IT Examiner School - Oct 2023

Internal Use Only

Conduct Risk Monitoring

Test the plans to ensure they are viable. Tests should:

• Be commensurate with system complexity and criticality.
• Involve audit/independent review personnel.
• Include appropriate Licensee personnel to ensure they are familiar with the disaster recovery procedures.
• Be conducted at least annually or more often if significant changes occur.
• Be reported to the Board & Senior Management.
• Be sufficiently documented.

Exercises and tests help management validate continuity and resilience of technology components, including systems, networks, applications, and data, that support critical business functions.

Testing Strategies

Staffing – Demonstrate staff’s ability to support business processes, communication, and reconciliation of transactions.

Technology – Data, systems, applications, network, and telecommunications necessary for supporting business activities.

Facilities – Environmental controls, workspace recovery, and physical security.
