
Include third party recovery services in the scope of testing the continuity plan.


CONTROL ID
12766
CONTROL TYPE
Testing
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Test the continuity plan, as necessary., CC ID: 00755

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • important recovery services provided by vendors or counterparties should form part of the testing scope; (6.1.3 Bullet 3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Proactively seek assurance on the state of BCP preparedness of the service provider, or participate in joint testing, where possible. It should ensure the service provider regularly tests its BCP plans and that the tests validate the feasibility of the RTO, RPO and resumption operating capacities. S… (5.7.2 (b), Guidelines on Outsourcing)
  • For assurance on the functionality and effectiveness of its BCP plan, an institution should design and carry out regular, complete and meaningful BCP testing that is commensurate with the nature, scope and complexity of the outsourcing arrangement. For tests to be complete and meaningful, the instit… (5.7.3, Guidelines on Outsourcing)
  • Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities. (BCR-10, Cloud Controls Matrix, v4.0)
  • Return to normal operations. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the use of cloud-based disaster recovery services integrate with and protect against data destruction with the same level of assurance as existing (internal) disaster recovery solutions. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the client institution has received assurance, via testing documentation, that the third party can restore services to client institution and support typical volumes during a recovery event. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Assessed the entity's immediate or short-term space, systems, and personnel capacity to assume or transfer failed operations. (App A Objective 6:5b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Furthermore, management should discuss potential disaster scenarios with the entity's third-party service providers to prepare for an event. Subsequently, management should assess the entity's immediate or short-term space requirements, systems, and personnel capacity to assume or transfer failed o… (IV.A Action Summary ¶ 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Fuel requirements, both for fuel on-hand and contracts with suppliers for deliveries during events. (App A Objective 6:7b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the tests validate the core or significant firm's backup arrangements to confirm the following: (App A Objective 10:24, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The process to rank third-party service providers based on criticality, risk, and testing scope. (App A Objective 10:21a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)