By: Daniel Lindley (Network+, CISA)
Publication: The Kansas Banker, March/April 2019
For many financial institutions, Business Continuity Plan (BCP) tests are easy to identify and trivial to document as senior management is familiar with the concept and the tests occur on a fairly frequent basis, either because they are scheduled in advance or because Internet/phone/power outages happen to every business at some point. When it comes to the Incident Response Plan (IRP) tests, however, the situation is not so clear. Whether this is because the FFIEC actually includes Incident Response Testing as part of the Business Continuity Planning Booklet or because, like things that happen in Vegas, incidents aren't spoken of after they occur. Additionally, it may depend on who you ask and if there's any resulting reputational damage, just to make things even muddier.