Business Continuity

Financial Institution Contingency Plans for Service Provider and Third Party Services

1. Identify all the categories and sources of data input into the service provider’s systems by the thrift. Usually, these items are limited to branch and back-office online terminal input. Other items of input, such as automated teller machine (ATM) transactions, automated clearinghouse (ACH) transactions, and in-clearings ('on us' checks negotiated outside of the institution), are usually the responsibility of vendors that provide the respective processing services.

2. Describe the steps required to recover previously input data and prepare them for resubmission when requested by the service provider. (Institution management should realize that if the disaster takes place on a business day, online data entered on that day will not have been backed up offsite and will likely be lost.)

"..Reduce costs without sacrificing data integrity or performance..."

Computer systems in general are highly complex, too complex, in fact, to be administered at a discrete physical level. As computer technology has evolved, a higher proportion of CPU cycle time has been dedicated to abstracting the underlying hardware, memory management, input/output, and processor requirements from the user interface. Today, a computer user does not have to be conversant in assembly language programming to make a change in a spreadsheet. The interface and management of the underlying technology has been heavily virtualized.

Storage administration, by contrast, is still tedious, manual-intensive, and seemingly never-ending. The introduction of storage networking has centralized storage administrative tasks by consolidating dispersed direct-attached storage assets into larger, shared resources on a SAN. Fewer administrators can now manage more disk capacity and support more servers, but capacity for each server must still be monitored, logical units manually created and assigned, zones established and exported, and new storage assets manually brought online to service new application requirements. In addition, although shared storage represents a major technological advance over direct-attached storage, it has introduced its own complexity in terms of implementation and support. Complexity equates to cost. Finding ways to hide complexity, automate tedious tasks, streamline administration, and still satisfy the requirements of high performance and data availability saves money, and that is always the bottom line. That is the promise of storage virtualization, although many solutions today are still far short of this goal.

Does location security maintain an emergency plan?
Do procedures exist for protecting personnel and company property for all emergencies that may threaten a location, including the following:
Natural and human-made disasters
Threats or acts of violence against people or property
Political or civil disturbances
Initiation of emergency shutdown or evacuation
Designation of location and staffing of primary and alternate crisis management centers

Ensure that hardware redundancy is used to provide high availability where required.
Verify that redundant systems at separate sites are used where very high system availability is required.
Ensure that backup procedures are appropriate for respective systems.
Verify that systems can be restored from backup media.
Ensure that backup media can be retrieved promptly from off-site storage facilities.

Step #1: Monitor business communications for sensitive data
- Monitor business communication channels for confidential data using Data Leak Prevention (DLP) Solutions
For example, DLP technology can be used to find regulated information such as information about the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act, as well as customer data such as social security numbers and credit card information.

Step #2: Discover information assets
- Discover information assets
- Classify information assets