COMPLIANCE AND GOVERNANCE DIGEST

Examining the FFIEC Business Continuity Planning Guide


Dorian Cougias, Contributor
07.08.2008




Editor's note: This is part two of a five-part series on the FFIEC IT Examination Handbooks by Dorian Cougias, co-founder of the Unified Compliance Framework. New tips will premiere each Tuesday in July on SearchFinancialSecurity.com. Read part one.

The FFIEC Business Continuity Planning Guide assists examiners in evaluating the risk management processes of financial institutions and their service providers, with the aim of ensuring the availability of critical financial services. It was also designed to give financial institutions practical guidance on implementing their own business continuity planning processes. The guide intends that institutions and examiners who read it recognize the following immediate goals and objectives:

The analysis
The FFIEC's continuity guide is more in-depth than either NFPA 1600 or the BCI Good Practice Guidelines, two continuity guides with the same pedigree (the control counts are given in the next section). The picture changes when the guide is mapped to the Unified Compliance Framework (UCF): of the UCF's 86 systems-continuity-specific controls, only 52 (slightly more than half) overlap with the FFIEC guide. So what are the rest of the FFIEC guide's controls about? The question points to something important about the guide's content, and the answer can be found by re-examining the FFIEC's continuity planning goals and objectives.

The numbers
How well does the guide achieve its objective? One way to judge its effectiveness is to compare it with other guides and with the Systems Continuity controls already mapped in the UCF.

Here are the total unique controls within the FFIEC guide compared with two other leading continuity guides:

142 – FFIEC Business Continuity Planning Guide
51 – NFPA 1600
44 – BCI Good Practice Guidelines

Here is a cross-reference breakdown of the FFIEC guide's 142 controls against the UCF's IT Impact Zones, showing how many of them fall outside the systems continuity realm (the ten zones sum to the 142 controls above):

Leadership and high-level planning: 8
Audit and risk management: 16
Monitoring and measurement: 3
Technical security: 19
Physical security: 17
Systems Continuity: 52
Human resources management of IT personnel: 7
Operational Management: 13
Design and implementation: 6
Privacy: 1

Two more items to note: 130 of the FFIEC guide's controls have specific audit guidance assigned (for example, what to examine, what to test, whom to interview), and 64 are cross-referenced to pre-established IT governance metrics.

Controls outside of the direct realm of systems continuity
The FFIEC continuity planning guide dedicates eight controls to creating inventory plans and then getting the board involved in the program through its review of processes, policies and procedures, all of which are necessary precursors to proper continuity planning.

The guide also spends a fair amount of time (16 controls) on audit and risk management planning, to ensure that the continuity plan is consistent with the organization's appetite for risk and that the program itself can be properly audited (and adjusted) when necessary.

A total of 19 controls are dedicated to technical security, covering such topics as standard operating procedures for remote access when operations move to a secondary site (or staff are dispersed by a pandemic), and maintaining a proper incident management structure, team and processes.

Seventeen controls are dedicated to physical security items: maintaining proper environmental controls (HVAC, UPS, generator, fire suppression and so on) as well as the physical security controls themselves, which cover such topics as identifying access control points and securing those points.

There aren't as many human resource controls as you might expect, given that one of the stated goals and objectives was to organize critical personnel. Only seven controls are found in this area. Most concern training and the cross-training of backup staff; the others assign proper roles to various parties such as IT line or operational management staff, facilities staff, outsourcing contractors and security staff.

A total of 13 controls within the realm of operational management focus mainly on proper documentation of policies and procedures, with only a few controls on change management and even fewer on backup operations!

Controls within the realm of systems continuity covered by the guide
Within the realm of systems continuity, the FFIEC Business Continuity Planning Guide is fairly thorough.

Five controls are dedicated to establishing a proper continuity framework, plan philosophy, roles and responsibilities, etc.

Fifteen controls are focused on planning considerations that surround personnel, critical resources, alternate power, damaged sites, emergency communications, and even insurance and cost considerations.

What seems strange is that only five controls surround backup planning considerations, with only two controls focused on preparing an alternate site.

The largest single set of controls on any one topic covers creating, testing, maintaining and distributing the continuity plan itself, and training staff on it.

Controls within the realm of systems continuity not covered by the guide
Within the UCF, we've examined all of the controls surrounding continuity planning, whether or not they appear in a continuity-specific guide. The UCF has a total of 34 such controls (the 86 systems continuity controls less the 52 that overlap) that are not found within the FFIEC's Business Continuity Planning Guide. Here's what the guide doesn't cover:

Our assessment
All in all, the FFIEC Business Continuity Planning Guide is a great continuity planning document. Because so many of its controls carry specific audit guidance and correspond to established metrics, it could also serve as a continuity audit planning guide for any organization.

About the author:
Dorian J. Cougias is the co-founder and primary architect of the Unified Compliance Framework, the first and largest independent initiative to map IT controls across international regulations, standards and best practices. A frequent speaker and well-respected author, Cougias has written hundreds of articles and dozens of books, including the award-winning Backup Book: Disaster Recovery from Desktop to Data Center and, most recently, the Unified Compliance Series. He has served as CIO of two global ad agencies and CEO of an international software company. He is currently an adjunct professor at the University of Delaware and the lead analyst at Network Frontiers, a company that focuses on systems continuity, regulatory compliance and IT infrastructure. For more information, visit www.unifiedcompliance.com.

