The Definitive Guide For Banks - Agility Recovery


The Definitive Guide for Banks
Maintaining Operations Before, During, and After an Incident

2019 - Agility Recovery, All Rights Reserved.

Banks: Maintaining Operations Before, During, and After an Incident

Table of Contents

1. How Safe is Your Bank?
2. Assemble a Disaster Recovery Team
3. Create Your Disaster Recovery Plan
4. Test, Fine-tune, and Retest Your Disaster Recovery Plan
5. 10 Ways a Disaster Recovery Solutions Provider Can Help You With Testing
6. What is a Go-Bag?
7. Regulatory Compliance and Disaster Recovery
8. Lessons From Major Hurricanes: How to Protect Yourself from the Next Weather Disaster
9. Testing and Preparedness are the Keys to Survival

The only integrated business continuity solution in the market that helps you Plan, Train, Test, Alert, and Recover—all in one.
Copyright 2019 - Agility Recovery, All Rights Reserved.

1. How Safe is Your Bank?

Think back to August 17th, 2017. That’s the day Hurricane Harvey first reached tropical storm status in the Atlantic and became the 8th named storm of the season. By the time it finally was downgraded to a tropical depression on August 30th, it had spread devastation across Texas & Louisiana, rivaling the most costly storm in US history by accumulating an estimated $190 billion in damage.

Hundreds of financial institutions were out of operation for days, some of them weeks. If your bank came to a halt as a result of a hurricane or any other disaster, you realize the importance of business continuity. Being able to maintain operations through any disruption provides uninterrupted service to your clients. If your bank has never been stopped in its tracks by a major disaster, or even a minor incident, you’re very fortunate. But what about the future?

Establish Disaster Recovery Protocols

To enable your bank to conduct critical business functions before, during and after a disaster, establish the following basic disaster recovery protocols:

- Assemble a disaster recovery team
- Create a disaster recovery plan
- Test, fine-tune and retest your disaster recovery plan

Particularly in today’s world of increased cybersecurity risk, it is critical to identify the gaps in your business continuity plan and determine how you can close those gaps before a disaster strikes. In addition, Sarbanes Oxley requires business leaders to ensure that internal controls will protect the organization from fraud. If parts of your infrastructure are down, that can be a difficult promise to fulfill.

Regularly examining and testing your disaster readiness will help your bank be prepared for any kind of disruption. It will also ensure that you can bring systems back online quickly and efficiently.

2. Assemble a Disaster Recovery Team

Get your employees involved in the disaster response planning process. Let them know you’re ready for whatever crisis may occur and build buy-in to a culture of preparedness. Together, you can design a plan to accommodate challenges the team might face in a disaster.

Responsibility of the Disaster Team

- Provide guidance, oversight and approval of resources for the continuity program.
- Facilitate the implementation and routine testing of the program.
- Ensure collaboration and buy-in across all departments.
- Execute the plan should the need arise.

The following list of disaster recovery responsibilities will get you started in identifying who should be involved:

ENSURING OFFICE & PERSONNEL SAFETY AND SECURITY
Responsibilities may include evaluating building integrity and safety, facilitating cleanup, or stocking and carrying the “go bags.”

DATA ACCESS AND INTEGRITY
Responsibilities may include maintaining connectivity to your core processor and ensuring local server/cybersecurity protection or activating a redundant data center.

CRISIS COMMUNICATIONS
Responsibilities may include initiating an employee call chain or alert notification protocol, or communicating with stakeholders (e.g., leadership, partners, suppliers, members, and the media).

FINANCIAL OVERSIGHT
Responsibilities may include calculating how much cash will be needed for increased transactions as well as incidentals like supplies, food/water, transportation, repairs, temporary lodging and replacement assets.

When assembling your team, it’s important to include members from all departments of the organization. Downtime after a disaster affects departments in various ways. Involving all teams allows for equal consideration of priorities and critical tasks, as well as protects any significant inter-dependencies.

The first step is to invite every department head to an initial meeting. At this discovery session, make a list of all the responsibilities needed to maintain critical business functions (activities that are vital to your organization’s survival) during a disaster. Do not attempt to incorporate all departmental functions, only those most significant to the tasks necessary following a major event.

Once you have established all the responsibilities required, assign each task to one or more employees to create redundancy. For some technical tasks, such as restoring access to data, responsibilities will closely match a person’s current title and job description within the company. Other functions, such as being part of a call chain, can be assigned to a variety of staff members. Take the time to cross-train any personnel you may rely on for alternative responsibilities in a crisis.

3. Create Your Disaster Recovery Plan

Once every responsibility is outlined, write a step-by-step disaster recovery plan. Your plan should spell out who is in charge of different recovery processes, first actions to consider, and how to quickly evaluate and escalate needs.

Begin by considering the most important functions within your organization, and develop plans and strategies for protecting each from the top risks posed to your organization. Discuss how to prevent failure in each area, or if that is not possible, what it would take to bring each service or area back online quickly and efficiently.

A Good Disaster Recovery Plan Will:

1. Establish who will be on the recovery team as well as detailed descriptions of their responsibilities. Include at least two ways of contacting each member of the team.
2. Demonstrate information on all exits and alternative ways of evacuating your building, procedures for sheltering-in-place, and the location of go-bags with description.
3. Determine how your organization’s critical functions will continue to operate immediately after an incident. This may include functioning with reduced staff, replacing compromised systems, offering partial services, relocating staff and operations, communication protocols, and mitigation or recovery procedures.
4. Establish how actual recovery logistics will proceed in terms of precisely outlining and adhering to timelines, decision points and verified procedures.
5. Detail the required resources needed for mitigation and recovery. You’ll want to consider what resources are required for restoration of basic services such as:
   - Office Space
   - Power
   - Applications
   - Data
   - Unique assets
   - IT network & hardware
   - Employees/staff/partners/suppliers
   - Communications (telephone, internet, fax, etc.)
   - Other: Restroom facilities, HVAC, food/water, etc.
6. Outline the Emergency Plan procedure. Who has the ability to declare the disaster or put the plan into action?

4. Test, Fine-tune, and Retest Your Disaster Recovery Plan

Testing your disaster recovery plan is not only an essential part of planning, but a step that could mean the difference between giving in to a crisis and surviving one. Testing or exercising your plan should be a gradual and continual process.

A Good Test Will

1. Use realistic scenarios based on identified risks to your organization
2. Meet compliance or regulatory requirements
3. Increase employee, management, and community confidence in the plan
   - This includes setting realistic expectations for response team members
4. Expose holes, gaps, misperceptions, or other potential failures of the plan
5. Be conducted both with and without notice
   - Announced drills are learning exercises that allow employees to walk through actions they are trained and expected to take during an emergency
   - Unannounced drills provide the most accurate indication of what will occur during actual crisis conditions (when performed safely!)
6. Improve your overall readiness and reduce recovery time

Hold regular walk-throughs of building emergency exits, and conduct drills for both shelter-in-place and workplace violence scenarios, as well as building evacuations. More elaborate and comprehensive testing can be facilitated in one of three places: at your facility, at your off-site backup center, or at a disaster recovery-partner testing site. You can choose to do a table-top meeting-style run through or a full-scale hands-on test, using canned or live data and a variety of scenarios.

Business continuity planning is an ongoing process, and testing is a critical step in continually assessing and improving the strategy as your organization grows and evolves. Your testing process should run in a continual loop:

When you’re running a test, make sure to take notes during the exercise. What was the task or issue? When was it started/identified? Was it resolved? How? What problems arose? Review the findings with participants and then update and distribute your written plan, making sure to write down notes for consideration on your next test.

Remember: A successful test is not necessarily one that runs flawlessly, but an exercise that allows you to identify failures and therefore improve your plan and increase your ability to serve members after a disaster.

We recommend that you do a full-scale test annually for a wide range of critical functions, including access to electricity, water, gas, facilities, staffing, technology, telecommunications and more, not only to survive, but to thrive in any unexpected situation.

5. 10 Ways a Disaster Recovery Solutions Provider Can Help You With Testing

- Determine priorities and objectives and build outcomes
- Simulate real-time business transactions
- Resolve discrepancies
- Conduct a server rebuild and restoration
- Test all aspects of your recovery operation
- Test network connections, & build redundancy in your systems
- Evaluate how much generator power is needed
- Practice reconnecting to your core
- Determine realistic recovery timeframes
- Test a mobile office setup

6. What is a Go-Bag?

A go-bag is an emergency kit that is ready to be used at all times. Your emergency kit should contain everything your organization needs in the event of evacuation. When disaster strikes, time is of the essence. An office emergency kit is unique and includes a few key items not in a personal emergency kit. Store the following items in one or more central locations in a waterproof container.

Employee Health and Safety Items

- First Aid Supplies/Kit: Plan to regularly restock and ensure proper quantities of first aid supplies
- AED (Automated External Defibrillators)
- Emergency Supplies: Food, water, flashlights, tools, battery powered radio, mobile and solar chargers, petty cash, building keys

Items for Protecting Continuity of Critical Functions

- Important Documents and Records
   - Documents: recovery plan, damage assessment forms, critical process flow documents, server recovery scripting, phone redirect scripting, data backup procedure
   - Records: insurance policies, employee rosters and contact information, contracts, vendor/partner contact information, fixed asset inventory
- Login and Password Credentials
- Office Supplies

7. Regulatory Compliance and Disaster Recovery

Banks are required by FFIEC to have disaster recovery plans in place before they can be approved. They require a risk assessment to identify and quantify threats to information assets and to ensure that the solutions institutions have in place to mitigate risks are viable.

One of the questions asked during an audit could be the date of your most recent risk assessment. There is also an entire section focused on your disaster recovery program that asks the following questions:

- Do you have an organization-wide disaster recovery and business continuity program?
- Are disaster recovery and business continuity plans based upon a business impact analysis? If yes, do the plans identify recovery and processing priorities?
- Is disaster recovery and business continuity included in your risk assessment?
- Do you have formal agreements for an alternate processing site and equipment should the need arise to relocate operations?
- Do business continuity plans address procedures and priorities for returning to permanent and normal operations?
- Do you maintain offsite backups of critical information? If yes, is the process formally documented and audited?
- Do you have procedures for testing backup media at an offsite location?
- Have disaster recovery/business continuity plans been tested? If yes, please identify the system(s) tested, the corresponding test date, and the date reported to the Board.

8. Lessons From Major Hurricanes: How to Protect Yourself from the Next Weather Disaster

Every Storm is Different
Don’t just learn the lesson of what happened. Think ahead. Every weather pattern is unique; don’t assume you will have the same experience every time.

Proper Business Continuity Planning Saves Jobs and the Local Tax Base
The most successful way to prevent a lengthy business disruption is to plan for it. Thorough planning will ensure that your team always has a blueprint for recovery that will work in a real-life situation.

Think, Work, and Act Like a Team
Employers should encourage employees to have their own family emergency plans and to strengthen their homes to withstand disasters as well as possible. Since employees are the first line of defense in a disaster, employers should offer advice and try to help their employees in any way they can.

Make Communication Your Number One Priority
Disaster recovery requires everyone to work together, meaning that communication is integral to disaster recovery success. Communication keeps everyone in contact during business recovery, and allows companies to locate all employees in a crisis situation.

Test and Retest
What sounds good on paper might not always work in a real situation. Did it take longer to get down a certain hallway than you had planned? Did your redundant server automatically protect your data when your primary server went off? Did the security cameras stay on when the electricity went out? These are the types of things that can only be determined by doing.

9. Testing and Preparedness are the Keys to Survival

We work in a world today where automation and connectivity are crucial to smooth business operations. Many information technology systems are virtual and many applications and databases are in the cloud. These are competitive strengths when they’re working, but when electricity and telecommunications are down, all these systems come to a halt.

Testing of information technology recovery and restoration is all the more vital in today’s digital world. Having regular back-ups, redundant infrastructure, and a disaster recovery partner who can relocate your operations to a fully stocked mobile branch, or other temporary space, are all competitive advantages in a crisis situation.

As the most recent hurricanes showed us, lack of access to financial institutions makes it difficult for people to recover from crises in a timely fashion. Following these events, people were hurt, hungry, and had nowhere to go. As a bank, you should ensure that situations such as these don’t happen again to the communities you serve.

No matter what the situation, disasters don’t have to shut down your bank. Proper planning and testing mean your organization will have minimal, if any, downtime during a crisis. Take steps today and put your testing procedures in motion.

We are the leading provider of business continuity and disaster recovery solutions. After a business interruption, we deliver the resources that make recovery and resilience simple. Our customers have guaranteed access to temporary power, furnished mobile office space, communications equipment, and technology, as well as planning and testing resources. In the wake of the unexpected, we ience simple by providing the expertise and resources your organization needs to recover quickly. Whether you’re a seasoned continuity professional or creating your company’s emergency plan for the first time, we’re ready to support you and your team.

1601 Wewatta Street, Suite 300, Denver, CO 80202
