Technology and Business Continuity and Disaster Recovery

A set of policies and procedures should be in place for systematically managing an organization’s sensitive data. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery. An information technology disaster recovery plan should be developed in conjunction with the business continuity plan. Having a comprehensive business continuity management system is imperative to developing cyber resilience.

Introduction

Servicers must ensure the appropriate measures are implemented to protect the security, integrity, and confidentiality of information. Protocols and procedures must comply with all applicable laws and regulations, including laws protecting borrower privacy. The servicer should adopt industry standard practices including, but not limited to, instituting appropriate disaster recovery and back-up procedures, using encryption for data in transit, virus checking and prevention programs, and procedures to prevent disclosure of data and other materials to unintended third parties. Acceptable methods should be employed for business continuity and disaster recovery planning, using a risk-based analysis to prepare for and maintain the continuity of business activities.

Business Continuity and Disaster Recovery

CSF: 6.5.1.1 Business Continuity

Business continuity plans allow for core operations to continue to function with no or minimal impact in the event of a disruption to normal business activities. Planning should account for key business functions and include regular testing performed to proactively mitigate the risk associated with the various types of disruptions that may range in severity.

Technology and Business Continuity and Disaster Recovery: Business Continuity and Disaster Recovery: Business Continuity

Evidence

Policies, Procedures, and Documents describing the process for:

  • Evidence of business continuity requirements
  • Description of the process for updating and testing the business continuity plans
  • Documentation of the most recent tests of the plan including date and lessons learned
  • Cyber security incident response strategy

CSF: 6.5.1.2 Disaster Recovery

Disaster recovery plans should be developed in conjunction with a Business Continuity plan to ensure critical business operations can be maintained or quickly resume following a disaster.

Technology and Business Continuity and Disaster Recovery: Business Continuity and Disaster Recovery: Disaster Recovery

Evidence

Policies, Procedures, and Documents describing the process for:

  • Evidence of disaster recovery requirements
  • Description of the process for updating and testing the disaster recovery plans
  • Documentation of the most recent tests of the plan including date and lessons learned

CSF: 6.5.2.1 Information Security

Information security is the protection of the servicer's information from deliberate or accidental actions that could damage the servicer and its owners or users, and it is aimed at risk prevention. Cyber security concerns the protection of data in its electronic form. A holistic information security governance process bridges the gap between the business and information security, so the teams can work together efficiently.

Technology and Business Continuity and Disaster Recovery: Technology: Information Security

Evidence

Policies, Procedures, and Documents describing the process for:

  • User access roles and restrictions
  • Ensuring sensitive and confidential data is not compromised
  • Data accuracy
  • Physical security
  • Network security
  • Cyber security

CSF: 6.5.2.2 Systems

Information and technology governance evaluates the impact IT has on the processes and abilities of an organization to achieve its goals and objectives. IT governance audits are conducted to assess the effectiveness of system applications and general controls including the selection and monitoring of the technology services provided by third parties.

Technology and Business Continuity and Disaster Recovery: Technology: Systems

Evidence

Policies, Procedures, and Documents describing the process for:

  • System development and maintenance
  • Technology third party vendors
  • Notification to Fannie Mae of intent to change critical third-party technology providers, if applicable

Evaluations and Recommendations

Business continuity plans should include plans for:

  • Timely recovery of critical data.
  • Resources to access key systems.
  • Communications to internal and external parties for any temporary changes to business.
  • All applications that are dependent upon technology, such as the organization’s website, social media accounts, and shared and restricted network drives.

Information technology audits address the following control objectives:

  • Business continuity.
  • System security and access controls.
  • Compliance.
  • Data integrity.

A cyber risk management framework should cover internal and external risks and dependencies, including:

  • Testing and measuring cyber security protection, detection, and response.
  • Sufficient oversight of third-party vendor data security protocols.