Summer Regulatory Summit eBook

Additional Considerations

• Control (Emergency Preparedness):
  o Are all Emergency Preparedness Plans (Disaster Recovery, Business Continuity, Incident Response, Pandemic) tested on a set basis (at least annually)?
  o Are reports and results presented to the Board of Directors?

• Recommendation:
  o The Organization should document procedures addressing emergency preparedness testing, outlining the frequency, scope, and types of emergency preparedness testing to be performed.
  o The Organization should perform an annual orientation or tabletop test of all Emergency Preparedness Plans. The Organization should follow FFIEC guidelines and include the following in its testing documentation:
    - Roles and responsibilities for all test participants, including support personnel
    - A consolidated exercise and test schedule that encompasses all objectives
    - A specific description of objectives and methods
    - Identification of decision makers and succession plans
    - Exercise and test locations
    - Exercise and test escalation procedures and the ability to adjust for simulated scenarios
    - Contact information
    - Metrics to measure the success or failure of the exercise or test
  o Management should review the exercise and test results, update the Plan where appropriate, and report the results to the Board or a Board-designated committee.

© SBS CyberSecurity, LLC www.sbscyber.com

38
