IT Examiner School
Examiner: Although your main applications are serviced by Fiserv under contract, do you have a formal agreement for an alternate wire transfer location? NA Fossil: CEO Bose has made a “verbal” agreement with the Bankers Bank. Wire transfers I think can also be done through our correspondent bank via phone as we don’t have that many per day.
Examiner: I did not see that implied or stated in any documents. NA Fossil: I believe the CEO was working on getting it formalized.
Examiner: I did not see where your disaster recovery plan specifically stated in what order processes/programs are to be brought back up. Is this listed everywhere? NA Fossil: Not yet. The Plan just states the time frames for “most critical,” “critical,” and “important” applications. The person we hire will be required to address this within the plans.
Examiner: So, do you maintain offsite backups of critical information? NA Fossil: Yes, the bank stores this information at an FI Branch as well as the Cloud.
Examiner: Ok, provide me more information about offsite backups stored at a Cloud backup provider. NA Fossil: Yes, we use U-Store Cloud, Inc. for all critical/important bank and customer data. The data is the same as what is stored in the Branch.
Examiner: A few questions. Did you sign a contract with this entity, do they provide you with a recovery time that meets your FI’s DR/BCP requirements, and have you tested with them? NA Fossil: Yes, we signed a five-year agreement with them three months ago and it does provide for RTOs that meet our recovery objectives. As for testing, we did a very limited network test shortly after signing the contract that did meet our objectives. We are planning a more extensive test later this year once we onboard the additional staff.
Examiner: In the pre-exam phase, you mentioned no formal backup testing procedures since you are serviced by Fiserv. Any thought to testing network backup, wire transfers, ACH, or item processing? NA Fossil: Those are simple processes to bring back up and so we have not specifically included those. We focused more on our core application.
Examiner: And how do you access the core application or wires? NA Fossil: Through a log on. Oh, I see what you are saying.
Examiner: So is it fair to say these things have never been tested? NA Fossil: Well, not exactly. One of my domain controllers crashed and I had to recreate that last year. Doesn’t that count?
Examiner: Well, not exactly. There are many other devices on your network that are essential to it being productive and secure. You cannot just create a network in a degraded mode and place security aside in the meantime.