Due Diligence and Ongoing Monitoring

  • 1.  Business Continuity Testing

    This message was posted by a user wishing to remain anonymous
    Posted 01-05-2021 11:20 AM

    I am looking for best practices when it comes to business continuity testing. We do collect the due diligence documentation with policies & test results or executive summaries.

    Do any users ask Mission Critical or High Risk vendors if the FI can participate in their annual testing? Is that done during due diligence or is it a separate process between business continuity managers & vendor owners? I am collaborating with our BC administrator and want to research best practices.

    Thank you


  • 2.  RE: Business Continuity Testing

    Posted 01-07-2021 03:48 PM

    The FFIEC IT Examination Handbook – Business Continuity Management booklet (Nov 2019) page 45 attached to this reply provides the following guidance regarding Business Continuity Testing collaboration with Third Party Technology Service Providers:


    'Third-party service providers deliver critical services to many entities and should be included in the enterprise-wide exercise and testing program. The extent of inclusion in the entity's program should be based on the criticality of the third-party service provider and the business function. Management should obtain assurance that third-party service providers are resilient and have adequate infrastructure and personnel to restore critical services consistent with business and contractual requirements. The right to perform or participate in testing with third-party service providers should be included in the contract governing the entity's relationship with the third party.


    Management should actively participate in the entity's third-party service providers' testing programs and should verify that testing strategies include likely significant disruptive events. Third-party service providers should be transparent about testing parameters and results because not all clients can participate in every testing activity (e.g., when there is a large client volume) and some exercises and tests may not be relevant to the services provided to a specific customer. Management should request and receive test results and reports, remediation action plans and status reports upon their completion, and related analysis or modeling. Management should track and resolve any issues identified during the exercise in a timely manner, according to the severity of the issues. Any test results that affect the entity should be presented to its board. In most instances, equating one entity's recovery experience with another's does not guarantee similar results; therefore, management should perform its own analysis. Refer to the IT Handbook's "Outsourcing Technology Services" booklet for additional information.' 

    From my experience in reviewing the BC/DR practices in place in thousands of organizations, many organizations (especially larger ones) will not allow clients to participate in testing due to the volume of clients they have being prohibitive to allowing all to participate. As outlined in the excerpt above, it is important to identify your options for participating while drawing up the contract with the service provider.


    This response is geared towards a financial institution, but even if your organization is not an FI, BCDR best practices are driven and influenced heavily by the regulations in the financial industry, so this advice can be extrapolated to other industries not regulated by the FFIEC.


    Thanks for participating in the community, and please let me know if there is any further information I can provide to help you hone your business continuity practices.

