Pub. 9 2014-2015 Issue 1

www.nebankers.org 18 Extraordinary Service for Extraordinary Members.

TECH TALK

Plans for Vendor Continuity & Contingency

Leticia Saiid, Security+, CoNetrix

IT'S ALWAYS GREAT TO HAVE AN EXPERT available. When you're involved in legal work, you pay a lawyer. When you throw a banquet, you hire a caterer. When you're a bank, you outsource technology. Tapping into the expertise available to you is one of the wisest things you can do. But when you do that, you're putting a lot of trust in someone else's hands.

As the technology industry has moved into the thin air around us, we find ourselves virtually plugging in to services. We see this all the time with banks outsourcing their mission-critical applications to companies that specialize in core, accounting, etc. Because of this great shift, the bank regulatory agencies are understandably concerned with the current state of vendor management, making this clear with recently released material on the subject.

Business continuity and contingency planning have been heavily discussed with the most recent focus on vendor management. What are business continuity planning and business contingency planning? Are they not just two ways of saying the same thing? The topics are related, but each has very distinct features.

A plan for business continuity is something the vendor must design and provide. The plan should describe what steps the vendor must take to restore service in response to an interruption. An interruption could be anything—natural disasters, human error, or attacks on the company—that keeps your bank from accessing the vendor's service. Just like you have a business continuity plan to ensure service continues for your customers, your vendor's top concern should be that its customers receive the service for which they are paying. For significant vendors, the vendor's business continuity plan is a document that should be reviewed for adequacy and effectiveness on a regular basis.

Contingency planning must be worked on by both the vendor and the bank. A contingency plan outlines how bank information will be handled if the vendor relationship comes to an end. This "end" could be for any number of reasons, and you should have a plan for each one when dealing with vendors providing critical services. Some termination scenarios include: the natural end of a contract, the legal breaking of a contract based on unmet expectations, and business failure of the vendor.

To be prepared for any of these situations, you (your bank) and the vendor have to work out a plan together for how you can retrieve your data. To be prepared for the unexpected, you should also consider alternative arrangements that would help you seamlessly transition to another comparable provider. In order to do that, you need to have a pool of comparable providers defined.

Here are some questions to consider as part of any disengagement plans you make:

• Is there a cancellation clause in the contract?
• How will we retrieve data from the vendor?
• How long will it take to get the data?
• What form will the data be in?
• Will residual data be left with the vendor?
• Will any downtime occur during the transition?

So, as you consider your current vendor relationships, and any in the future, be sure to document how you would most likely respond if a break in the relationship were to occur for any reason. Just like insurance, it's something you have to have, but hope you never have to use.

Leticia Saiid is the tandem software support manager at CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem—a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit CoNetrix at www.conetrix.com.
