Control requirements

Additional IBM Cloud for Financial Services specifications

Tests should be conducted in as close to an operational environment as possible. If feasible, an actual test of the components or systems used to conduct daily operations should be used.

Test documentation must ensure contingency planning metrics such as the RTO, RPO and maximum tolerable downtime (MTD) are verified during testing.

Contingency Plan test reports must be completed within 30 days after completing the Contingency Plan Test.

If lessons learned result in any necessary improvements to existing processes, ensure they are incorporated into the contingency plan no later than 30 days following all contingency events and exercises.

Critical issues discovered during contingency plan testing must be addressed within 45 calendars day.

Contingency plan tests should increase in scope over time in order to validate the operability of the plan and system components in an operational environment.

The organization must participate in customers' and other third parties' contingency plan tests as required.

NIST supplemental guidance

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.