COMPLIANCE AND GOVERNANCE DIGEST

Examining the FFIEC Business Continuity Planning Guide


Dorian Cougias, Contributor
07.08.2008


Editor's note: This is part two of a five-part series on the FFIEC IT Examination Handbooks by Dorian Cougias, co-founder of the Unified Compliance Framework. New tips will premiere each Tuesday in July on SearchFinancialSecurity.com. Read part one.

The FFIEC Business Continuity Planning Guide assists examiners in evaluating the risk management processes of financial institutions and service providers, with the aim of ensuring the availability of critical financial services. It was also designed to give financial institutions practical guidance on implementing their own business continuity planning processes. After reading the FFIEC Business Continuity Planning Guide, institutions and examiners should be able to identify the following immediate goals and objectives:

  • Identification of critical personnel, facilities, computer systems, operations, and equipment
  • Priorities for processing, recovery, and mitigation
  • Maximum downtime before recovery of operations
  • Minimum resources required for recovery

The analysis
The FFIEC's continuity guide is more in-depth than either the National Fire Protection Association's NFPA 1600 or the BCI Good Practice Guidelines, both of which are continuity guides with the same pedigree. When mapped to the Unified Compliance Framework (UCF), which has a total of 86 systems continuity-specific controls, only 52 of the FFIEC continuity guide's controls (slightly more than half of the UCF set) overlap. So what happened to the other controls in the FFIEC continuity guide? This question raises an important point about the content of the FFIEC continuity planning guide, and the answer can be found by re-examining the guide's own goals and objectives.

The numbers
How well does the guide achieve its objective? One way to determine its effectiveness is to compare it with other guides, or with the Systems Continuity controls already mapped to the UCF.

Here is the number of unique controls within the FFIEC guide compared with two other leading compliance guides:

142 – FFIEC Business Continuity Planning Guide
51 – NFPA 1600
44 – BCI Good Practice Guidelines

Here is a cross-reference breakdown of the FFIEC guide against the UCF's IT Impact Zone controls, showing how many of the FFIEC guide's controls fall outside the systems continuity realm:

Leadership and high-level planning: 8
Audit and risk management: 16
Monitoring and measurement: 3
Technical security: 19
Physical security: 17
Systems continuity: 52
Human resources management of IT personnel: 7
Operational management: 13
Design and implementation: 6
Privacy: 1

Two more items to note: 130 controls within the FFIEC guide have specific audit guidance assigned (for example, what to examine, what to test, and who to interview), and 64 controls are cross-referenced to pre-established IT governance metrics.

Controls outside of the direct realm of systems continuity
The FFIEC continuity planning guide dedicates eight controls to creating inventory plans and then getting the board involved in the program by reviewing processes, policies, and procedures, all of which are a necessary precursor to proper continuity planning.

The guide also spends a fair amount of time (16 controls) on audit and risk management planning to ensure that the continuity plan is consistent with the organization's appetite for risk, and that the program itself can properly be audited (and adjusted) if necessary.

A total of 19 controls are dedicated to technical security, covering topics such as creating standard operating procedures for remote access in case of a move to a secondary site (or a pandemic), and maintaining a proper incident management structure, team, and processes.

Seventeen controls are dedicated to physical security, covering environmental controls (HVAC, UPS, generators, fire suppression, and so on) as well as the physical security controls themselves. The latter address topics such as identifying access control points and physically securing those points.

There aren't as many human resource controls as you might expect, given that one of the stated goals and objectives was to identify critical personnel. Only seven controls are found in this area, mainly covering training and cross-training of backup staff. The others assign proper roles to various members, such as IT line or operational management staff, facilities staff, outsourcing contractors, and security staff.

A total of 13 controls within the realm of operational management focus mainly on proper documentation of policies and procedures, with only a few controls focused on change management and even fewer on backup operations!

Controls within the realm of systems continuity covered by the guide
Within the realm of systems continuity, the FFIEC Business Continuity Planning Guide is fairly thorough.

Five controls are dedicated to establishing a proper continuity framework, plan philosophy, roles and responsibilities, etc.

Fifteen controls are focused on planning considerations that surround personnel, critical resources, alternate power, damaged sites, emergency communications, and even insurance and cost considerations.

What seems strange is that only five controls surround backup planning considerations, with only two controls focused on preparing an alternate site.

The largest single set of controls on any specific topic covers creating, testing, maintaining, and distributing the continuity plan itself, and training staff on it.

Controls within the realm of systems continuity not covered by the guide
Within the UCF, we've examined all of the controls surrounding continuity planning, whether or not they can be found directly within a continuity-specific guide. The UCF has a total of 34 controls that are not found within the FFIEC's Business Continuity Planning Guide. Here's what the guide doesn't cover:

  • Minimizing systems continuity requirements
  • Service-level agreements for continuity planning
  • Re-accreditation procedures for after-disaster scenarios
  • Transportation of media
  • Damage assessment
  • Online and nearline storage considerations
  • Alternate processing site configuration and testing

Our assessment
All in all, the FFIEC Business Continuity Planning Guide is a great continuity planning document. Because of its high alignment with specific audit guidance and the number of metrics that correspond to it, it could make a great continuity audit planning guide for any organization.

About the author:
Dorian J. Cougias is the co-founder and primary architect of the Unified Compliance Framework, the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. A frequent speaker and well-respected author, Cougias has written hundreds of articles and dozens of books, including the award-winning Backup Book: Disaster Recovery from Desktop to Data Center and, most recently, the Unified Compliance Series. Dorian has served as CIO of two global ad agencies and CEO of an international software company. He is currently an adjunct professor at the University of Delaware and the lead analyst at Network Frontiers, a company that focuses on systems continuity, regulatory compliance, and IT infrastructure. For more information, visit www.unifiedcompliance.com.


All Rights Reserved, Copyright 2008, TechTarget | Read our Privacy Policy