Finding #19

Description *

Priority (1-4) Category 1 Category 2

Formatted Text *

Lack of Bank Involvement in Annual DR Testing

Severity Level: Priority 2
Category: Compliance / Business Contiunity

Description:
The bank conducts integrity tests and participates in ASI DR tests but lacks full involvement in server DR testing, missing opportunities to validate RTO, RPO, and procedures.

Impact:

Unvalidated recovery processes may fail during real incidents.
Non-compliance with DR testing standards.
Outdated recovery scripts increase recovery time.

FFIEC Reference:

FFIEC IT Examination Handbook (November 2016):

"Institutions must test DR plans annually with stakeholder involvement." (p. 55)
"Validated RTO/RPO ensures operational resilience." (p. 57)

Recommendations:

Involve Bank Staff: Include bank personnel in annual server DR tests.
Evolve Test Scripts: Update scripts based on test outcomes.
Validate RTO/RPO: Measure and refine recovery metrics.
Document Procedures: Maintain current DR documentation.

<h2 style="margin: 0in; font-size: 14pt; font-family: Arial, sans-serif; color: rgb(89, 89, 89); letter-spacing: 0.25pt;">Lack of Bank Involvement in Annual DR Testing </h2>Severity Level: Priority 2 Category: Compliance / Business Contiunity Description: The bank conducts integrity tests and participates in ASI DR tests but lacks full involvement in server DR testing, missing opportunities to validate RTO, RPO, and procedures. Impact:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Unvalidated recovery processes may fail during real incidents.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Non-compliance with DR testing standards.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Outdated recovery scripts increase recovery time. <o:p></o:p></li></ul>FFIEC Reference:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">FFIEC IT Examination Handbook (November 2016):<o:p></o:p></li><ul type="circle" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">"Institutions must test DR plans annually with stakeholder involvement." (p. 55)<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">"Validated RTO/RPO ensures operational resilience." (p. 57) <o:p></o:p></li></ul></ul>Recommendations:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Involve Bank Staff: Include bank personnel in annual server DR tests.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Evolve Test Scripts: Update scripts based on test outcomes.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Validate RTO/RPO: Measure and refine recovery metrics.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Document Procedures: Maintain current DR documentation.<o:p></o:p></li></ul>

Back to list