1. Bank Solutions does not have a current DRBCP for the data center.
· NIST SP 800-53 Rev. 4 -1 controls from all security control families
2. The Item Processing facility DRBCP has not been tested. Testing helps reveal discrepancies and omissions in the plan before it is used in the event of an accident.
· Informative References NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14.
3. Small center Item Processing facilities have yet to finish the customization exercise of their DRBCP.
· NIST SP 800-53 Rev. 4 -1 controls from all security control families / NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2
4. Recovery Time Objectives and Recovery Point Objectives for each critical business process and system were not identified in the DRBCP.
· NIST SP 800-53 Rev. 4 CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17
5. Key personnel who have duties under the DRBCP and are responsible for carrying it out do not have a copy of the information.
· SP 800-53r4 Controls PM-11, SA-14
6. Key personnel are not aware of their duties under the DRBCP.
· SP 800-53r4 Controls CP-2, CP-3, IR-3, IR-8
7. The DRBCP does not address the policy, standards, or procedures for handling security incidents, escalation points of contact, and preserving the forensic qualities of logical evidence.
· SP 800-53r4 Controls AC-1, AT-1, AU-1
8. There are no instructions or documentation in the DRBCP for handling specific responsibilities for backup utilities, since each data center is used as the other data center’s hot site.
· NIST 800-53r4 Controls CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
9. The data backup recovery plan is inefficient because no differential backup is in place.
· NIST 800-53r4 controls CP-4, CP-6, CP-9
10. Backup tapes are improperly stored off-site in locations over which the firm does not have direct control. Backup tapes need to be stored in an approved off-site location.
·