Common use of Disaster Recovery and Business Continuity Planning Clause in Contracts

Disaster Recovery and Business Continuity Planning. (1) The Board shall immediately take all steps necessary to continue to improve the TSP’s Disaster Recovery (“DR”) and Business Continuity Planning (“BCP”) processes and correct each deficiency cited in the December 21, 2012 Supervisory Letter (“Supervisory Letter”), the February 11, 2013 Limited Report of Examination (“▇▇▇”), and any subsequent supervisory communication from the Regulators.
(2) Within one hundred and twenty (120) days of this Agreement, the TSP and the Board shall develop, approve, and submit an updated formal, written, enterprise-wide DR and BCP process that fully complies with the requirements set forth in the Business Continuity Planning Booklet of the FFIEC Information Technology Examination Handbook (“DR/BCP Process”) to the Director for prior written determination of no supervisory objection by the Regulators. The TSP shall promptly make, and the Board shall promptly approve, any revisions requested by the Regulators and resubmit the DR/BCP Process to the Director for review and determination of no supervisory objection by the Regulators.
(3) At a minimum, the DR/BCP Process shall include for each TSP business unit:
(a) a business impact analysis (“BIA”) that includes: (i) an assessment and prioritization of all business functions, systems, and resource requirements, including interdependencies, as part of a work flow analysis; (ii) recognition of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the TSP’s business functions, processes and its customers; (iii) the identification of legal and regulatory requirements for the TSP’s business functions and processes; (iv) an estimation of the maximum allowable operational downtime, as well as the acceptable level of losses (e.g., data, operations, financial) associated with the TSP’s business functions and processes; and (v) an estimation of recovery time objectives (“RTOs”), recovery point objectives (“RPOs”), and recovery of the critical path, each of which should be specifically defined.
(b) a risk assessment process that includes: (i) an evaluation of the BIA assumptions using various threat scenarios; (ii) an analysis of threats based upon the impact to the TSP, its customers, and the financial markets it serves; (iii) the prioritization of potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and (iv) the performance of a “gap analysis” comparing the TSP’s existing DR/BCP to the policies and procedures that should be implemented based on the prioritized disruptions identified and their resulting impact point objectives.
(c) a risk management process that identifies, assesses, and reduces risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide DR/BCP that shall be: (i) based on a comprehensive BIA and risk assessment; (ii) documented in a written program; (iii) reviewed and approved by senior management and the Board at least annually; (iv) disseminated to appropriate employees along with appropriate training; (v) specific regarding what conditions should prompt implementation of the plan and the process for invoking the DR/BCP; (vi) specific regarding what immediate steps should be taken during a disruption; (vii) flexible enough to respond to unanticipated threat scenarios and changing internal conditions; (viii) focused on the impact of various threats that could potentially disrupt operations rather than on specific events; (ix) developed based on valid assumptions and an analysis of interdependencies; and (x) effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies.
(d) a risk monitoring and testing process that ensures the DR/BCP remains viable and that includes: (i) incorporating the BIA and risk assessment into the DR/BCP and testing program; (ii) developing a thorough testing program proving that RTOs and RPOs can be achieved; (iii) assigning roles and responsibilities for implementation of the testing program; (iv) completing testing of the DR/BCP on at least an annual basis; (v) an evaluation of the testing program and test results by senior management; (vi) reporting of plan summaries, testing results, testing limitations, problems or challenges discovered, and any independent review exceptions to the Board on at least an annual basis; (vii) assessing the testing program and test results on at least an annual basis by an independent party; and (viii) periodically revising the DR/BCP and testing program, based upon changes in business operations and the results of annual testing, audits, and reviews.
(4) Upon receiving written notice of no supervisory objection from the Regulators, the Board shall promptly adopt the updated DR/BCP Process and direct and cause the TSP to implement and thereafter adhere to the DR/BCP Process. Following implementation of the DR/BCP Process, the TSP shall not take any action that will cause a significant deviation from, or material change to, the DR/BCP Process unless and until the TSP has received prior written notice of no supervisory objection from the Regulators.

Appears in 2 contracts

Sources: Technology Services Agreement, Agreement