Marrying Vendor Management and BCP

By: (CISSP, CISA, Security+)

Publication: The Community Banker, Summer 2015

With the FFIEC’s addition of Appendix J to its Business Continuity Planning (BCP) Handbook, many of us were left wondering whether they actually meant to put the appendix in one of the handbooks related to vendor management.  The four major sections of Appendix J are even titled Third-Party Management, Third-Party Capacity, Testing with Third-Party TSPs (Technology Service Providers), and Cyber Resilience.  With the exception of Cyber Resilience, they all sound like they belong in your vendor manager’s lap, and the idea that something belongs in any one person’s lap may be part of the problem.

Business continuity and disaster recovery planning is an interesting animal.  There are a myriad of details and expectations involved in business continuity planning.  You are estimating how long a process can afford to be down (its recovery time objective), everything required for that process to be restored, how long it takes to replace each of those things, and who can take charge of restoration if your primary process owner is unavailable.  Needless to say, there are a lot of moving parts in this web of interdependencies.  Once you have worked this out for one process, you still have several other processes to work through before you have a complete plan.  Because there are so many interdependencies, many people don’t take the time to perform a gap analysis to identify the holes in their expectations.  If you want a process back up three hours after a disaster, but it requires a piece of equipment that takes a week to replace, you have a large gap between what you want to happen and what can actually happen.  Once these gaps are identified, you can adjust your expectations for the process, find faster ways to replace that piece of equipment, or find ways to perform the process manually until the equipment arrives.  These discussions need to happen well in advance of your next disaster.

Now, enter vendor relationships.  Never before have we relied on vendors and outsourced services more.  With the expansion of technological advances comes the expansion of our reliance on companies who understand how to use those advances.  I’m sure you have all developed useful vendor management procedures to manage the risks involved in third-party relationships that touch customer information and/or your network.  Appendix J reminds us that while business continuity planning and vendor management are both great things to have individually, they need to overlap more than most people think.  Are your business continuity expectations reliant on any vendor service?  Are you assuming that your vendor will be available immediately to come to your aid?  I think we tend to assume we will be our vendor’s only priority should disaster strike.  It’s important to understand what kind of clientele your vendor serves.  Do they have many customers in your area who could need their help just as much as you would during or following a disaster?  When looking at cyber attacks, have you planned for a scenario where you and your critical service provider fall victim to the same attack and are both working toward recovery simultaneously?  Do your BCP recovery procedures all involve moving to another branch, or are you also preparing for the network or communications link to your vendor to be down as well?  Many people are well prepared to pick up and function at a branch location, but have no manual procedures in place in the event they can’t communicate with their core processor or their network files are unavailable.  Does your BCP testing involve your service providers?  Do applicable vendors have their own incident response plans, and have you seen them?  As I said earlier, these questions should be answered now, while you have time to review and upgrade your BCP or vendor management procedures, instead of discovering the answers during a disaster or cyber attack.

I think the biggest thing I took away from Appendix J is the reminder that no part of our information security program should be compartmentalized.  These areas of security all depend on each other, so collaboration and review are necessary for making them useful and successful.  Happy planning!