critical business operations; TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4]
    Human Resources management Behavior
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Document security awareness requirements. CC ID 12146 Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800
    [Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Human Resources management Business Processes
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 Human Resources management Establish/Maintain Documentation
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073
    [Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Human Resources management Establish/Maintain Documentation
    Provide protective face masks for critical personnel, as necessary. CC ID 06803
    [Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1]
    Human Resources management Human Resources Management
    Establish, implement, and maintain an insider threat program. CC ID 10687
    [Determine whether the financial institution and service provider consider their susceptibility to an insider threat and what impact this may have on business continuity and broader resilience. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:7]
    Human Resources management Human Resources Management
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include detection procedures in the Incident Management program. CC ID 00588
    [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3]
    Operational management Establish/Maintain Documentation
    Categorize the incident following an incident response. CC ID 13208 Operational management Technical Security
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Operational management Establish/Maintain Documentation
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Business Processes
    Include data loss event notifications in the Incident Response program. CC ID 00364
    [{data corruption}Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 9
    {data corruption}Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Data destruction and corruption. TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 9]
    Operational management Establish/Maintain Documentation
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Establish/Maintain Documentation
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Establish/Maintain Documentation
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Establish/Maintain Documentation
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Establish/Maintain Documentation
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Establish/Maintain Documentation
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Establish/Maintain Documentation
    Use plain language to write incident response notifications. CC ID 12976 Operational management Establish/Maintain Documentation
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Establish/Maintain Documentation
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Establish/Maintain Documentation
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Establish/Maintain Documentation
    Include time information in incident response notifications. CC ID 04745 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Establish/Maintain Documentation
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Establish/Maintain Documentation
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Establish/Maintain Documentation
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Establish/Maintain Documentation
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Establish/Maintain Documentation
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Establish/Maintain Documentation
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Establish/Maintain Documentation
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Establish/Maintain Documentation
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Establish/Maintain Documentation
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Establish/Maintain Documentation
    Include contact information in incident response notifications. CC ID 04739 Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Behavior
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Establish/Maintain Documentation
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Behavior
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Behavior
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Establish/Maintain Documentation
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Establish/Maintain Documentation
    Include response times in the containment strategy. CC ID 13485 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Establish/Maintain Documentation
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Data and Information Management
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Data and Information Management
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Establish/Maintain Documentation
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Establish/Maintain Documentation
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Monitor and Evaluate Occurrences
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Investigate
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Establish/Maintain Documentation
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Create an incident response report following an incident response. CC ID 12700 Operational management Establish/Maintain Documentation
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about contacting the appropriate regulator; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 5]
    Operational management Communicate
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Teams and responsibilities; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 1]
    Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Establish Roles
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Establish Roles
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Establish Roles
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Establish Roles
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Establish Roles
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Establish Roles
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Establish Roles
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Establish Roles
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Establish Roles
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Human Resources Management
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Establish/Maintain Documentation
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Communicate
    Include coverage of all system components in the Incident Response program. CC ID 11955
    [{intrusion detection plan} Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:3
    {cybersecurity} Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9
    Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: Details about addressing zero-day attacks; TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 7]
    Operational management Establish/Maintain Documentation
    Include business continuity procedures in the Incident Response program. CC ID 06433
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Incident response; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 6
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational management Establish/Maintain Documentation
    Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 Operational management Establish/Maintain Documentation
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Actionable Reports or Measurements
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Operational management Establish/Maintain Documentation
    Include performance requirements in the Service Level Agreement. CC ID 00841
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Inclusion of reasonable performance standards (e.g., SLAs, RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 3]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a change control program. CC ID 00886
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Change control process; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 3
    {configuration change}{component change}Interview management and review the business continuity request information to identify: IT environments and changes to configuration or components; TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Operational management Establish/Maintain Documentation
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Establish/Maintain Documentation
    Include version control in the change control program. CC ID 13119 Operational management Establish/Maintain Documentation
    Include service design and transition in the change control program. CC ID 13920 Operational management Establish/Maintain Documentation
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Maintenance
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Technical Security
    Establish, implement, and maintain a back-out plan. CC ID 13623 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Establish/Maintain Documentation
    Manage change requests. CC ID 00887 Operational management Business Processes
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Establish/Maintain Documentation
    Establish and maintain a change request approver list. CC ID 06795 Operational management Establish/Maintain Documentation
    Document all change requests in change request forms. CC ID 06794 Operational management Establish/Maintain Documentation
    Approve tested change requests. CC ID 11783 Operational management Data and Information Management
    Validate the system before implementing approved changes. CC ID 01510 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Behavior
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Establish/Maintain Documentation
    Perform emergency changes, as necessary. CC ID 12707 Operational management Process or Activity
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Process or Activity
    Log emergency changes after they have been performed. CC ID 12733 Operational management Establish/Maintain Documentation
    Perform risk assessments prior to approving change requests. CC ID 00888 Operational management Testing
    Implement changes according to the change control program. CC ID 11776 Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Process or Activity
    Document the sources of all software updates. CC ID 13316 Operational management Establish/Maintain Documentation
    Implement patch management software, as necessary. CC ID 12094 Operational management Technical Security
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Technical Security
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Establish/Maintain Documentation
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Business Processes
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Behavior
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Data and Information Management
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Establish/Maintain Documentation
    Document the organization's local environments. CC ID 06726
    [Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Operational management Establish/Maintain Documentation
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Operational management Establish/Maintain Documentation
    Include security requirements in the local environment security profile. CC ID 15717 Operational management Establish/Maintain Documentation
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Operational management Establish/Maintain Documentation
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Operational management Establish/Maintain Documentation
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Operational management Establish/Maintain Documentation
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Operational management Establish/Maintain Documentation
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Operational management Establish/Maintain Documentation
    Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 Operational management Communicate
    Update the local environment security profile, as necessary. CC ID 07043 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Remove all unnecessary functionality. CC ID 00882 System hardening through configuration management Configuration
    Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 System hardening through configuration management Configuration
    Configure the File Replication service properly. CC ID 05068
    [{data backup}{data recovery}Verify that appropriate policies, standards, and processes address business continuity planning issues including: Data synchronization, back-up, and recovery; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    System hardening through configuration management Configuration
    Configure Data Backup and Recovery settings in accordance with organizational standards. CC ID 08406
    [{backup hardware} Determine whether the BCP includes appropriate hardware back-up and recovery. TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6]
    System hardening through configuration management Configuration
    Configure the "Retain deleted items for the specified number of days" to organizational standards. CC ID 08407 System hardening through configuration management Configuration
    Configure the "Do not permanently delete items until the database has been backed up" to organizational standards. CC ID 08490 System hardening through configuration management Configuration
    Configure the "Keep deleted mailboxes for the specified number of days" to organizational standards. CC ID 08600 System hardening through configuration management Configuration
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain project management standards. CC ID 00992
    [Verify that appropriate policies, standards, and processes address business continuity planning issues including: Project management; TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 2
    The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Training; - Notification Standards; - Insurance; and - Government and Community. Other Policies, Standards and Processes]
    Systems design, build, and implementation Establish/Maintain Documentation
    Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a project program documentation standard. CC ID 00995 Systems design, build, and implementation Establish/Maintain Documentation
    Include budgeting for projects in the project management standard. CC ID 13136 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain integrated project plans. CC ID 01056 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project control program. CC ID 01612 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project test plan. CC ID 01001 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project team plan. CC ID 06533 Systems design, build, and implementation Establish/Maintain Documentation
    Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project management training plan. CC ID 01002 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Technical Security
    Protect the integrity of application service transactions. CC ID 12017
    [Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2]
    Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [{third party management} Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Establish/Maintain Documentation
    Document and maintain supply chain processes. CC ID 08816 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain an exit plan. CC ID 15492 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in the exit plan. CC ID 15497 Third Party and supply chain oversight Establish/Maintain Documentation
    Test the exit plan, as necessary. CC ID 15495 Third Party and supply chain oversight Testing
    Include contingency plans in the third party management plan. CC ID 10030 Third Party and supply chain oversight Establish/Maintain Documentation
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Third Party and supply chain oversight Systems Continuity
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Establish/Maintain Documentation
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Third Party and supply chain oversight Establish/Maintain Documentation
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510
    [{data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Data governance expectations. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 8
    Evaluate data governance standards and expectations with third-party providers. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1
    {data classification}{data accuracy}{data backup}Evaluate data governance standards and expectations with third-party providers. Consider: Data protection, classification, accuracy, availability and back-up; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 1
    Evaluate data governance standards and expectations with third-party providers. Consider: Data volume and growth. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 2
    Evaluate data governance standards and expectations with third-party providers. Consider: Data volume and growth. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:5 Bullet 2]
    Third Party and supply chain oversight Business Processes
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Establish/Maintain Documentation
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Establish/Maintain Documentation
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Establish/Maintain Documentation
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Establish/Maintain Documentation
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2
    {technology service provider}{recovery time objective}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: Independent audit reports that support the RTOs; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [{third party service providers} Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Awareness and oversight of service provider's use of subcontractors. TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 7]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722
    [{foreign-based third party}{offshore production data}{offshore backup data} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12
    {foreign-based third party}{offshore production data}{offshore backup data} For foreign-based third-party service providers determine if management has adequately addressed production and back-up data that remains offshore. Consider: TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Third Party and supply chain oversight Establish/Maintain Documentation
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115
    [Interview management and review the business continuity request information to identify: Changes in key service providers (technology, communication, back-up/recovery, etc.) and software vendors; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 4
    Interview management and review the business continuity request information to identify: Changes in key service providers (technology, communication, back-up/recovery, etc.) and software vendors; and TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 4
    Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Periodic reporting to an appropriate oversight committee; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 6]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control notification processes in third party contracts. CC ID 06524 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a dispute resolution clause in third party contracts. CC ID 06519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Establish/Maintain Documentation
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Establish/Maintain Documentation
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Establish/Maintain Documentation
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Establish/Maintain Documentation
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Business Processes
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Establish/Maintain Documentation
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Third Party and supply chain oversight Establish/Maintain Documentation
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Establish/Maintain Documentation
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Establish/Maintain Documentation
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Communicate
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 Third Party and supply chain oversight Establish/Maintain Documentation
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Establish/Maintain Documentation
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Business Processes
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Establish/Maintain Documentation
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Physical and Environmental Protection
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Third Party and supply chain oversight Establish/Maintain Documentation
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Third Party and supply chain oversight Process or Activity
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Establish Roles
    Categorize all suppliers in the supply chain management program. CC ID 00792 Third Party and supply chain oversight Establish/Maintain Documentation
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Business Processes
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Business Processes
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [{offshore data storage}{risk profile} For foreign-based third-party service providers determine if management has ade- quately addressed production and back-up data that remains offshore. Consider: Evidence of management's evaluation of whether storage of data offshore (production or back-up) meets the financial institution's risk appetite and profile; and TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Establish/Maintain Documentation
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Third Party and supply chain oversight Business Processes
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Human Resources Management
    Include supplier assessment principles in the supply chain management policy. CC ID 08809 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the third party selection process in the supply chain management policy. CC ID 13132 Third Party and supply chain oversight Establish/Maintain Documentation
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Establish/Maintain Documentation
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a clear management process in the supply chain management policy. CC ID 08810 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Communicate
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Third Party and supply chain oversight Establish/Maintain Documentation
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Business Processes
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Business Processes
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Business Processes
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Establish/Maintain Documentation
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Establish/Maintain Documentation
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Data and Information Management
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Establish/Maintain Documentation
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Business Processes
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Business Processes
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Business Processes
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Communicate
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Establish/Maintain Documentation
    Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856
    [Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Review of independent third-party assessments and regulatory reports; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2
    {Management Information System}Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: Regular review of MIS reporting (e.g., adherence to RTOs); TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 3]
    Third Party and supply chain oversight Business Processes
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130
    [{TSP}Assess whether the third-party TSP's contract provides for the following elements to ensure business resiliency: TSP accountability for actions/inactions of subcontractors should the subcontractor fail to provide necessary service(s) for business recovery capabilities; TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 5]
    Third Party and supply chain oversight Establish/Maintain Documentation