
Establish, implement, and maintain a business continuity plan testing program.

CONTROL ID: 14829
CONTROL TYPE: Testing
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational and Systems Continuity, CC ID: 00731

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a continuity test plan., CC ID: 04896
  • Test the continuity plan, as necessary., CC ID: 00755
  • Conduct external audits of the Business Continuity Plan testing program., CC ID: 13216


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Financial institutions should test their BCPs periodically. In particular, they should ensure that the BCPs of their critical business functions, supporting processes, information assets and their interdependencies (including those provided by third parties, where applicable) are tested at least ann… (3.7.4 87, Final Report EBA Guidelines on ICT and security risk management)
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing prog… (Principles of the Business Continuity Testing Program, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • An evaluation of the reasonableness of assumptions used in developing the testing strategy. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the financial institution's testing program enhances resilience through demonstrated ability to recover, resume, and maintain operations after disruptions, ranging from minor outages to wide-scale disasters consistent with the BIA and risk assessment. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Assess documented process/transaction flow charts to evaluate the thoroughness of the testing scope, plans and strategy. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine that the test assumptions are appropriate for core and significant firms and consider: (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Exercise and test results. (IX Action Summary ¶ 2 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the exercise and testing program is sufficient to allow management to assess the entity's ability to meet its continuity objectives. (VII, "Exercises and Tests") (App A Objective 10, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Whether test plans achieve their stated objectives based on reasonable assumptions. (App A Objective 3:5d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Audit monitoring of exercises and tests, reviewing test plans and results, and verifying that any issues are identified and appropriately escalated. (App A Objective 3:5e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Confirming that exercises, tests, and training are comprehensive and consistent with the exercise strategy. (App A Objective 2:5f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Assess whether exercise and test methods are commensurate with the size and complexity of the entity and the criticality of the function to the entity. Verify that exercises and tests are designed to do the following: (App A Objective 10:15, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Documentation of the scope, execution, and results of exercises and tests in which the entity is unable to directly participate. (App A Objective 10:21d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the entity participates in its critical third-party service providers' exercise and test program(s) at reasonable intervals. Assess the execution of the exercises and tests and whether they included the following: (App A Objective 10:22, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • If management performs tabletop exercises, determine whether targeted plans and procedures are reasonable, personnel understand their responsibilities, and different departmental or business unit plans are compatible with each other. (By themselves, tabletop exercises are likely insufficient to vali… (App A Objective 10:18, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management clearly defines the characteristics of a successful test, which may include the following: (App A Objective 10:19, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the exercise and test assumptions are appropriate for core and significant firms and consider the following: (App A Objective 10:25, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Whether the significant firm participates in industry (e.g., U.S. Department of the Treasury's Hamilton Series and FS-ISAC's CAPS exercises) or cross-market tests sponsored by core firms, markets, or trade associations. Tests should incorporate verifying the connectivity from alternate sites and inc… (App A Objective 10:27b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the exercise and test program is sufficient to demonstrate the entity's ability to meet its continuity objectives and whether the results demonstrate the readiness of personnel to achieve the entity's recovery and resumption objectives. Determine whether management accomplishes the… (App A Objective 10:28, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Uses the software to assist in the identification of gaps in infrastructure security and resilience. (App A Objective 13:6f Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the frequency and methods of testing contingency plans are adequate. (App A Tier 2 Objectives and Procedures L.6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)