Include coverage of all major components in the scope of testing the continuity plan.


CONTROL ID
12767
CONTROL TYPE
Testing
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Test the continuity plan, as necessary. (CC ID: 00755)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • All BCP related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. The scope of testing should be comprehensive to cover the major components of the BCP as well as coordination and interfaces among important parties. Depending on the t… (6.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Since the computer system consists of the main unit, peripherals, communication devices/lines/terminal related devices, etc., in the event of a failure, it is necessary to confirm that the entire system, including those standby equipment, can work effectively. (P85.4. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • include procedures to verify the ability of their staff and contractors, ICT systems and ICT services to respond adequately to the scenarios defined in paragraph 89(a). (3.7.4 89(c), Final Report EBA Guidelines on ICT and security risk management)
  • Upon customer request, the cloud provider informs the cloud customers of the results of the restoration tests. Restoration tests are incorporated into the business continuity management of the cloud provider. (Section 5.6 RB-08 Description of additional requirements (availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The entity periodically tests the effectiveness of its business continuity and resiliency plans, procedures and capabilities to make sure that they continue to protect the entity from the adverse effects of unplanned system outages or damages that render systems and information assets unavailable or… (S7.5 Implements business continuity plan testing, Privacy Management Framework, Updated March 1, 2020)
  • Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan… (DS4.5 Testing of the IT Continuity Plan, CobiT, Version 4.1)
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 Implements Business Continuity Plan Testing, Trust Services Criteria)
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 ¶ 2 Bullet 1 Implements Business Continuity Plan Testing, Trust Services Criteria, (includes March 2020 updates))
  • Telecommuting to simulate and test remote access; (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The involvement of staff, technology, and facilities; (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The scope and level of detail of the testing program; (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk assumptions; (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Detailed information regarding the critical platforms, applications and business processes to be recovered; (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, inc… (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Testing includes network connectivity and identifies interdependencies; and (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:3 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Testing communication and remote access capability (e.g., switching to alternate equipment or telecommuting). (App A Objective 10:17g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Level of testing conducted to ensure adequate preparation. (App A Tier 1 Objectives and Procedures Objective 3:3 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)