WeChat official account: 业务连续性+ (Business Continuity+)

FFIEC BCM Examination Handbook v2019, Abridged Chinese Translation (Part 3)

Part 3: From Appendix A, Examination Procedures, to Appendix D, References (the bilingual translation runs to about 78,000 characters, so it has been published in three parts)

Foreword: The financial industry is one of the industries with the most demanding regulatory requirements and the highest level of practice in business continuity management. The FFIEC Business Continuity Management examination booklet is guidance issued by the US Federal Financial Institutions Examination Council (FFIEC) to assist examiners in evaluating the business continuity management of financial institutions and service providers. In November 2019 the FFIEC released the third version of this booklet, which "reflects changes in customer and industry expectations for operational resilience." This abridged Chinese translation was prepared so that friends who follow business continuity management in the financial industry can learn about overseas regulatory requirements and best practices; it was produced jointly by a volunteer translation team of professionals. Before the end of 2020 I solicited volunteer translators through my WeChat official account and Moments, and a translation team of professionals (陈燕, 陈阳, 董晓礼, 傅盛, 康馨月, 米顺强, 刘松林, 刘宇, 马骏, 卜善梅, 盛琳, 孙书强, 燕波涛, 袁洪波, 翟红波, 翟晓羽, 张锋 and others) quickly came together and completed the first draft in March 2021.

Members of the volunteer translation team (in no particular order; sorted by pinyin of surname): 陈燕 (Shenzhen, cheny105@163.com); 陈阳 (Bank of China European Information Center, chenyang@bankofchina.com); 董晓礼 (Shanghai, db2forz@qq.com); 傅盛 (Guangzhou CEPREI Certification Center, sanarcher@qq.com); 康馨月 (Tianjin Foreign Studies University, 2368074522@qq.com); 米顺强 (Beijing); 刘松林 (China Bohai Bank, lslinbest@163.com); 刘宇 (Beijing, 13316880733@189.cn); 马骏 (Dalian, patrick.ma2018@outlook.com); 卜意淳 (Hejun Consulting, 653809172@qq.com); 盛琳 (Hangzhou, linmuxuanzi@163.com); 孙书强 (中科博安, HSDJL2@126.com); 燕波涛 (North China Institute of Science and Technology, 18618264196@qq.com); 袁洪波 (Universal Studios, yuanhongbobo@126.com); 翟红波 (Beijing, 25354646@qq.com); 翟晓羽 (Beijing, zxy0264@126.com); 张锋 (Beijing, zhangfeng76@wo.cn); 王曙 (新常安科技, kevinwang@vip.sina.com)

My thanks to the professionals on the volunteer translation team for giving up their personal rest time during the pandemic to do this translation work. I was responsible for the final unified review and finalization of the translation below; any inaccuracies or misunderstandings in it are my fault alone and not that of the translators. If you have comments or suggested changes to the translation, please leave me a message.

王曙 (kevinwang), 2021.06.10


Appendix A: Examination Procedures

Examination Objective

These examination procedures (also known as the work program) are intended to assist examiners in determining the quality and effectiveness of the business continuity process on an enterprise-wide basis or across a particular line of business. Additionally, these procedures assist examiners in evaluating whether business continuity testing demonstrates the entity’s ability to meet its business continuity objectives, including management’s ability to recover, resume, and maintain operations after disruptions ranging from minor outages to full-scale disasters. Examiners are not limited by the examination procedures presented here and may choose to use only certain components of the work program based on the size, complexity, and nature of the entity’s business. Depending on the examination objectives, a line of business can be selected to sample how the entity’s continuity planning or testing processes work individually or for a particular business function or process.

Objective 1: Determine the appropriate scope and objectives for the examination.

  1. Review past reports for outstanding issues or previous problems. Consider the following: a. Regulatory reports of examination. b. Internal and external audit reports. c. Reports by independent risk management. d. Business continuity tests. e. Regulatory, audit, and business continuity reports on third-party service providers.

  2. Review management’s response to issues identified during or subsequent to the last examination. Consider the following: a. Adequacy and timing of corrective action. b. Resolution of root causes rather than symptoms. c. Status of uncorrected issues. d. Retesting to validate corrective action.

  3. Interview management and review responses to pre-examination information requests to identify changes to technology infrastructure or new products and services that could affect business resilience. Consider the following: a. Products or services delivered to either internal or external users. b. Network topology or diagram, including changes to configuration or components and all internal and external connections. c. Hardware and software inventories. d. Loss, addition, or change in duties of key personnel. e. Third-party service provider and software vendor listings. f. Changes to internal business processes. g. Changes based on industry changes or threat intelligence.

  4. Review newly identified threats and vulnerabilities to the continuity of operations. Consider the following: a. Technology and security vulnerabilities. b. Internally identified threats. c. Externally identified threats (e.g., cybersecurity alerts, pandemic alerts, or emergency warnings published by information-sharing organizations and government agencies).

Objective 2: Determine whether the board and senior management promote effective governance of business continuity through defined responsibilities, accountability, and adequate resources to support the program. (II.A, “Board and Senior Management Responsibilities”)

  1. Determine whether business continuity policies and critical business procedures are: a. Up to date and reflective of the current business environment. b. Communicated effectively throughout the entity. c. Available during adverse events. d. Securely maintained.

  2. Determine whether the board and senior management provide leadership when overseeing business continuity, including: a. Evaluating continuity risk. b. Setting short- and long-term continuity objectives. c. Adopting appropriate policies and procedures. d. Evaluating continuity performance. e. Adjusting programs and operations in response to test results and actual events.

  3. Determine whether management strengthens resilience through the following: a. Assessing continuity risk. b. Resilience planning. c. Testing business continuity plans. d. Incorporating lessons learned from testing and events. e. Considering resilience in business functions and in the design of existing operations and new products and services.

  4. Determine whether board oversight includes the following: a. Assigning business continuity responsibility and accountability. b. Allocating resources to business continuity (e.g., personnel, time, budget, and training). c. Aligning BCM with business strategy and risk appetite. d. Understanding business continuity risks and adopting appropriate policies and plans to manage events. e. Understanding business continuity operating results and performance. f. Providing a credible challenge to management responsible for the business continuity process (e.g., the board minutes provide evidence of active discussions). g. Establishing a provision for management intervention if timeliness for corrective action is not met.

  5. Determine whether management oversight of business continuity includes the following: a. Defining business continuity roles, responsibilities, and succession plans. b. Allocating knowledgeable personnel and sufficient financial resources. c. Validating that personnel understand their business continuity roles. d. Establishing measurable goals against which business continuity performance is assessed. e. Designing and implementing a business continuity exercise strategy. f. Confirming that exercises, tests, and training are comprehensive and consistent with the exercise strategy. g. Resolving weaknesses identified in exercises, tests, and training. h. Meeting regularly to discuss policy changes, testing plans, and training. i. Assessing and updating business continuity strategies and plans to reflect the current business conditions and operating environment, for continuous improvement. j. Aligning plans between business units across the enterprise. k. Coordinating plans and responses with external entities.

Objective 3: Determine whether the board and senior management engage audit or other independent review functions to review and validate the design and operating effectiveness of the BCM program. (II.B, “Audit”)

  1. Determine whether the board and senior management have engaged audit (or an independent review) to validate the design effectiveness of the business continuity program and whether controls are operating effectively.

  2. Determine whether audit reports to the board and provides an assessment of management’s ability to manage and control risks related to continuity and resilience.

  3. Determine whether audit leverages SOC reports and other external artifacts from third-party service providers, as appropriate.

  4. Determine whether the board or management validates that the auditor is qualified to carry out the review and is independent of the business continuity or related functions.

  5. Evaluate the audit coverage of business continuity, whether through a general controls audit, during audits of business lines, or as a stand-alone business continuity audit. Audit coverage should include the following: a. The reasonableness and comprehensiveness of the BIA and business continuity risk assessment(s). b. The reliability, adequacy, and effectiveness of continuity and resilience controls. c. The effectiveness of risk mitigation efforts. d. Whether test plans achieve their stated objectives based on reasonable assumptions. e. Audit monitoring of exercises and tests, reviewing test plans and results, and verifying that any issues are identified and appropriately escalated. f. Assessment of the business continuity program’s effectiveness.

Objective 4: Determine whether management developed an appropriate and repeatable BIA process that identifies all business functions and prioritizes them in order of criticality, analyzes related interdependencies, and assesses a disruption’s impact. (III.A, “Business Impact Analysis”)

  1. Determine the process through which management inventories business functions. Management may use the following artifacts to identify the functions: a. Organizational charts. b. Work flows (also called process maps). c. Interview notes. d. Network diagrams/topologies. e. Data flow diagrams.

  2. Determine whether management inventoried the critical assets and infrastructure upon which business functions depend, including the identification of single points of failure. Critical assets and infrastructure may include the following: a. People. b. Hardware. c. Software. d. Cash reserves. e. Supporting activities (e.g., technology support, payroll, contracting). f. Supporting software (e.g., email, office productivity suites). g. Network connectivity. h. Communication lines. i. Facilities. j. Utilities. k. Infrastructure and services provided by third-party service providers.

  3. Determine whether the interdependency analysis includes the following: a. Internal systems and business functions, including services, production processes, hardware, software, application programming interfaces, data, and vital records. b. Third-party service providers, key suppliers, and business partners. c. Telecommunications single points of failure. d. Power single points of failure.

  4. Review the BIA to determine whether the prioritization of business functions is reasonable. Consider management’s ability to do the following: a. Determine the operational and financial impacts of a disruption. b. Aggregate loss impacts and determine a rating scale to indicate impact severity. c. Reconcile BIA and risk assessment results with prioritization and document whether the reconcilement is adequate.

  5. Determine whether the BIA produces sufficient information to estimate the following: a. Recovery point objectives (RPO). b. Recovery time objectives (RTO). c. Maximum tolerable downtime (MTD).

Objective 5: Determine whether management conducts a risk assessment sufficient to evaluate the likelihood and impact of potential disruptions and events. (III.B, “Risk Assessment”)

  1. Review risk assessment(s) to determine whether management has identified all reasonably foreseeable hazards and threats to the continuity and resilience of the entity. Examples of risks can include: a. Natural: * Flood, earthquake, hurricane, tornado, and other weather events. b. Technological: * Technological: Malware, cyberattack, and hardware and software failure. * Operational: Critical infrastructure disruption (e.g., transportation and water systems). c. Adversarial or human-caused: * Personnel: Strike, pandemic, and malicious insider. * Social: Terrorism, vandalism, looting, riots, and protests. d. Combination: * Facility: Fire, power outage, and loss of access. * Geographic-related: Proximity to railroads or highways used for transport of hazardous materials, proximity to airports, traffic difficulties, and other issues. * Third-party: Services concentrated in a limited number of third-party service providers.

  2. Determine whether management identifies BCM risks and coordinates risk identification efforts throughout the entity to identify systemic threats. a. Determine whether management identifies and inventories the following: * Internal and external assets. * Types of threats and hazards. * Existing controls. b. Verify that the risk assessment includes the identification of cybersecurity risks and the results of information security risk assessments. c. Assess whether management obtains information about hazards and threats from external sources. d. Determine whether management considers threat intelligence in risk identification efforts.

  3. Ascertain whether management identifies interconnectivity points between the entity and its third-party service providers, as well as interconnectivity between those third-party service providers and other entities (i.e., the supply chain).

  4. Determine whether the risk assessment includes the impact and likelihood of potential disruptive events, including worst-case scenarios.

  5. Determine whether management identifies and analyzes gaps between the entity’s risk exposure and its risk appetite, and documents any controls implemented to mitigate the residual risk.

Objective 6: Determine whether the entity’s risk management strategies are designed to achieve resilience. (IV.A, “Resilience”)

  1. Verify that management has evaluated strategies and resource needs and allocates appropriate resources to achieve resilience: a. Appropriate personnel and skill sets to carry out the functions. b. Time to identify and implement solutions. c. Budget to accomplish resilience goals and objectives.

  2. Determine whether management has implemented physical resilience measures that: a. Establish redundant communications between branches and data centers. b. Identify multiple power sources. c. Geographically diversify key entity locations.

  3. Determine whether management has implemented data and cyber resilience measures that: a. Maintain confidentiality, integrity, and availability for backup, replication, and production environments. b. Implement appropriate backups and sufficient documentation and retention periods for each iteration of data backup. c. Periodically reassess backup and recovery strategies as technology and threats change. d. Maintain an accessible, off-site repository of software, configuration settings, and related documentation. e. Establish procedures to recover critical networks and systems, including: * Backup types (physical or virtual). * Backup levels (full, incremental, or differential). * Update and retention cycle frequencies. * Software and hardware compatibility reviews. * Data transmission controls. * Data repository maintenance. f. Protect offline data backups from destructive malware that may corrupt production and online backup versions of data.
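The backup-level and offline-copy points above (e. and f.) are where an examiner most often finds the gap between what a policy says and what a restore can actually do. The following is an added illustration, not text or code from the FFIEC booklet: a small Python model of a backup catalog that works out which images a point-in-time restore needs under the incremental and differential schemes, compares the resulting data-loss window against an RPO, and checks each image in the chain against digests recorded on offline media at backup time, so an online copy encrypted by destructive malware is caught before it is trusted. The catalogs, timestamps, payloads and the 24-hour RPO are constructed for the example.

```python
"""Added example: restore chains, achieved RPO, and offline-manifest checks.
Hypothetical data; not part of the FFIEC BCM examination procedures."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Backup:
    taken: datetime
    level: str      # "full", "incremental" or "differential"
    payload: bytes  # stands in for the backup image


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def restore_chain(catalog, target):
    """Backups needed to restore to the newest point not after `target`.

    A differential scheme needs the last full plus the newest differential; an
    incremental scheme needs the last full plus every incremental taken since
    it, so a single missing or corrupted link breaks the whole chain. Catalogs
    are assumed to use one scheme between fulls.
    """
    usable = sorted((b for b in catalog if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.level == "full"]
    if not fulls:
        raise ValueError("no full backup before the target time")
    base = fulls[-1]
    since_full = [b for b in usable if b.taken > base.taken]
    diffs = [b for b in since_full if b.level == "differential"]
    incs = [b for b in since_full if b.level == "incremental"]
    if diffs and (not incs or diffs[-1].taken >= incs[-1].taken):
        return [base, diffs[-1]]
    return [base] + incs


def achieved_rpo(chain, incident):
    """Data-loss window: time from the newest restorable copy to the incident."""
    return incident - chain[-1].taken


def verify_against_manifest(chain, manifest):
    """Timestamps of chain members whose image no longer matches the digest
    recorded on offline media when the backup was taken (tampering/corruption)."""
    return [b.taken for b in chain if manifest.get(b.taken) != sha256(b.payload)]


def T(day, hour=0):
    """Constructed timestamps in March 2024 for the sample catalogs."""
    return datetime(2024, 3, day, hour)


RPO_TARGET = timedelta(hours=24)   # hypothetical objective taken from a BIA

# Constructed sample catalogs: one full on 3 March, then one backup per day.
INCREMENTAL_CATALOG = [
    Backup(T(3), "full", b"ledger-v1"),
    Backup(T(4), "incremental", b"delta-day4"),
    Backup(T(5), "incremental", b"delta-day5"),
    Backup(T(6), "incremental", b"delta-day6"),
]
DIFFERENTIAL_CATALOG = [
    Backup(T(3), "full", b"ledger-v1"),
    Backup(T(4), "differential", b"since-full-day4"),
    Backup(T(5), "differential", b"since-full-day5"),
    Backup(T(6), "differential", b"since-full-day6"),
]


def offline_manifest(catalog):
    """Digests written to offline, write-once media as each backup is taken."""
    return {b.taken: sha256(b.payload) for b in catalog}


def examine(catalog, incident, manifest, rpo_target=RPO_TARGET):
    """What an examiner wants to see for one incident time: the chain, the
    achieved RPO versus target, and any chain member failing the offline check."""
    chain = restore_chain(catalog, incident)
    rpo = achieved_rpo(chain, incident)
    return {
        "chain_levels": [b.level for b in chain],
        "rpo_hours": rpo.total_seconds() / 3600,
        "rpo_met": rpo <= rpo_target,
        "tampered": verify_against_manifest(chain, manifest),
    }


def ransomware_scenario():
    """Malware encrypts the online copy of the newest incremental; the offline
    manifest, recorded before the attack, exposes the altered image."""
    manifest = offline_manifest(INCREMENTAL_CATALOG)
    hit = replace(INCREMENTAL_CATALOG[-1], payload=b"ENCRYPTED-BY-MALWARE")
    return examine(INCREMENTAL_CATALOG[:-1] + [hit], T(6, 14), manifest)


if __name__ == "__main__":
    print(examine(INCREMENTAL_CATALOG, T(6, 14), offline_manifest(INCREMENTAL_CATALOG)))
    print(examine(DIFFERENTIAL_CATALOG, T(6, 14), offline_manifest(DIFFERENTIAL_CATALOG)))
    print(ransomware_scenario())
```

Two things the model makes visible that a policy statement does not: the incremental chain grows until the next full, so its retention period must cover every link back to that full, and the manifest only protects against destructive malware if it lives somewhere the compromised production environment cannot write to.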

  4. Determine whether management documented and implemented, as appropriate, the following resilience measures for personnel: a. Staffing and skills needed to operate critical functions related to business continuity. b. Lodging arrangements for displaced employees and their families. c. Basic necessities and services for displaced employees, including water, food, clothing, childcare, and transportation. d. On-site medical support and mobile command centers. e. Secure telecommunication options if employees work from an alternate location. f. Designated emergency personnel, including critical business process-level employees (i.e., those necessary to ensure all critical business operations function appropriately).

  5. Determine whether management documented and implemented, as appropriate, the following resilience measures for third-party service providers: a. Considered disruptive events that threaten the operational resilience and viability of the entity’s third-party service providers. b. Assessed the entity’s immediate or short-term space, systems, and personnel capacity to assume or transfer failed operations. c. Assessed critical third-party service providers’ susceptibility to multiple event scenarios. d. Reviewed third-party service providers’ resilience capabilities, including available test and SOC reports. e. Verified that SLAs with third-party service providers align with the entity’s recovery objectives. f. Established plans for the resilience of third-party service providers supporting critical operations.

  6. Determine whether management documented and implemented, as appropriate, the following resilience measures for telecommunications: a. Identifying and mitigating single points of failure across the entity’s infrastructure. b. Developing and maintaining a plan to address an outage in the telecommunications lines with its primary third-party service providers. c. Establishing redundant telecommunications links with each of the entity’s third-party service providers through a contractual arrangement that allows either party to switch its connection to an alternate communication path. d. Reviewing the entity’s third-party service providers’ plans and determining whether critical services can be restored within time frames acceptable to the entity. e. Developing guidelines, commensurate with the entity’s size, complexity, and risk profile, to diversify connections to mitigate the risk of a telecommunications failure. f. Assessing the communications technology that bridges the transmission distance between the telecommunications service provider and the entity for single points of failure. g. Monitoring relationships with telecommunications providers to manage risks. h. Evaluating communications and resilience needs to ensure branch communications. i. Inquiring about the physical paths used by telecommunications providers and verifying that system redundancies have been properly implemented.

  7. Determine whether management considers the following as part of the entity’s power resilience strategies: a. Alternate energy sources (e.g., generators and multiple power grids). b. Fuel requirements, both for fuel on hand and for contracts with suppliers for deliveries during events. c. Continued maintenance of generators. d. Testing of generators.

  8. Verify that BCM activities align with the entity’s change management process.

Objective 7: Determine whether the entity’s BCM includes communication protocols. (IV.B, “Communications”)

  1. Determine whether management considers, plans for, and prepares multiple mechanisms to communicate with personnel and other stakeholders while maintaining appropriate controls to safeguard customer information. Other stakeholders could include: a. Regulatory agencies (federal and state). b. Emergency responders. c. Law enforcement. d. Financial sector trade associations. e. Information-sharing entities (e.g., FS-ISAC).

Objective 8: Assess the appropriateness of the entity’s enterprise-wide BCP. (V, “Business Continuity Plan”)

  1. Verify that management implemented a comprehensive BCP that is reflective of the entity’s risk environment. The BCP should outline the following: a. Roles, responsibilities, and required skills for entity personnel and third-party service providers. b. Solutions to various types of foreseeable disruptions, including those emanating from cyber threats. c. Escalation thresholds. d. Immediate steps to protect personnel and customers and minimize damage. e. Prioritization and procedures to recover functions, services, and processes. f. Critical information protection (e.g., physical, electronic, hybrid, and use of off-site storage). g. Logistical arrangements (e.g., housing, transportation, or food) for personnel at the recovery locations. h. Network equipment, connectivity, and communication needs, including entity-owned and personal mobile devices. i. Personnel at alternate sites, including arrangements for those permanently located at the alternate facility. j. Scope and frequency of testing. k. Resumption of a normalized state for business processes.

  2. If management outsources the BCP’s development, verify that management maintains oversight and ownership of the BCP. a. Determine whether management verified the third-party service provider’s qualifications and expertise. b. Verify that entity management worked with the third-party service provider to design executable and viable strategies. c. Verify that the plan reflects the entity’s current products, business processes, and third-party service providers. d. Determine whether roles and responsibilities reflect the entity’s current organizational structure.

  3. Determine whether the BCP includes event management procedures that detail reasonably foreseeable event types, and whether those procedures include threshold metrics and response methods. a. Verify that procedures explain how to report an event to management and the situations that warrant notification. b. Determine whether management (either an individual or a team) has implemented procedures to communicate with both internal and external stakeholders. c. Verify that event management processes include event response procedures that are appropriate to the event.

  4. Assess management’s protocols for operations continuity and system recovery. Verify that procedures are clear, concise, accessible, and can be implemented in an emergency. Verify that the BCP includes procedures for the following: a. Manual steps for critical functions, as applicable. b. Alternate identity verification methods. c. Fraud identification and suspicious activity reporting. d. Other procedures as applicable. Examples may include: * Addressing customer service requests during downtime. * Tracking daily transactions. * Reconciling general ledger accounts. * Documenting operational tasks. * Posting entries after system recovery. * Maintaining backup records to provide customer account information (account numbers, customer names, addresses, account status, and account balances).

  5. Verify that the BCP lists alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. a. Verify that the BCP includes site relocation for short-, medium-, and long-term scenarios. b. Determine whether management considers scalability. c. Verify that recovery alternatives can accommodate the services and processing capabilities affecting critical operations, including: * Core processing. * Check processing and imaging. * Commercial cash management. * Mailing, faxing, and printing. * Customer identification. * Data center activities.

  6. Verify that the BCP includes procedures for coordination with first responders and local and state government agencies, when appropriate.

  7. Verify that the BCP includes procedures to establish an alternate physical location (or locations) where personnel and customers can go to conduct business, if appropriate.

  8. Determine whether the BCP addresses alternate arrangements in the event payment systems fail (e.g., ATMs, funds transfers, electronic banking, remote deposit capture, mobile capabilities). a. Determine whether the BCP addresses processes for retrieving and transmitting transactions when payment systems are disrupted (e.g., manual procedures for calling in or faxing wire or automated clearing house requests to correspondent banks; mitigating strategies for web-based systems; or third-party software used to perform transactions). b. Determine whether management verifies that redundant electronic payment systems and equipment (e.g., tokens and routers) are included at recovery sites for activation, and that documentation is maintained for timely posting of entries when systems are recovered. c. Determine whether instant issue cards are utilized and whether card company security procedures are implemented to limit potential fraud.

  9. Verify that the BCP addresses the entity’s cash management requirements. Procedures may include: a. Pre-established cash delivery arrangements. b. Plans for increases in branch traffic when ATMs are unavailable. c. Plans for the entity’s operational cash needs. d. Temporary purchase authority guidelines. e. Expense reimbursement options for personnel. f. Higher-limit credit cards or separate checking accounts, with designated individuals who can sign checks in emergency situations.

  10. Determine whether management established an incident response process. As part of incident management planning, determine whether management does the following: a. Aligns incident response procedures with other related processes (e.g., cybersecurity, network operations, and physical security). b. Considers incident response procedures during the development of the business continuity strategy. c. Leverages routine processes (e.g., vulnerability management and network monitoring) to anticipate potential incidents, including cyber incidents.

  11. Verify that management developed a coordinated disaster recovery strategy for data centers, networks, servers, storage, service monitoring, user support, and related software. Verify that procedures address the following: a. Security controls and protocols, including physical and logical. b. Procedures for restoring backlogged activity or lost transactions, identifying how transaction records will be brought current within expected recovery time frames. c. Instructions to access the repository of critical information when the primary facility is unavailable.

  13. 核实管理层是否从适用部门指定关键人员在危机或突发情况下采取行动。关键人员可包括: a. 起领导作用的高级管理人员; b. 负责安全和物理安保的设施管理人员; c. 负责人事和差旅的人力资源人员; d. 管理沟通的媒体关系人员; e. 负责资金支出、财务决策(包括意外费用)的财务和会计人员; f. 负责法律法规问题的法律和合规人员; g. 包括信息安全以及针对特定战术响应行动的的IT人员。

  14. Verify whether management designates key personnel from applicable departments to act during a crisis or emergency situation. Key personnel may include: a. Senior management for leadership. b. Facilities management for safety and physical security. c. Human resources for personnel issues and travel. d. Media relations for managing communications. e. Finance and accounting for funds disbursement and financial decisions, including unanticipated expenses. f. Legal and compliance for legal and regulatory concerns. g. IT, including information security, and operations for specific tactical responses.

  15. 确定管理层是否建立了危机或应急管理流程。核实BCP是否处理以下事项: a. 与监管机构、地方和州官员、执法部门以及第一响应者的协调; b. 不限于单个事件、设施或地理区域的中断; c. 通信和电子消息同时中断,包括实体和第三方服务提供商之间的; d. 危机或应急管理沟通协议,包括酌情指定发言人与新闻媒体进行沟通。

  16. Determine whether management established a crisis or emergency management process. Verify whether the BCP addresses the following: a. Coordination with regulatory agencies, local and state officials, law enforcement, and first responders. b. Disruptions not confined to a single event, facility, or geographic area. c. Simultaneous disruptions of telecommunications and electronic messaging, including between the entity and third-party service providers. d. Crisis or emergency management communication protocols, including the designation of a spokesperson(s) to communicate with the news media, as appropriate.

Objective 9: Determine whether the BCM program includes training and awareness to educate stakeholders about the entity’s continuity objectives and BCM goals. (VI, “Training”)

  1. Verify that the training program aligns with the entity’s BCM strategy. Determine whether management does the following:
     a. Inventories the current skillsets for BCM and identifies and addresses any training gaps.
     b. Establishes goals and objectives for supporting the BCM program as part of the entity’s performance management process.
     c. Implements a training program to educate stakeholders about the BCM goals and objectives. Elements may include:
        • Exercises.
        • Current risks.
        • Future risks.
        • Recent failures.
        • New programs/technologies.
        • Organizational changes.
        • Previous (exercise) lessons learned.

  2. Assess whether management tailors training to the target audience, based on the audience’s needs. The target audience could include:
     a. Board members.
     b. Senior management.
     c. Business process owners.
     d. Frontline personnel.
     e. Contract personnel, as applicable.

  3. Validate that management incorporates significant business continuity concepts, interdependencies, disruption impacts, and operations resilience into the training program.

  4. Verify that the BCM training program, including board training, is updated as significant changes occur.

Objective 10: Determine whether the exercise and testing program is sufficient to allow management to assess the entity’s ability to meet its continuity objectives. (VII, “Exercises and Tests”)

  1. Determine whether management implemented a comprehensive exercise and testing program, objectives, and plans to validate the entity’s ability to restore critical business functions.

  2. Verify that the program is appropriate for the entity’s risk profile. Assess whether the entity’s consolidated exercise and test schedule is reflective of exercise and test objectives and the overall exercise and test universe.

  3. Determine whether management covers all of the functions in the exercise and test universe according to its established timeframes (e.g., all processes are covered annually or every three years).

  4. Determine whether management has designated personnel with the authority to control the exercise or test and confirm that exercise and test milestones are met.

  5. Verify that business line management retains ownership for testing its specific business processes and coordinates with personnel involved in the enterprise-wide BCM process and support areas.

  6. Verify that exercises and tests occur at appropriate intervals, or when significant changes affect the entity’s operating environment.

  7. Verify that management developed a process that is sufficiently robust to confirm the effectiveness of the entity’s business continuity program. Therefore, the exercise program should incorporate the following:
     a. A policy that includes strategies and expectations for exercise and test planning.
     b. Roles and responsibilities for implementation.
     c. Sufficient personnel to perform the exercise or test, provide oversight, and document the results.
     d. Precautions to safeguard production data, such as performing a backup before performing a test in a test environment, or testing during non-peak hours.
     e. Provisions for emergency stops and concluding exercises and tests.
     f. Verification of continuity and resilience process assumptions and the ability to process a sufficient volume of work during adverse operating conditions.
     g. Activities commensurate with the importance of the business process.
     h. Entity’s processes commensurate with their significance to critical financial markets.
     i. Comparison of exercise and test results against the BCP to identify gaps between the exercise or test process and recovery guidelines, with revisions incorporated where appropriate.
     j. Independent review of the business continuity program and of exercises and tests (internal and external).

  8. Determine whether the exercise and test policy is appropriate and includes the following:
     a. Key roles and responsibilities.
     b. Minimum frequency, scope, and reporting.
     c. Documentation expectations.
     d. Processes for correcting deficiencies identified during exercises or tests.
     e. Communication and connectivity between the entity and third-party service providers.
     f. Participation with critical third-party service providers to confirm that entity personnel understand integration with all related recovery processes.

  9. Determine whether the exercise and test strategies allow management to demonstrate the entity’s ability to support connectivity, functionality, volume, and capacity using alternate facilities. Strategies may include the following:
     a. Expectations for individual business lines and use of exercise and testing methodologies and scenarios.
     b. Internal and external dependencies, including activities outsourced to domestic and foreign-based third-party service providers.
     c. Multi-year plan(s) to execute the specific depth and breadth of exercises and tests, which use different methodologies and scenarios over time.
     d. Expectations for testing internal and external recovery dependencies.
     e. Assumptions, methodologies, and exercises used to develop the test strategies.
     f. Transaction processing and functional testing to assess the recoverability of infrastructure, capacity, and data integrity.

  10. Verify that exercise and test objectives include resilience, system monitoring, and the recovery of business processes and critical system components.

  11. Verify that exercises and associated tests accomplish the following objectives:
     a. Build confidence that resilience and recovery strategies meet business requirements.
     b. Demonstrate that critical services can be recovered within agreed-upon recovery objectives (RTOs, RPOs, and MTDs) and customer SLAs.
     c. Establish that critical services can be restored in the event of an incident at the recovery location.
     d. Familiarize staff with recovery processes.
     e. Verify that personnel are adequately trained and knowledgeable of recovery plans and procedures.
     f. Confirm that exercise and test plans remain compatible with the BCP and the entity’s infrastructure.
     g. Identify any gaps between business continuity procedures and objectives.

  12. Determine whether management established exercise and test plans, commensurate with the nature, scale, and complexity of the recovery objectives, that address the objectives and expectations of the exercise or test and outline the scenario and any assumptions or constraints that may exist. Verify whether exercise and test plans include the following:
     a. Identification of roles and responsibilities for participants, support personnel, and observers.
     b. Metrics to assess whether objectives are met.
     c. A consolidated exercise and test schedule that encompasses all objectives.
     d. Specific descriptions of objectives and methods.
     e. Roles and responsibilities for all test participants, including support personnel.
     f. Identification of decision makers and succession plans.
     g. Exercise and test locations to be utilized.
     h. Escalation procedures and the ability to adjust for simulated scenarios.
     i. Contact information.

  13. Determine whether management developed reasonably foreseeable threat scenarios that simulate disruptions in business functions and the ability to meet both business requirements and customer expectations. Management should:
     a. Identify and document assumptions used in developing each scenario.
     b. Develop scenarios that include threats that could affect third-party service providers, including communication processes with applicable stakeholders.
     c. Develop exercises that demonstrate not only the ability to fail over to an alternate site but also validate recovery objectives.
     d. Create scenarios that include only the data and systems that would be available for recovery.

  14. Verify that exercise and test scripts document the procedures for executing the exercise or test, which may include:
     a. Applications, business processes, systems, or facilities reviewed.
     b. Sequential steps for employees or external parties to perform.
     c. Procedures to guide manual work-around processes.
     d. A detailed schedule for completion.
     e. Methods for participants to record results, quantifiable metrics, and any issues.

  15. Assess whether exercise and test methods are commensurate with the size and complexity of the entity and the criticality of the function to the entity. Verify that exercises and tests are designed to do the following:
     a. Validate personnel knowledge and skills, including backup responsibilities.
     b. Operate and perform duties (e.g., daily, quarterly, annually) from an alternate site.
     c. Process transactions and assess system functionality.
     d. Test the viability of both full and incremental backups.
     e. Test network connectivity and interdependencies, including those with critical third-party service providers.

  16. If management performs full-scale exercises, verify whether the exercise includes the following, where appropriate:
     a. Engaging personnel from all business units to participate and interact with internal and external management response teams.
     b. Validating that the crisis/emergency management process is operating as designed.
     c. Verifying personnel knowledge and skills.
     d. Validating management response and decision-making capability.
     e. Demonstrating coordination among participants and decision makers.
     f. Validating communication protocols.
     g. Conducting activities at alternate locations or facilities.
     h. Processing data using backup media or alternative methods.
     i. Completing actual transactional volumes or an illustrative subset.
     j. Performing recovery exercises over a sufficient length of time to allow issues to unfold as they would in a crisis.

  17. If management performs limited-scale exercises, verify whether the exercise includes the following, where appropriate:
     a. Implementing a plan appropriate to the scenario.
     b. Verifying personnel knowledge and skills.
     c. Validating management response and decision-making capability.
     d. Executing on-the-scene coordination and decision-making roles.
     e. Verifying whether participants can connect to alternate system(s).
     f. Conducting activities at alternate locations or facilities.
     g. Testing communication and remote access capability (e.g., switching to alternate equipment or telecommuting).

  18. If management performs tabletop exercises, determine whether targeted plans and procedures are reasonable, personnel understand their responsibilities, and different departmental or business unit plans are compatible with each other. (By themselves, tabletop exercises are likely insufficient to validate recovery capabilities because they are limited to a discussion-based analysis of policies and procedures.) Tabletop exercises may include the following:
     a. Engaging operational and support personnel who are responsible for implementing the BCP.
     b. Practicing and validating specific functional response capabilities.
     c. Demonstrating knowledge and skills, as well as team interaction and decision-making capabilities.
     d. Role playing with simulated responses, evaluating critical steps, recognizing difficulties, and resolving problems.
     e. Clarifying critical plan elements, as well as problems noted during exercises.
     f. Creating action plans to correct issues.

  19. Verify that management clearly defines the characteristics of a successful test, which may include the following:
     a. Validating RPOs, RTOs, and MTDs.
     b. Demonstrating recoverability at peak volumes.
     c. Confirming that systems can support critical business processes (e.g., transfer to alternate sites, increased workloads, manual workarounds, and communication).
     d. Integrating technologies that support critical business activities, including data replication, recovery, and off-site storage.
     e. Testing backup data to assess integrity and availability.
     f. Certifying facility controls (e.g., environmental, backup power, and physical security).
     g. Verifying workspace restoration (e.g., network connectivity and communications).
     h. Ensuring that personnel are familiar with and are able to execute their responsibilities.

  20. Determine whether the right to perform testing or participate in exercises and tests with third parties is described in the contract governing the entity’s relationship with the third-party service provider.

  21. Determine whether exercises and tests with third-party service providers are included in the entity’s enterprise exercise and test program based on the risk prioritization of the third-party service provider and the criticality of the services provided to the entity. Assess the following:
     a. The process to rank third-party service providers based on criticality, risk, and testing scope.
     b. Coordinated exercises and tests that reasonably validate the abilities of both the entity and the third-party service provider to recover, restore, resume, and maintain operations after disruptions consistent with business and contractual requirements.
     c. Evidence that exercises and tests of critical service providers include reasonably foreseeable significant disruptive events.
     d. Documentation of the scope, execution, and results of exercises and tests in which the entity is unable to directly participate.

  22. Determine whether the entity participates in its critical third-party service providers’ exercise and test program(s) at reasonable intervals. Assess the execution of the exercises and tests and whether they included the following:
     a. End-to-end and, when appropriate, full-scale exercises.
     b. Transaction processing and functional testing.
     c. Network connectivity and interdependencies, including those with critical fourth parties.
     d. Bidirectional operations between the entity’s and its third-party service provider’s primary and alternate locations and systems.
     e. Supply chain considerations.

  23. Determine whether testing scenarios with critical third-party service providers consider the following:
     a. An outage or disruption of the service provider.
     b. An outage or disruption at the entity.
     c. Incident response plans.
     d. Crisis management plans.
     e. Communication processes with third-party service providers and other stakeholders.
     f. Cyber events.
     g. Returning to normal operations.

  24. Determine whether the tests validate the core or significant firm’s backup arrangements to confirm the following:
     a. Backup sites are able to support typical payment and settlement volumes for an extended period.
     b. Backup sites are fully independent of the critical infrastructure components that support the primary sites.
     c. Trained employees are located at the backup sites at the time of disruption.
     d. Backup site employees are independent of the staff located at the primary site at the time of disruption.
     e. Backup site employees are able to recover clearing and settlement of open transactions within the time frames addressed in the BCM processes and applicable industry standards.

  25. Determine whether the exercise and test assumptions are appropriate for core and significant firms and consider the following:
     a. Primary data centers and operations facilities that are completely inoperable without notice.
     b. Whether personnel at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period.
     c. Whether other organizations are also affected, causing effects that have the potential to cascade from one organization across the entire financial services sector.
     d. Infrastructure (e.g., power, telecommunications, transportation) that is disrupted.
     e. Whether data recovery or reconstruction to restart payment and settlement functions can be completed within the time frames defined by the BCM process and applicable industry standards.
     f. Whether continuity arrangements continue to operate until all pending transactions are closed.

  26. Determine whether the core firm’s testing strategy includes plans to test the ability of significant firms that clear or settle transactions to recover critical clearing and settlement activities from geographically dispersed backup sites within a reasonable time frame.

  27. Determine whether the significant firm has an external exercise and test strategy that addresses key interdependencies, such as exercises and tests with third-party market providers and key customers, and determine the following:
     a. Whether external exercise and test strategies include the significant firm’s backup sites to the core firm’s backup sites.
     b. Whether the significant firm participates in industry tests (e.g., the U.S. Department of the Treasury’s Hamilton Series and FS-ISAC’s CAPS exercises) or cross-market tests sponsored by core firms, markets, or trade associations. Tests should incorporate verifying the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

  28. Determine whether the exercise and test program is sufficient to demonstrate the entity’s ability to meet its continuity objectives and whether the results demonstrate the readiness of personnel to achieve the entity’s recovery and resumption objectives. Determine whether management accomplishes the following:
     a. Coordinates the execution of its exercise and test program to fully exercise its business continuity planning process.
     b. Analyzes and compares results against stated objectives.
     c. Raises issues with appropriate personnel and assigns responsibility for resolution.
     d. Escalates issues that cannot be resolved in a timely manner to the appropriate level of management.
     e. Prioritizes and tracks issues through final resolution.
     f. Analyzes results and issues to determine whether problems can be traced to a common source.
     g. Documents recommendations for future exercises and tests.

  29. Verify that corrective actions have been implemented and that retesting occurs in a timely fashion to address deficiencies in meeting the entity’s objectives.

  30. Verify that test results are used to update the business continuity processes, enhance future testing, and evaluate whether risk mitigation strategies should be adjusted.

Objective 11: Determine whether management continuously measures the progress and assesses the effectiveness of BCM and uses the information to improve the BCM process. (VIII, “Maintenance and Improvement”)

  1. Determine whether management reviews and updates the business continuity program to reflect the current environment. Triggers that prompt maintenance and improvement of the BCM may include the following:
     a. Changes in enterprise strategies.
     b. New or reconfigured products, services, or infrastructure.
     c. Changes in products and services offered by third-party service providers.
     d. Deficiencies identified in third-party service provider BCM processes.
     e. New legislation, regulatory requirements, or resilience practices.
     f. Results of operational metric analysis (e.g., key risk indicators, key performance indicators).
     g. Early warning indicators that may identify potential continuity events, crises, or incidents (e.g., frequency and severity of storms, heightened cyber attack activity, or increases in customer service calls).
     h. Variances between budgeted and actual BCM expenses.
     i. Results from exercises and tests and lessons learned.
     j. Changes in the threat landscape (e.g., new capabilities, intent of threat actors).
     k. Recommendations (e.g., from audits, vulnerability assessments, and penetration tests, including those involving the use of advanced cybersecurity analysis and assessments).

  2. Determine whether management has documented, analyzed, and reviewed lessons learned from adverse events. Documented procedures for incorporating lessons learned may include:
     a. Identifying the failure(s).
     b. Determining the cause(s).
     c. Evaluating potential solutions.
     d. Implementing corrective actions as appropriate.
     e. Recording and reviewing corrective actions taken.

  3. Verify that management documents, tracks, and resolves any changes when updating the BCP and the exercise and testing program(s). Furthermore, verify that management maintains appropriate version control of key BCM documents.

  4. Determine whether management maintains backup copies of relevant BCM documentation in the event that the primary repository becomes inaccessible.

Objective 12: Determine whether the board has established expectations for BCM reporting. (IX, “Board Reporting”)

  1. Review board minutes to determine whether management periodically reports to the board on the status of BCM.
     a. Determine whether reports include a written BCM presentation, including the BIA, risk assessment, BCP, exercise and test results, and identified issues.
     b. Determine whether management provides the board with regular strategy updates based on changes in personnel, roles and responsibilities, and business operations.
     c. Verify that management documents the reasons (e.g., cost and service level) for choosing recovery alternatives and why they are appropriate based on the entity’s risk profile and complexity.
     d. Assess whether the board provides a credible challenge to management, when appropriate.

Objective 13: Discuss corrective action and communicate findings.

  1. Review preliminary conclusions with the examiner-in-charge regarding the following:
     a. Apparent violations of laws and regulations.
     b. Significant issues warranting inclusion in the report of examination.
     c. Proposed Uniform Rating System for IT (URSIT) management component rating and the potential impact of the examiner’s conclusions on composite or other URSIT component ratings.
     d. Potential impact of the examiner’s conclusions on the entity’s risk assessment(s).

  2. Discuss findings with management and obtain proposed corrective action for significant deficiencies.

  3. Document conclusions in a memorandum to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination and clarifying guidance to future examiners.

  4. Organize work papers to show clear support for significant findings by examination objective.

附录B:术语表Glossary

本术语表的目的是定义FFIEC IT系列检查手册中使用的技术术语,这些术语是在FFIEC成员拥在监督权的实体的监督活动中使用的。FFIEC成员努力使术语表中的术语与适当的权威标准保持一致,包括作为网络安全定义主要来源的的NIST计算机安全资源中心词汇表(NIST术语表)。FFIEC成员采用以下流程来选择、修改或开发定义。 The purpose of the glossary is to define technical terms used in the FFIEC IT Examination Handbook booklets in the context of supervisory activities for the entities over which FFIEC members have supervisory authority. The FFIEC members strive to align terminology in the glossary with appropriate authoritative standards, including the NIST Computer Security Resource Center Glossary (NIST Glossary) as the primary source for cyber-related definitions, as appropriate. FFIEC members employed the following process to select, modify, or develop definitions.

当存在NIST定义时: 如果NIST有一个已定义的术语,并且没有必要对该定义进行修改,则FFIEC成员将NIST定义纳入本术语表。当同一术语有多个NIST定义可用时,FFIEC成员选择一个术语用于监管目的。 如果NIST有一个已定义的术语,但出于监管目的该定义需要进行进一步明确,以帮助识别安全性、稳健性、以及IT相关的企业风险,则FFIEC成员同时收录NIST定义和FFIEC改编的定义。这种性质的定义在本术语表的来源一栏中标记为“FFIEC为监督目的改编”。 When a NIST definition existed: If NIST had a defined term and modifications to the definition were unnecessary, the FFIEC members included the NIST definition in this glossary. When multiple NIST definitions were available for the same term, the FFIEC members selected a definition for supervisory purposes. If NIST had a defined term, but the definition needed additional clarity for supervisory purposes to assist with the identification of safety and soundness and enterprise risks related to IT, the FFIEC members included both the NIST definition and the FFIEC-adapted definition. Definitions of this nature are labeled “FFIEC Adapted for Supervisory Purposes” in this glossary’s source column.

当不存在NIST定义或该定义不适合监管目的时: 如果NIST没有已定义的术语,但是有合适的权威第三方来源(如国际标准化组织(ISO)术语表等),则FFIEC成员收录该权威定义。 如果NIST没有已定义的术语,也没有合适的权威第三方来源,则FFIEC成员会为监管目的开发一个定义。这种性质的定义在本词汇表的来源一栏中标记为“FFIEC为监控目的开发”。 When a NIST definition did not exist or the definition was not appropriate for supervisory purposes: If NIST did not have a defined term, but there was an appropriate authoritative third-party source (e.g., the International Organization for Standardization (ISO) Glossary), the FFIEC members included that authoritative definition. If NIST did not have a defined term and there was not an appropriate authoritative third-party source, the FFIEC members developed a definition for supervisory purposes. Definitions of this nature are labeled “FFIEC Developed for Supervisory Purposes” in this glossary’s source column.

Note: Due to the constantly evolving nature of IT and its associated risks, the FFIEC members may update definitions to maintain alignment with other government agencies and the financial services industry.

Each entry below gives the term, its definition(s), and the source of each definition.

A

Application programming interface (API)
  A system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality. (Source: NIST Glossary)
  Software code that allows two or more programs to communicate with each other. (Source: FFIEC Adapted for Supervisory Purposes)

Asynchronous replication
  Data is first written to the primary storage area (store) and then copied to the secondary storage area (forward) at predefined intervals, which is useful over smaller bandwidth connections and longer distances where latency could occur. (Source: FFIEC Developed for Supervisory Purposes)

B

Business continuity
  The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruption. (Source: ISO 22300:2018)

Business continuity management (BCM)
  The process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services. (Source: FFIEC Developed for Supervisory Purposes)

Business continuity plan (BCP)
  The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption. (Source: NIST Glossary)
  A comprehensive written plan(s) to maintain or resume business in the event of a disruption. (Source: FFIEC Adapted for Supervisory Purposes)

Business impact analysis (BIA)
  An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. (Source: NIST Glossary)
  Management’s analysis of an entity’s requirements, functions, and interdependencies used to characterize contingency needs and priorities in the event of a disruption. (Source: FFIEC Adapted for Supervisory Purposes)

C

Cold site
  A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site. (Source: NIST Glossary)

Contingency plan
  A plan that is maintained for disaster response, backup operations, and post-disaster recovery to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation. (Source: NIST Glossary)

Crisis
  Abnormal and unstable situation that threatens the organization’s strategic objectives, reputation or viability. (Source: Business Continuity Institute / Disaster Recovery Journal Glossary)

Crisis management
  The process of managing an entity’s preparedness, mitigation response, continuity, or recovery in the event of an unexpected significant disruption, incident, or emergency. (Source: FFIEC Developed for Supervisory Purposes)

Critical financial markets
  Financial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of critical financial markets include federal funds, foreign exchange, and commercial paper; U.S. government and agency securities; and corporate debt and equity securities. (Source: FFIEC Developed for Supervisory Purposes)

D

Data
  A representation of information as stored or transmitted. (Source: NIST Glossary)
  A physical or digital representation of information processed, stored (at rest), or transmitted (in transit). (Source: FFIEC Adapted for Supervisory Purposes)

Data center
  A facility that houses virtual and/or physical information technology infrastructure(s) (e.g., computer, server, and networking systems and components) designed to store, process, and serve large amounts of data in support of an entity’s strategic and business objectives. A data center may be a dedicated facility or an area or room that contains computer, server, and networking systems and components, and may be private or shared (e.g., a co-location facility). (Source: FFIEC Developed for Supervisory Purposes)

Data mirroring
  The act of copying data from a database at a primary location to a database at a secondary location in or near real time. (Source: FFIEC Developed for Supervisory Purposes)

Data replication
  The process of copying data, usually with the objective of maintaining identical sets of data in separate locations. (Source: FFIEC Developed for Supervisory Purposes)

Data synchronization
  The simultaneous comparison and reconciliation of interdependent data files, to ensure that the files contain the same information. (Source: FFIEC Developed for Supervisory Purposes)

Database
  A repository of information or data, which may or may not be a traditional relational database system. (Source: NIST Glossary)
  A repository of information or data organized to be accessed, managed, and updated. (Source: FFIEC Adapted for Supervisory Purposes)

Disaster
  Situation where widespread human, material, economic, or environmental losses have occurred, which exceeded the ability of the affected organization, community, or society to respond and recover using its own resources. (Source: ISO 22300:2018)

Disaster recovery
  The process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure, systems, and applications, which are vital to an organization after a disaster or outage. Disaster recovery focuses on the information or technology systems that support business functions, as opposed to business continuity, which involves planning for keeping all aspects of a business functioning in the midst of disruptive events. Disaster recovery is a subset of business continuity. (Source: Business Continuity Institute / Disaster Recovery Journal Glossary)

Disruption
  An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction). (Source: NIST Glossary)
  An anticipated or unplanned event that causes operations to degrade or fail for an unacceptable length of time. (Source: FFIEC Adapted for Supervisory Purposes)

E

Emergency management
  See crisis management.

Emergency response
  Actions taken in response to a disaster warning or alert to minimize or contain the eventual negative effects, and those taken to save and preserve lives and provide basic services in the immediate aftermath of a disaster impact, for as long as an emergency situation prevails. (Source: Business Continuity Institute / Disaster Recovery Journal Glossary)

Event
  Occurrence or change of a particular set of circumstances. (Source: NIST Glossary)
  An occurrence or change in circumstances that may affect operations. An event can be physical, cyber, or a combination of both. (Source: FFIEC Developed for Supervisory Purposes)

Exercise
  A simulation of an emergency designed to validate the viability of one or more aspects of an IT plan. (Source: NIST Glossary)
  A task or activity done to practice or test a procedure. There are many different types of exercises, depending on the intended goals and objectives. An exercise may involve performing duties in a simulated environment and can be discussion-based or simulation-based. (Source: FFIEC Adapted for Supervisory Purposes)

F

Failover
  The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system. (Source: NIST Glossary)

Full-scale exercise
  A simulation involving a full use of available resources (e.g., hardware, software, personnel, communications, utilities, and processing from an alternate site) at the same time. (Source: FFIEC Developed for Supervisory Purposes)

Functionality testing
  Testing that verifies that an implementation of some function operates correctly. (Source: NIST Glossary)

H

High availability
  A failover feature to ensure availability during device or component interruptions. (Source: NIST Glossary)
  Ability of a system to be continuously operational for a desirably long length of time and to maintain a minimum amount of downtime during device or component interruptions. Availability can be measured relative to “100% uptime” or “never failing.” (Source: FFIEC Adapted for Supervisory Purposes)

Hot site
  A fully operational off-site data processing facility equipped with hardware and software, to be used in the event of an information system disruption. (Source: NIST Glossary)

I

Incident
  An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (Source: NIST Glossary)

Incident management
  The process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible. (Source: FFIEC Developed for Supervisory Purposes)

Incident response
  The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status. (Source: Business Continuity Institute / Disaster Recovery Journal Glossary)

Infrastructure
  System of facilities, equipment, and services needed for the operation of an organization. (Source: ISO 22300:2018)

Integrated exercise
  A simulation to test the effectiveness of the continuity plans for a business line or major function that incorporates more than one component or module, including external dependencies. (Source: FFIEC Developed for Supervisory Purposes)

Interdependencies
  When two or more departments, processes, functions, or third-party providers interact to successfully complete a task, business function, or process. (Source: FFIEC Developed for Supervisory Purposes)

L

Last mile
  Communications technology that bridges the transmission distance between the telecommunication service provider and the entity. (Source: FFIEC Developed for Supervisory Purposes)

Latency
  Time delay in processing voice packets. (Source: NIST Glossary)
  Time delay in processing voice and data packets. (Source: FFIEC Adapted for Supervisory Purposes)

Limited-scale exercise
  A simulation involving applicable resources (personnel and systems) to recover targeted business processes. (Source: FFIEC Developed for Supervisory Purposes)

M

Maximum tolerable downtime (MTD)
  The amount of time mission/business process can be disrupted without causing significant harm to the organization’s mission. (Source: NIST Glossary)
  The total amount of time the system owner or authorizing official is willing to accept for a business process disruption, including all impact considerations. (Source: FFIEC Adapted for Supervisory Purposes)

N

Network backbone
  The main communication channel of a network that interconnects one or more network segments and provides a path for the exchange of data between devices. A backbone can span any geographic area. (Source: FFIEC Developed for Supervisory Purposes)

O

Operational resilience
  The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission-related functions. (Source: NIST Glossary)
  The ability of an entity’s personnel, systems, telecommunications networks, activities, or processes to resist, absorb, and recover from or adapt to an incident that may cause harm, destruction, or loss of ability to perform mission-related functions. (Source: FFIEC Adapted for Supervisory Purposes)

Outage
  The interruption of systems, infrastructure, support services, or essential business functions, which may result in the entity’s inability to provide services for some period of time. The amount of time lost from an outage may result in downtime. Conversely, downtime may cause an outage. (Source: FFIEC Developed for Supervisory Purposes)

Outsourcing
  The practice of contracting through a formal agreement with a third-party(ies) to perform services, functions, or support that might otherwise be conducted in-house. (Source: FFIEC Developed for Supervisory Purposes)

R

Reciprocal agreement
  An agreement that allows two organizations to back up each other. (Source: NIST Glossary)
  An agreement that allows two entities (or two internal business groups) with compatible systems and functionality to recover at the other’s location. (Source: FFIEC Adapted for Supervisory Purposes)

Recovery point objective (RPO)
  The point in time to which data must be recovered after an outage. (Source: NIST Glossary)
  The point in time to which data used by an activity is restored to enable the resumption of business functions. The RPO is expressed backward in time from the point of disruption and can be specified in increments of time (e.g., minutes, hours, or days). (Source: FFIEC Adapted for Supervisory Purposes)

Recovery time objective (RTO)
  The overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes. (Source: NIST Glossary)

Remote access
  Access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). (Source: NIST Glossary)

Resilience
  The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. (Source: NIST Glossary)

S

Scenario
  A sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives. (Source: NIST Glossary)

Service level agreement
  Defines the specific responsibilities of the service provider and sets the customer expectations. (Source: NIST Glossary)
  A formal agreement between two parties that records a common understanding about products or services to be delivered, priorities, responsibilities, guarantees, and warranties between the parties. In addition, the agreement describes the nature, quality, security, availability, scope, and timeliness of delivery and response of the parties, the point(s) of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved, and may include other measurable objectives. The agreement should cover not only expected day-to-day situations, but also unexpected or adverse events, as the need for the service may vary. (Source: FFIEC Adapted for Supervisory Purposes)

Supply chain risk management
  The implementation of processes, tools, or techniques to minimize the adverse impact of attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle. (Source: NIST Glossary)
  The implementation of processes, tools, or techniques to minimize the adverse impact of attacks that allow the adversary to exploit vulnerabilities inserted prior to installation. This is done in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal). (Source: FFIEC Adapted for Supervisory Purposes)

Synchronous replication
  Data is written to both primary and secondary storage areas at the same time to ensure that multiple copies of the data are current and identical. This method is used for critical business functions where latency is unacceptable, and little or no data loss can be tolerated. (Source: FFIEC Developed for Supervisory Purposes)

T

Tabletop exercise
  A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario. (Source: NIST Glossary)
  A discussion-based exercise where personnel meet in a classroom setting or in breakout groups to validate a component(s) of the business continuity plan(s) by discussing their roles and responsibilities. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario. (Source: FFIEC Adapted for Supervisory Purposes)

Test
  An evaluation tool that uses quantifiable metrics to validate the operability of a system or system component in an operational environment specified in an IT plan. (Source: NIST Glossary)
  A type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment. (Source: FFIEC Adapted for Supervisory Purposes)

Threat intelligence
  Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes. (Source: NIST Glossary)

Trigger
  An event that causes the system to initiate a response. Note: Also known as a triggering event. (Source: NIST Glossary)
  An event that prompts a response from management or an automated system. Also known as a triggering event. (Source: FFIEC Adapted for Supervisory Purposes)

W

Warm site
  An environmentally conditioned work space that is partially equipped with information systems and telecommunications equipment to support relocated operations in the event of a significant disruption. (Source: NIST Glossary)

Appendix C: Abbreviations

ATM: automated teller machine
BCM: business continuity management
BCP: business continuity plan
BIA: business impact analysis
CA Letter: Consumer Affairs Letter
CAPS: Cyber-Attack Against Payment Systems
CDC: Centers for Disease Control and Prevention
CFPB: Consumer Financial Protection Bureau
CFR: Code of Federal Regulations
COSO: Committee of Sponsoring Organizations of the Treadway Commission
DDoS: distributed denial of service
DHS: U.S. Department of Homeland Security
DRaaS: disaster recovery as a service
ERM: enterprise risk management
FBIIC: Financial and Banking Information Infrastructure Committee
FDIC: Federal Deposit Insurance Corporation
FFIEC: Federal Financial Institutions Examination Council
FIL: Financial Institution Letter
FRB: Board of Governors of the Federal Reserve System
FS-ISAC: Financial Services Information Sharing and Analysis Center
FSARC: Financial Systemic Analysis & Resilience Center
FSSCC: Financial Services Sector Coordinating Council
GETS: Government Emergency Telecommunications Service
IIA: Institute of Internal Auditors
ISO: International Organization for Standards
IT: information technology
IT Handbook: FFIEC Information Technology Examination Handbook
MTD: maximum tolerable downtime
NCUA: National Credit Union Administration
NIST: National Institute of Standards and Technology
OCC: Office of the Comptroller of the Currency
ODNI: Office of the Director of National Intelligence
RPO: recovery point objective
RTO: recovery time objective
SLA: service-level agreement
SLC: State Liaison Committee
SOC: systems and organization control
SR Letter: Supervision and Regulation Letter
SSAE: Statement on Standards for Attestation Engagement
TSP: Telecommunications Service Priority
URSIT: Uniform Rating System for Information Technology
USC: United States Code
WPS: Wireless Priority Service Program

Appendix D: References

Laws (resource title, type, and date)
12 U.S.C. 95(b) / 1463(a) / 3102(b), “Comptroller Authority to Declare a Legal Holiday” [Law]
12 U.S.C. 1464, “Home Owners’ Loan Act” [Law]
12 U.S.C. 1831r-1, “Notice of Branch Closure” [Law]
12 U.S.C. 1861–1867, “Bank Service Company Act” [Law]
12 U.S.C. 1882, “Bank Protection Act” [Law]
12 U.S.C. 3352, “Emergency Exceptions for Disaster Areas” [Law]
15 U.S.C. 6801 and 6805(b), “Gramm–Leach–Bliley Act” [Law]
18 U.S.C. 1030, “Fraud and Related Activity in Connection With Computers” [Law]

Consumer Financial Protection Bureau (resource title, type, and date)
CFPB Statement on Supervisory Practices Regarding Financial Institutions and Consumers Affected by a Major Disaster or Emergency (September 2018) [Guidance; September 2018]
CFPB Compliance Bulletin and Policy Guidance; 2016-02, Service Providers (October 2016) [Guidance; October 2016]

Federal Reserve (resource title, type, and date)
12 CFR 208, Appendix D-1, “Interagency Guidelines Establishing Standards for Safety and Soundness” [Regulation]
12 CFR 208, Appendix D-2, “Interagency Guidelines Establishing Information Security Standards (State Member Banks)” [Regulation]
12 CFR 225, Appendix F, “Interagency Guidelines Establishing Information Security Standards” [Regulation]
SR Letter 20-3 / CA 20-2, “Interagency Statement on Pandemic Planning” (March 10, 2020) [Guidance; March 10, 2020]
SR Letter 16-11, “Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion” (June 2016) [Guidance; June 2016]
SR Letter 15-10 / CA Letter 15-8, “Expansion of the Federal Reserve’s Emergency Communications System” (October 2015) [Guidance; October 2015]
SR Letter 15-9, “FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors” (July 2, 2015) [Guidance; July 2, 2015]
SR Letter 13-19 / CA Letter 13-21, “Guidance on Managing Outsourcing Risk” (April 2013) [Guidance; December 2013]
SR Letter 13-16, “End of Microsoft Support for Windows XP Operating System” (October 2013) [Guidance; October 2013]
SR Letter 13-6 / CA Letter 13-3, “Supervisory Practices Regarding Banking Organizations and Their Borrowers and Other Customers Affected by a Major Disaster or Emergency” (March 2013) [Guidance; March 2013]
SR Letter 12-14, “Revised Guidance on Supervision of Technology Service Providers” (October 2012) [Guidance; October 2012]
SR Letter 10-13, “Interagency Supervisory Guidance for Institutions Affected by the Deepwater Horizon Oil Spill” (October 2010) [Guidance; October 2010]
SR Letter 06-3, “Interagency Supervisory Guidance for Institutions Affected by Hurricane Katrina” (February 3, 2006) [Guidance; February 3, 2006]
SR Letter 05-24, “Interagency Questions and Answers for Financial Institutions in Response to Hurricanes Katrina and Rita” (December 2, 2005) [Guidance; December 2, 2005]
SR Letter 05-17, “Katrina Related Marketing Practices Invoking the Name of the Federal Reserve” (September 22, 2005) [Guidance; September 22, 2005]
SR Letter 05-16, “Supervisory Practices Regarding Banking Organizations and Consumers Affected by Hurricane Katrina” (September 15, 2005) [Guidance; September 15, 2005]
SR Letter 03-9, “Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System” (May 28, 2003) [Guidance; May 28, 2003]

Federal Deposit Insurance Corporation (resource title, type, and date)
12 CFR 304.3(d), “Notification of Performance of Bank Services, Form FDIC 6120/06” [Regulation]
12 CFR 364, Appendix A, “Interagency Guidelines Establishing Standards for Safety and Soundness” [Regulation]
12 CFR 364, Appendix B, “Interagency Guidelines Establishing Information Security Standards” [Regulation]
12 CFR 364, Supplement A to Appendix B, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” [Regulation]
FIL-25-2020, “Identification of Essential Critical Infrastructure Workers During the COVID-19 Response Efforts” (March 26, 2020) [Guidance; March 26, 2020]
FIL-14-2020, “Interagency Statement on Pandemic Planning” (March 6, 2020) [Guidance; March 6, 2020]
FIL-19-2019, “Technology Service Provider Contracts” (April 2, 2019) [Guidance; April 2, 2019]
FIL-63-2018, “Cybersecurity Preparedness Resource” (October 19, 2018) [Guidance; October 19, 2018]
FIL-62-2017, “Major Disaster Examiner Guidance” (December 15, 2017) [Guidance; December 15, 2017]
FIL-68-2016, “FFIEC Cybersecurity Assessment Tool: Frequently Asked Questions” (October 18, 2016) [Guidance; October 18, 2016]
FIL-43-2016, “Information Technology Risk Examination (InTREx) Program” (June 30, 2016) [Guidance; June 30, 2016]
FIL-37-2016, “FFIEC Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks” (June 7, 2016) [Guidance; June 7, 2016]
FIL-55-2015, “Cybersecurity Awareness Resources” (November 23, 2015) [Guidance; November 23, 2015]
FIL-28-2015, “Cybersecurity Assessment Tool” (July 2, 2015) [Guidance; July 2, 2015]
FIL-13-2015, “FFIEC Joint Statements on Destructive Malware and Compromised Credentials” (March 30, 2015) [Guidance; March 30, 2015]
FIL-13-2014, “Technology Outsourcing: Informational Tools for Community Bankers” (April 7, 2014) [Guidance; April 7, 2014]
FIL-11-2014, “Distributed Denial of Service (DDoS) Attacks” (April 2, 2014) [Guidance; April 2, 2014]
FIL-44-2008, “Third-Party Risk: Guidance for Managing Third-Party Risk” (June 6, 2008) [Guidance; June 6, 2008]
FIL-6-2008, “Interagency Statement on Pandemic Planning: Guidance for Minimizing a Pandemic’s Potential Adverse Effects” (February 6, 2008) [Guidance; February 6, 2008]
FIL-49-2006, “Lessons Learned from Hurricane Katrina: Preparing Your Institution for a Catastrophic Event” (June 15, 2006) [Guidance; June 15, 2006]
FIL-27-2005, “Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” (April 1, 2005) [Guidance; April 1, 2005]
FIL-84-2002, “Financial and Banking Information Infrastructure Committee’s Interim Policy on the Sponsorship of Private Sector Financial Institutions in the GETS Card Program” (August 6, 2002) [Guidance; August 6, 2002]
FIL-50-2001, “Bank Technology Bulletin on Outsourcing” (June 4, 2001) [Guidance; June 4, 2001]

National Credit Union Administration (resource title, type, and date)
12 CFR 748, “Security Program, Report of Suspected Crimes, Suspicious Transactions, Catastrophic Acts and Bank Secrecy Act Compliance” [Regulation]
12 CFR 748, Appendix A, “Guidelines for Safeguarding Member Information” [Regulation]
12 CFR 749, “Records Preservation Program and Appendices - Record Retention Guidelines; Catastrophic Act Preparedness Guidelines” [Regulation]
12 CFR 749, Appendix A, “Record Preservation Program and Record Retention” [Regulation]
12 CFR 749, Appendix B, “Catastrophic Act Preparedness Guidelines” [Regulation]
NCUA Letter to Credit Unions 20-CU-03, “Identification of Essential Critical Infrastructure Workers” (March 2020) [Guidance; March 2020]
NCUA Letter to Credit Unions 20-CU-02, “NCUA Actions Related to COVID-19” (March 2020) [Guidance; March 2020]
NCUA Letter to Credit Unions 10-CU-10, “2010 Hurricane Season and Ongoing Disaster, Emergency, and Pandemic Preparedness and Planning” (June 2010) [Guidance; June 2010]
NCUA Letter to Credit Unions 09-CU-13, “Hurricane Preparedness and Pandemic Planning” (June 2009) [Guidance; June 2009]
NCUA Letter to Credit Unions 08-CU-01, “Guidance on Pandemic” (January 2008) [Guidance; January 2008]
NCUA Letter to Credit Unions 07-CU-13, “Evaluating Third-Party Relationships” (December 2007) [Guidance; December 2007]
NCUA Letter to Credit Unions 06-CU-11, “Interagency Guidance Lessons Learned By Institutions Affected By Hurricane Katrina” (June 2006) [Guidance; June 2006]
NCUA Risk Alert 06-Risk-01, “Disaster Planning and Response” (April 2006) [Guidance; April 2006]
NCUA Letter to Credit Unions 06-CU-06, “Influenza Pandemic Preparedness” (March 2006) [Guidance; March 2006]
NCUA Letter to Credit Unions 02-CU-17, “e-Commerce Guide for Credit Unions” (December 2002) [Guidance; December 2002]
NCUA Letter to Credit Unions 01-CU-21, “Disaster Recovery and Business Resumption Contingency Plans” (December 2001) [Guidance; December 2001]
NCUA Letter to Credit Unions 01-CU-20, “Due Diligence Over Third-Party Service Providers” (November 2001) [Guidance; November 2001]

Office of the Comptroller of the Currency
Resource Title | Type | Date
12 CFR 5.30, “Establishment, Acquisition, and Relocation of a Branch of a National Bank” | Regulation
12 CFR 5.31, “Establishment, Acquisition, and Relocation of a Branch and Establishment of an Agency Office of a Federal Savings Association” | Regulation
12 CFR 30, Appendix A, “Interagency Guidelines Establishing Standards for Safety and Soundness” | Regulation
12 CFR 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards” | Regulation
12 CFR 30, Appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches” | Regulation
12 CFR 30, Appendix E, “OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches” | Regulation
OCC Bulletin 2020-23, “Essential Critical Infrastructure Workers in the Financial Services Sector” | Guidance | March 25, 2020
OCC Bulletin 2020-13, “Pandemic Planning: Updated FFIEC Guidance” | Guidance | March 6, 2020
OCC Bulletin 2019-13, “Recovery Planning” | Guidance | 2019
OCC Bulletin 2019-8, “Loans in Areas Having Special Flood Hazards – Private Flood Insurance: Final Rule” | Guidance | 2019
OCC Bulletin 2018-47, “Recovery Planning Guideline: Final Revised Guidelines” | Guidance | 2018
OCC Bulletin 2018-14, “Installment Lending: Core Lending Principles for Short-Term, Small-Dollar Installment Lending” | Guidance | 2018
OCC Bulletin 2018-8, “Cyber Insurance: FFIEC Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs” | Guidance | 2018
OCC Bulletin 2017-61, “Major Disasters: Interagency Examiner Guidance for Institutions Affected by Major Disasters” | Guidance | 2017
OCC Bulletin 2017-54, “Branches and Relocations: Revised Comptroller’s Licensing Manual Booklet” | Guidance | 2017
OCC Bulletin 2017-35, “Flood Disaster Protection Act: Revised Comptroller’s Handbook Booklet” | Guidance | 2017
OCC Bulletin 2017-24, “Branch Closings: Revised Comptroller’s Licensing Manual Booklet” | Guidance | 2017
OCC Bulletin 2017-21, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” | Guidance | 2017
OCC Bulletin 2017-7, “Third-Party Relationships: Supplemental Examination Procedures” | Guidance | 2017
OCC Bulletin 2016-34, “Cybersecurity: Frequently Asked Questions on the FFIEC Cybersecurity Assessment Tool” | Guidance | 2016
OCC Bulletin 2016-30, “Enforceable Guidelines for Recovery Planning: Final Guidelines” | Guidance | 2016
OCC Bulletin 2015-31, “Cybersecurity: FFIEC Cybersecurity Assessment Tool” | Guidance | 2015
OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” | Guidance | 2013
OCC Bulletin 2012-28, “Supervisory Guidance on Natural Disasters and Other Emergency Conditions” | Guidance | 2012
OCC Bulletin 2006-26, “Disaster Planning: Hurricane Katrina – Lessons Learned” | Guidance | 2006
OCC Bulletin 2006-12, “Influenza Pandemic Preparedness: Interagency Advisory” | Guidance | 2006
OCC Bulletin 2006-6, “Community Reinvestment Act: Hurricanes Katrina and Rita” | Guidance | 2006
OCC Bulletin 2003-14, “Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System” | Guidance | 2003
OCC Bulletin 2003-13, “Telecommunications Service Priority (TSP) Program: Policy on Sponsorship of TSP for Private Sector Entities” | Guidance | 2003
OCC Bulletin 2002-33, “Government Emergency Telecommunications Service (GETS): FBIIC Policy on Sponsorship of GETS Cards for Private Sector Entities” | Guidance | 2002
OCC Bulletin 2002-16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance” | Guidance | 2002
OCC Bulletin 1998-3, “Technology Risk Management: Guidance for Bankers and Examiners” | Guidance | 1998

Other References
Resource Title | Type | Date
U.S. Department of Health & Human Services, Centers for Disease Control and Prevention, Pandemic Influenza (January 2019) | | January 2019
Communications, Security, Reliability, and Interoperability Council, Infrastructure Sharing During Emergencies (December 2014) | | December 2014
National Infrastructure Protection Plan, NIPP 2013: Partnering for Critical Infrastructure and Resilience (November 2013) | | November 2013
NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems (May 2010) | | May 2010
BITS Financial Services Roundtable, BITS Framework for Managing Technology Risk for Service Provider Relationships (May 2008) | | May 2008
Basel Committee on Banking Supervision, The Joint Forum: High-level Principles for Business Continuity (August 2006) | | August 2006
U.S. Department of Homeland Security, Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources (September 2006) | | September 2006
Department of Health and Human Services, Centers for Disease Control and Prevention, Business Pandemic Influenza Planning Checklist (December 2005) | | December 2005
Homeland Security Council, National Strategy for Pandemic Influenza (November 2005) | | November 2005
Federal Reserve Bank of New York, Best Practices to Assure Telecommunications Continuity for Financial Institutions and the Payment and Settlement Utilities: Report by the Assuring Telecommunications Continuity Task Force (September 2004) | | September 2004
The President’s National Security Telecommunications Advisory Committee, Financial Services Task Report (April 2004) | | April 2004


Originally published on the WeChat official account “业务连续性+” (Business Continuity+).