Pub. 10 2015-2016 Issue 1 16 Extraordinary Service for Extraordinary Members.

TECH TALK

New Appendix, Same Principles

Stephanie Chaumont, CISSP, CISA, Security+, CoNetrix

February saw a new appendix added to the Federal Financial Institutions Examination Council's (FFIEC's) Business Continuity Planning (BCP) Handbook. Appendix J: Strengthening the Resilience of Outsourced Technology Services marries two areas of information security that banks have been working on for years: vendor management and business continuity. As cloud computing and the outsourcing of technology services become more and more common, banks are depending on vendors for extremely critical aspects of business. Creating a BCP with recovery expectations without considering a vendor's (or multiple vendors') restoration abilities would be bad planning on the bank's part and could result in unhappy surprises should a disaster or business interruption occur.

The new appendix consists of four areas regarding outsourced technology services and business continuity:

• Third-Party Management – This section reinforces the importance of managing vendor risks with due diligence and oversight. It also emphasizes contract reviews to make sure the bank is protected and that security and continuity expectations are explicitly defined. A disaster is not the right time for those terms to be negotiated.

• Third-Party Capacity – It is important to have realistic expectations about a vendor's ability to restore service following a disaster or business interruption. If your vendors are also servicing other banks or businesses in the area, restoration goals will more than likely be affected. It's also important for banks to create termination contingency plans for some critical vendors to know what the bank will do when the relationship ends—whether services will be outsourced to another vendor or brought in-house.

• Testing With Third-Party Technology Service Providers – Banks are already required to test their BCP with increasing levels of complexity. If you're doing the same tests each year, it might be time to explore other ways of ensuring your plan is adequate. Scenarios mentioned in the appendix are a vendor's outage, a bank outage, cyber events affecting the bank, and a simultaneous attack on the bank and its service provider. I've seen many BCPs that are preparing for a physical disaster with plans to immediately fail over to other branches, but are your recovery plans also preparing for a lost connection to critical vendor services or the inability to access network files? Exploring and testing different scenarios helps you see where your plan could be improved. This section also emphasizes the importance of reviewing or being involved in your critical vendors' testing.

• Cyber Resilience – Every good BCP is founded on risk assessment and management. Planning for disasters can be difficult when threats and their likelihood are not known. Many people view business continuity from a purely natural-disaster standpoint, but it's time to expand business interruption planning to malicious attacks meant for financial gain or just to cause trouble. Are your incident response procedures also up to date, and do they match up against today's threat landscape? Is your Incident Response Team aware of and familiar with your procedures? Has the bank had conversations about the potential need for third-party forensic and incident management services? These are good questions to ask long before a cyber incident has occurred.

The concepts addressed in the appendix are not new. It's just that they've been living separate lives until now—your vendor manager has probably already been collecting BCPs and BCP tests from some of your critical vendors. Your BCP manager has been testing your plan and tweaking restoration expectations. Have these two been collaborating on whether the bank's continuity expectations align with what the vendor can reasonably provide? I wouldn't assume so, even if your vendor manager and BCP manager are the same person, until you've had the conversations this appendix is asking you to have.

Stephanie Chaumont is a security and compliance consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit the CoNetrix website at www. .