Business Continuity Planning Policy Manual Sample Pages


Business Continuity Planning

Policy Manual [Sample Client]


Table of Contents

TABLE OF CONTENTS ... 1
CHAPTER 1 INTRODUCTION ... 4
1.1 GOALS AND OBJECTIVES ... 5
1.2 REQUIRED REVIEW ... 5
1.3 APPLICABILITY ... 5
1.4 ROLES AND RESPONSIBILITIES—SENIOR MANAGEMENT AND BOARD OF DIRECTORS ... 6
CHAPTER 2 ACCOUNTABILITY AND MONITORING ... 7
2.1 INTERNAL CONTROLS ... 7
2.2 REPORTING REQUIREMENTS ... 8
CHAPTER 3 STAFF AND TRAINING ... 9
3.1 ONGOING TRAINING ... 9
3.2 NEW HIRE TRAINING ... 10
CHAPTER 4 BUSINESS CONTINUITY PLANNING PROCESSES ... 11
4.1 RISK ASSESSMENT PROCESS ... 11
4.2 BUSINESS IMPACT ANALYSIS PROCESS ... 12
4.3 RECOVERY STRATEGY DEVELOPMENT PROCESS ... 12
4.4 BUSINESS CONTINUITY PLAN DEVELOPMENT ... 13
4.5 TESTING PROCESS ... 14
CHAPTER 5 BUSINESS CONTINUITY PLAN OVERVIEW ... 15
5.1 SCOPE ... 15
5.2 BUSINESS CONTINUITY PLANNING AND TECHNOLOGY RECOVERY DEFINITIONS ... 16
5.3 BUSINESS CONTINUITY PLAN OBJECTIVE ... 16
CHAPTER 6 BUSINESS DESCRIPTION ... 17
6.1 OFFICE LOCATIONS ... 17
6.2 DATA CENTER LOCATIONS ... 17
CHAPTER 7 EVENT TYPES ... 18
7.1 BUSINESS INTERRUPTIONS ... 18
7.2 TECHNOLOGY DISASTERS ... 18
CHAPTER 8 PLAN LOGISTICS ... 19

Copyright © 2014 – 2018 [Sample Client] and its licensor. ALL RIGHTS RESERVED. Without the prior written permission of [Sample Client] and its licensor, no part of this work may be used, reproduced or transmitted in any form or by any means, by or to any party outside of [Sample Client].

8.1 APPROVALS, MAINTENANCE, REVISIONS, AND EXECUTION AUTHORITY ... 19
8.2 PLAN LOCATION, DISTRIBUTION AND ACCESS ... 19
CHAPTER 9 RISK ASSESSMENT ... 20
9.1 RISK SCENARIOS ... 20
9.2 GAP ANALYSIS ... 21
CHAPTER 10 BUSINESS IMPACT ANALYSIS ... 23
10.1 DETERMINE LEVELS OF IMPORTANCE BY BUSINESS FUNCTION ... 24
10.2 ESTIMATE DOWNTIME TOLERANCES BY BUSINESS FUNCTION ... 24
10.2.1 Recovery Time Objectives ... 24
10.2.2 Recovery Point Objectives ... 25
10.3 IDENTIFY RESOURCE REQUIREMENTS ... 25
10.4 ESTABLISH THE CRITICAL PATH FOR RECOVERY ... 26
CHAPTER 11 BUSINESS CONTINUITY ORGANIZATION ... 27
11.1 ORGANIZATIONAL RESPONSIBILITIES ... 27
11.2 EMPLOYEE RESPONSIBILITIES ... 28
11.3 DUTIES ... 28
CHAPTER 12 EVENT PHASES OBJECTIVES ... 29
12.1 RESPONSE PHASE OBJECTIVES ... 29
12.2 BUSINESS RESUMPTION PHASE OBJECTIVES ... 29
12.3 RELOCATION PHASE OBJECTIVES ... 29
12.4 RETURN TO BUSINESS AS USUAL PHASE OBJECTIVES ... 30
CHAPTER 13 TEST PLANS AND EXECUTION ... 31
13.1 TEST PLAN COMPLEXITY ... 31
13.2 PHASE 1: TABLE-TOP TESTING ... 32
13.3 PHASE 2: TECHNOLOGY FAILOVER ... 32
13.4 PHASE 3: TECHNOLOGY FAILOVER AND OFF-SITE BUSINESS OPERATIONS ... 33
13.5 CONTINUING REFINEMENTS ... 33
CHAPTER 14 GENERAL EVENT PREPAREDNESS ... 34
14.1 EMERGENCY MANAGEMENT/CRISIS RESPONSE TEAM CALL TREE ... 35
14.2 CRITICAL PATH TO RECOVERY ... 36
14.3 LIST OF EMPLOYEES AND CONTACT INFORMATION ... 36
14.4 LIST OF VENDORS AND SERVICE PROVIDERS AND CONTACT INFORMATION ... 37
14.5 LIST OF CUSTOMERS AND CONTACT INFORMATION ... 38

14.6 LIST OF EQUIPMENT SUPPLIERS AND DATA STORAGE LOCATIONS ... 39
14.7 LIST OF COMMUNICATIONS CARRIERS, ISPS, INTERNET HOSTING ... 40
14.8 EVENT CHECKLIST ... 41
14.9 TECHNOLOGY AND INFRASTRUCTURE RECOVERY CHECKLIST ... 42
CHAPTER 15 FFIEC TOOLS AND RESOURCES ... 43
15.1 BCP BOOKLET ... 43
15.2 CYBERSECURITY ASSESSMENT TOOL ... 43
15.3 LESSONS LEARNED FROM HURRICANE KATRINA BROCHURE ... 44
CHAPTER 16 AGENCY AND REGULATORY BCP REQUIREMENTS ... 45
16.1 FANNIE MAE BCP REQUIREMENTS ... 45
16.2 FREDDIE MAC BCP REQUIREMENTS ... 45
16.3 OCC REQUIREMENTS ... 47

Chapter 1 Introduction
[Sample Client] is committed to the highest standards of federal consumer compliance and requires all management, employees, and third-party vendors to follow these policies and adhere to these standards.

In today’s environment, business leaders are increasingly aware of potential threats to their businesses that may appear in many forms: terrorism, catastrophic natural disasters, pandemics, and cyberattacks. Regulators likewise have taken a more careful view of the financial services industry’s overall ability to respond to and recover from disruptive events that could impact the entire financial system and undermine the public’s trust.

[Sample Client] recognizes the value of having a plan in place to protect its assets, to minimize its financial losses, to maintain its business operations, and to recover its technology in the case of unplanned disruptive events. It is essential to [Sample Client] to maintain continuity of its operations in support of its customers, business associates, stakeholders, regulatory obligations, and [Sample Client]’s own financial status and reputation. This policy is intended to serve as the framework for developing [Sample Client]’s unique Business Continuity Plan (the Plan).

It is the policy of [Sample Client] to develop and maintain a Plan that considers strategies and procedures to recover, resume, and maintain its critical business functions, processes, and responsibilities. This Business Continuity Planning policy is intended to provide the framework for developing and maintaining a Plan that is specific to the business needs, strategic goals, and risk appetite of [Sample Client], and that is proportionate to its size and complexity.

Senior management and the board of directors are committed to establishing and maintaining emergency procedures, backup facilities, and a comprehensive plan that allows for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of [Sample Client]. Management fully supports and participates in the development, monitoring, testing, and regular maintenance of the Plan.

The Plan will initially be developed in-house; however, [Sample Client] may determine that an outsourced vendor provides the best solution and implementation for the company.

In developing the Plan, management remains cognizant of and guided by specific information provided by the Federal Financial Institutions Examination Council (FFIEC). As defined on the FFIEC website, the Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer


Chapter 4 Business Continuity Planning Processes
While the restoration of technology components is commonly seen as the focus of disaster recovery efforts, the recovery of systems and data is not always enough to restore business operations. [Sample Client] recognizes that the Plan must include the recovery, resumption, and maintenance of all aspects of the business. The Plan considers critical processes as well as all business units and departments, and how the enterprise as a whole will be able to respond to unplanned events.

As part of the Plan, management will prioritize the business objectives and critical operations that are essential to the recovery and restoration efforts. Since it may not be possible to restore all business operations simultaneously, it is critical to identify and plan for the restoration of the technologies and business units that are most urgent to the survival of the enterprise: the critical path.

The planning process should include participation from [Sample Client]’s management, from business unit managers and supervisors, and from subject matter experts. Depending on the size and complexity of the organization, a knowledgeable BCP Coordinator or a BCP Team is assigned to coordinate the overall effort, from development through testing and ongoing maintenance of the Plan.

The planning process includes the following general areas:

• Risk Assessment
• Business Impact Analysis
• Recovery Strategy Development
• Business Continuity and Technology Recovery Plan Development
• Testing and Maintaining the Plan

The process, however, is a continuous one that is reviewed and modified over time and in response to changing operations, results of testing, recommendations from independent reviews of the Plan, and the possibility of new types of threats. These areas are described generally below, and are explained in more depth in later sections.

4.1 Risk Assessment Process

Risk assessment is the identification of probable threats that could impact the facilities and staff of [Sample Client]. Threats may be of various types, severity, and likelihood. Risk assessment will consider threats by analyzing impact, severity, and likelihood.

The risk assessment should consider non-specific threats as well as specific threats. Non-specific threats are those where the impact to the business is similar, regardless of the specific nature of the


Chapter 7 Event Types


The Plan anticipates interruptions to business operations, facilities, and technical infrastructures. Physical damage, depending on severity, will affect business operations to a greater or lesser degree.

7.1 Business Interruptions

Business interruptions would affect [Sample Client]’s ability to communicate and conduct business during events such as a power or communications outage, or an event requiring evacuation or denying access to the building housing personnel and internal networks. Business interruptions affect the ability of [Sample Client] to conduct business as usual and to provide service to its customers.

Some examples of business interruptions include:

• Utility service provider outage, localized
• Power grid fails due to overload or storms
• Communications/internet service failures
• Information security breaches and cyberattacks
• Access to building is denied due to criminal activity in the area
• Nearby toxic spill impacts access to facility
• Pandemic warnings indicate quarantine of building

7.2 Technology Disasters

Technology disasters are disruptions affecting the operation of the office facility, main data center, workstations, communications infrastructure, or other physical assets, and that require rebuilding and restoring communications and technology infrastructure in addition to restoring business operations. Some examples include the following:

• Fire in the facility
• Physical damage to a building resulting from environmental or natural disaster, or criminal activity
• Loss of power to the data center and to ancillary generator power, if used as a mitigation strategy
• Prolonged loss of network connectivity to the primary data center


Chapter 14 General Event Preparedness


The following activities, lists, and procedures should be made a part of the Plan for quick reference. The BCP Coordinator holds responsibility for maintaining these types of supporting lists and checklists with current information.

These lists are provided as starting points. For larger organizations, these lists will be maintained and supplied by key personnel in various departments. For example, lists of technology service providers and equipment providers will be maintained by IT, and employee contact information will be maintained by Human Resources.

• Emergency Management / Crisis Response Team
• Critical Path to Recovery
• Lists of:
  o employees and contact information
  o customers and contact information
  o vendors and contact information
  o equipment suppliers and data storage locations
  o communications carriers, ISPs, and internet hosting contact information, if available
• Business Continuity Checklist
• Technology Recovery Checklist