External Supplier Control Requirements BCM

Size: px

Start display at page:

Download "External Supplier Control Requirements BCM"

Erik Daniel
8 years ago
Views:

1 External Supplier Control Requirements BCM

2 BCM Requirement Description BCM Tiers Recovery Time Objective Why this is important 1. Business Continuity Policy Supplier will have a documented Business Continuity policy in place, which is reviewed on a periodic basis, but at least annually. To enable Barclays to ascertain that there is an appropriate Business Continuity policy in place. Failure to execute the required BCM solution when required may cause operational damage, loss of revenue, legal or regulatory sanction, or reputational damage to Barclays. 2. Business Continuity Governance The Supplier will assign an accountable person for Business Continuity who will assign roles and responsibilities to the management team for the service and review these at least annually. 3. Business Impact Analysis The Supplier will conduct (at least annually) a business impact analysis. This must be reviewed and approved by the accountable person responsible for business continuity management and by the executive responsible for the services. 4. Supplier s Risk Assessment The Supplier will perform (at least annually) a risk assessment to identify the risks that could cause a business interruption and ensure that appropriate controls are implemented to manage and control such risks. 5. Business (BCP) The Supplier will have a documented Business to meet the Recovery Time Objective (RTO) specified by Barclays for the provided services. The Business must be submitted for review by Barclays on an annual basis or following any major changes/enhancements to the services. Barclays BCM Tiers : Tier 1 (RTO): 0-4 hours Tier 2 (RTO): 4-8 hours Tier 3 (RTO): 8-24 hours Tier 4 24 hours 5 days Tier 5 No planned recovery 6. Supplier Business invocation process The Supplier will review the formal Business invocation process on an annual basis to ensure that the initial responses to an incident are appropriate. To enable Barclays to ascertain that there is an appropriate Business solution in place, which can be invoked as required. Failure to do so may cause operational damage, loss of revenue, legal or regulatory sanction, or reputational damage to Barclays.

3 7. Business The Supplier will test the Business in accordance with the Tier 1 & 2 - Every 12 months Tier 3 & 4 - Every 24 months To enable Barclays to ascertain that there is an appropriate and implementable business recovery plan in place for recovery of test services tier or soon after major changes / the Supplier s service within agreed RTO. Failure to execute the enhancements / remediation have been required BCM solution when required may cause operational implemented that affect the Services. damage, loss of revenue, legal or regulatory sanction, or The Supplier will ensure that identified gaps are addressed with a remediation reputational damage to Barclays. plan (action, ownership, delivery date) and shared and agreed with Barclays. 8. Supplier IT The Supplier will have a documented IT Barclays BCM Tiers : Disaster Recovery Plan (IT DRP) Disaster Recovery Plan (IT DRP) in place, which is reviewed by the Supplier on a periodic basis or soon after major changes/enhancements have been implemented to the service. Supplier must ensure that actions highlighted from the IT Tier 1 (RTO): 0-4 hours Tier 2 (RTO): 4-8 hours Tier 3 (RTO): 8-24 hours Tier 4 24 hours 5 days Tier 5 No planned recovery DRP review are implemented in a timely manner 9. Supplier IT Disaster Recovery Supplier will test the IT DRP to confirm its ability to recover the service in the agreed Tier 1 & 2 - Every 12 months Tier 3 & 4 - Every 24 months Plan (IT DRP) test timeframes. The test is to be carried out on an annual basis or soon after major changes / enhancements /remediation have been implemented that affect the Services. The Supplier reviews the test results and ensures that suitable actions are taken to remediate the identified findings.

4 BCM Requirement Description Why this is important 10. Incident & Crisis (Crisis Team) The Supplier will have a crisis management team responsible for the implementation of a crisis management plan detailing procedures to be taken in the event of an incident or event that impacts the delivery of services to Barclays. solution in place. Failure to execute the required BCM solution when required may cause operational damage, loss of revenue, 11. Invocation of the Plan (Communication Plan/Incident Log) Supplier must notify Barclays in the event of a service interruption which requires invocation of one or many of the Business, Crisis Plan and/or IT DR Plan. Supplier must prepare an incident report which must be shared with Barclays in the event of a Service interruption. Supplier also must maintain an incident log that shall be shared with Barclays in the event of a Service disruption. The Supplier shall invoke the Plan in the following circumstances: in the event of a service interruption or if required and requested by Barclays. solution in place. Failure to execute the required BCM solution when required may cause operational damage, loss of revenue, 12. IT DRP cover for System Recovery Documentation System Recovery Documentation must be in place to support IT DR plan and to meet the Recovery Time Objective (RTO) specified by Barclays for the provided service. System Recovery Documentation must be reviewed and signed off by the Supplier system owner annually or when there is a significant change. If this principle is not implemented, Barclays cannot ascertain that there is an appropriate BCM when required may cause operational damage, loss of revenue, legal or regulatory sanction, or reputational damage to Barclays. 13. Supplier and Barclays participating in each other BCP and IT DR testing / validations. Where appropriate, and by agreement, Supplier and Barclays might participate in each other BCP and IT DR tests/validations, and also jointly test Incident and Crisis scenarios. To enable Barclays to mutually engage with the Supplier on tests for key Services and in order to meet regulatory requirements where some country specific regulators require such tests.

Bank of Papua New Guinea Prudential Standard BPS251: Business Continuity Management

Bank of Papua New Guinea Prudential Standard BPS251: Business Continuity Management Issued under Section 27 of the Banks and Financial Institutions Act 2000 Overview and Key Requirements Business Continuity