Pub. 4 2015 Issue 2

The CommunityBanker
BANK BYTES

Marrying Vendor Management and BCP
By Stephanie Chaumont, CISA, CISSP, Security+

With the FFIEC’s addition of Appendix J to its Business Continuity Planning (BCP) Handbook, many of us were left wondering if they actually meant to put the appendix in one of the handbooks related to vendor management. The four major sections of Appendix J are even titled Third-Party Management, Third-Party Capacity, Testing with Third-Party TSPs (Technology Service Providers), and Cyber Resilience. With the exception of Cyber Resilience, they all sound like they belong in your vendor manager’s lap, and the idea that something belongs in one person’s lap may be part of the problem.

Business continuity and disaster recovery planning is an interesting animal. There are a myriad of details and expectations involved in business continuity planning. You are estimating how long a process can afford to be down, all the things required for this process to be restored, how long it takes to replace all those things required for the process to be restored, and who can be in charge of restoration even if your primary process owner is unavailable. Needless to say, there are a lot of moving parts in this web of interdependencies. Once you have worked this out for one process, you then have several other processes to work through before you have a completed plan.

Because there are so many interdependencies, many people don’t take the time to perform a gap analysis to identify any holes in their expectations. If you want a process back up three hours after a disaster, but it requires a piece of equipment that takes a week to replace, you have a large time gap between what can happen and what you want to happen. Once these gaps are identified, you can adjust your expectations for the process, find faster ways to replace that
