Federal Financial Institutions Examination Council (FFIEC) update

The Federal Financial Institutions Examination Council (FFIEC) has just published a revision to its IT Examination Handbook on business continuity planning (BCP) this February. It replaces the document published in 2003.

Of particular interest to us is its new Appendix J: Strengthening the Resilience of Outsourced Technology Services. It has a section titled Cyber Resilience, which contains clauses on the risks arising from malware, insider threats, data or systems destruction and corruption, communications infrastructure disruption, and incident response.

The FFIEC agencies encourage financial institutions to adopt a cyclical, process-oriented approach to business continuity planning. This process-oriented approach will be discussed in the first part of the booklet, with additional information included in the appendices. The four steps in this process include:

  1. Business Impact Analysis;
  2. Risk assessment;
  3. Risk management; and
  4. Risk monitoring and testing.

The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.

Also of particular interest, the guidelines specify that key tests should be observed, verified, and evaluated by independent parties. This provides assurance to the board and other stakeholders of the validity of the testing process and the accuracy of test results. This independent assessment is typically conducted by internal audit, although it can be performed by other qualified third parties.
