LiveSite Disaster Recovery Testing Methodology
The “LiveSite” Disaster Recovery Test methodology allows your institution to restore critical technology, communications, and financial applications and exercise critical functions as a “proof of concept” that business resumption objectives can be achieved in the event of a disaster.
| Excerpts from the FFIEC Testing Policy Guidance March 2008 Business Continuity Planning Booklet | Description of Recovery Solutions Compliance with FFIEC Testing Requirements. |
|---|---|
| “Establish a testing cycle that increases in scope and complexity over time” | Annual test for term of the Enrollment Agreement. Annual planning discussions to ensure changes at the Institution are incorporated in the test plan. |
| “Develop enterprise wide test” | All critical applications (multiple) departments tested during each annual test. |
| “Involve essential employees in the test process” | Sufficient space and systems to support multiple employees to test simultaneously in the LiveSite Disaster Recovery Test Center. |
| “Incorporate unplanned events, such as loss of key individuals” | Assistance in planning for alternate officer/employee testing using the Institution’s procedures (e.g., Pandemic event). |
| “Incorporate unplanned events via system testing” | Remote access testing (e.g., Pandemic event). |
| “Serviced institutions should test communication and connectivity with service provider’s systems” | Satellite Internet and encrypted networks to Core service provider systems. |
| “In-house institutions should address the active involvement of personnel when systems and data files are tested. Sending back-up tapes to a back-up service provider is not sufficient” | Restoration of the Institution’s in-house applications and data in the LiveSite Disaster Recovery Test Center. |
| “Testing should include enterprise strategies including facilities” | Testing is conducted in an actual Mobile Institution Facility where employees can experience how they would actually conduct business within the facility in the event of an actual disaster. |
| “Testing strategies should include the testing scope and objectives” | Multiple meetings with the Institution prior to the test to define and document scope. Recovery Solutions provides sample Test Scripts and has employees with Financial Institution expertise who will assist the Institution in developing a comprehensive enterprise-wide test plan. |
| “Involve a sufficient volume of all types of critical transactions to ensure adequate capacity in the recovery facility" | Transactions performed are timed and documented in the Recovery Solutions Test Report as evidence of sufficient response times. Multiple Bank employees may test simultaneously. Production transaction batches can be processed to confirm adequate system and communications network capacity. |
| “Validation of the RTOs and RPOs within the Institution’s Business Impact Analysis” | Recovery Solutions Test Report includes elapsed times associated with restoring systems and data for testing. Recovery Solutions formal Test Report includes completion time of functional validation so that the Institution can compare combined restoration and validation times against their internal RTOs and RPOs. |
| “Uncover inadequacies so that testing procedures can be revised” | Issues/Action Plans are documented in the Recovery Solutions Test Report. These action plans are reviewed with the Institution when planning for future testing. |
| “Identify quantifiable measurements of each test objective” | Recovery Solutions provides sample Test Scripts and has employees with Financial Institution expertise who will assist the Institution in developing a customized test plan. The Recovery Solutions Test Report includes completed test scenarios, documenting expected and actual test results, as well as any gaps identified. |
| “Provide participants with relevant information including: Roles and Responsibilities, Description of Test Objectives, Test Location Escalation Conditions and Contacts" | Recovery Solutions Test Script Samples include: pre-test conference calls, scope documents, mutually agreed upon test scenarios, and test Preparation Checklist. |
| “Test results should be evaluated and reviewed by a qualified independent party” | Recovery Solutions Test Report includes: Management summary of objectives and results, detailed transaction processing, information RTO and RPO measurements. Gap Analysis/Issues which lists Action Plan for next test preparation and communication logs. Technical network communication information, officer/employee participant information, facility configuration, information (emulates Institution production environment), Information security controls and procedures. |
