Wireless Banking Vendor Due Diligence Checklist.xls by yan198555


									Wireless Banking Vendor Due Diligence Kit

    Alternative Vendors: This tab lists top wireless banking providers. Note: This list may not be all-inclusive, and is just a starting point for your search and selection.
    Threshold Analysis: A typical analysis to determine that wireless banking providers require maximum level of due diligence scrutiny. One analysis should apply to all alternative providers.
    Vendor Due Diligence Checklist: This is the questionnaire you should send to all alternative providers to be used as a basis for your interview to determine risk associated with each alternative provider.

    For instructions on how to use this kit, please contact Infotex at sales@infotex.com.



    Alternative Vendors
         1     Acette Technologies - BankSmart
         2     Audech - Microfinance Application System
         3     CR2 - BankWorld Internet
         4     CSI Mobile
         5     Diebold
         6     Firethorn - Firethorn
         7     FIS Mobile (Fidelity National)
         8     goDough (Jack Henry)
         9     Intuit (Digital Insight)
        10     Masabi - Masabi Bank
        11     M-com (Fiserv)
        12     Metavante
        13     mFoundry - Spotlight Financial Platform
        14     MoadBus - MBanking
        15     Mobilearth - Mobilearth
        16     MobileShift - MShift Mobile Banking
        17     Petra Financial - Touchstone Mobile
        18     Q2 Software - Mobile Banking
        19     Rubik - Next Bank
        20     S1
        21     Technisys - Cyberbank mBanking
        22     Theme Technologies - ThemePro Mobile Banking
        23     Yodlee - Yodlee Mobile
        24     ZSL - Bank Companion

Threshold Analysis ver 3.15.11

Vendor Name: Typical Wireless Banking Provider

Threshold Questions:
   Will the vendor host (possess) NPI owned by the institution?                                                     Yes
   Will the vendor have access to Critical or Confidential Information?                                             Yes
   Will the vendor require expenditures in excess of [$50,000]?                                                     Yes
   Will the actions of the vendor affect financial statements (publicly held financial institution only)?           No



Rating scale (Unless Otherwise Noted): 0 = N/A or No Risk, 1 = Low Risk, 2 = Medium Risk, 3 = High Risk, 4 = Critical Risk

Question or Concern                                                                                                         Rating         Explanation / Exception


Risks Pertaining to Nature of Data Access
Does the vendor host (possess, take off-site) Nonpublic Customer Financial Information in aggregate?                          4
    "No" = 0     "Yes" = 4
Does vendor host (possess, take off-site) Nonpublic Customer Financial Information in smaller quantities                      4
over the course of one year?
    "No" = 0 "< 50" = 2 "< 500" = 3 "Over 500" = 4
Does vendor access confidential information or create reports that would be considered confidential?                          4
    "No" = 0     "Yes" = 4
Does the vendor have physical access to data or has the ability to access data if security controls were                      4
broken?
    "No" = 0     "Yes" = 4
If access is legitimately granted to the vendor, what is the sensitivity of data that the vendor has granted                  4
access to?
    "Public" = 1 "Internal" = 2 "Confidential" = 3 "Critical or NPI" = 4
What is the volume of transactions?                                                                                           2
    "Individual" (non-aggregated) = 1 "Low" = 2 "Medium" = 3 "High" = 4
    Explanation / Exception: Low at first, but hopefully it will be high after the adoption is complete.
What is the likelihood of a vendor breaching data?                                                                            2
    "Low" = 2 "Medium" = 3 "High" = 4
    (Note: If you do not know a vendor that has access to data, consider likelihood to be high for now.)
    Explanation / Exception: We are hoping this would be low because we're assuming that the vendor we choose will have a solid Information Security Program in place.
What is the likelihood that a compromise of information would result in a "severe" impact to the                              4
organization?
   "No" = 1 "Low" = 2 "Medium" = 3 "High" = 4

Risks Pertaining to the Vendor Industry
What is the strength of financial condition of a typical vendor in this industry?                                             3
    "Strong" = 1 "Not Sure" = 3 "Weak" = 4
    Explanation / Exception: We can't be sure until after we get Financial Statements, unless we go with our existing on-line provider.
What is the level of turnover of management and employees?                                                                    3
    "Low" = 1 "Not Sure" = 3 "High" = 4
    Explanation / Exception: We can't be sure until after we get Financial Statements, unless we go with our existing on-line provider.

Risk Pertaining to Criticality of Function
What is the criticality of the service to be performed by this vendor?                                                        4
    "Low" = 1 "Medium" = 2 "Critical" = 4
    Explanation / Exception: Until fully deployed, if our Wireless Banking goes down, it will not affect that many people. However, once it's up and running fully, and is fully adopted by our customer base, it will be a Critical platform.
Is it easy to find another vendor if this one fails?                                                                          4
    "Yes" = 1 "No" = 4 Use your judgment for "In Between"
    Explanation / Exception: It might be easy to find another vendor, but it won't be that easy to switch providers.
How much time would it take to replace this vendor, in terms of when the service would need to be                             4
performed again?
   "Need to make arrangements prior to termination" = 4
   "It would be close, but if we focused on finding a new vendor in a hurry we would be okay" = 3
   "No problem" = 1

Risks Pertaining to the Technology Used
Consider the complexity of the technology used by the vendor.                                                                 4
    "High-tech and hard to understand" = 4
    "Been doing this forever" = 1
    Use your judgment for "In Between"
Is the technology accessed via the Internet or in some remote fashion?                                                        4
    "No" = 1 "Yes" = 4 Use your judgment for "In Between"

                                                                                    Total Inherent Risk:                     54

If Total Inherent Risk is above 40, then the vendor should be considered "Critical Risk."
If Total Inherent Risk is between 25 and 39, then the vendor should be considered "GLBA Risk."
If it is close, the Information Security Officer should determine which checklist to use based on his/her own judgment.

                                                                                                   Check One:
                                                                                        Use "Critical" Checklist:             x
                                                                                         Use "GLBA" Checklist:
                                                                                     No Need for Due Diligence:


The Vendor Owner should sign this document after completion.

Signed:                                                                                                             Date:

The Information Security Officer should sign and file this document.

Signed:                                                                                                             Date:
                                                                          WIRELESS BANKING PRE-CONTRACT VENDOR DUE DILIGENCE CHECKLIST

Bank Name                                                                                              Date of Assessment:
Vendor Owner:
Name of Vendor:                                                                                        Type of Business:


Item #   Category   Issue   Action   Finding / Response / Notes   Cost   Response Is -   Yes or Complete? (Enter 1)   Likelihood to cause problem (1 - 8)   Severity Impact (1 - 5)   Risk Level (1 - 13)   Not Applicable: (Enter 1)

        Risk Management
  1       Risk    Service / Vendor           Was a threshold analysis performed in connection with                                                                                                                      0
       Management       Risk                 the vendor relationship?
                    Assessment
  2       Risk    Service / Vendor           If yes, what was the ranking?                             Critical (a 54, the highest we have)                                                                             0
       Management       Risk                 (Critical, High, Medium, Low)
                    Assessment
  3       Risk      Application             Beyond the SOC or SAS70 acquired on Vendor's               Consider making a new item for each platform, but                                                                0
       Management     Security              organization (see below), what type of application         be sure to check not just iOS or Android testing, but
                                            testing is performed on each platform?                     testing of all platforms being offered.
  4        Risk               Application   Can vendor sign an affidavit swearing that the OWASP       If no formal audit reports address application security,                                                         0
        Management              Security    Top Ten Vulnerabilities are being tested?                  vendor should at least attest to a framework that
                                            (www.owasp.org)                                            testing is being performed against.
  5        Risk               Application   Does application store NPI data on the smartphone                                                                                                                           0
        Management              Security    and, if so, is it encrypted?
  6        Risk               Application   Does application store user name and/or password on                                                                                                                         0
        Management              Security    smartphone and, if so, is it encrypted?
  7        Risk               Application   Does application give the user the ability to opt out to   If so, can we lock the app down to require credentials?                                                          0
        Management              Security    memorized credentials?
  8        Risk                 Quality of  Have we investigated other installations of the                                                                                                                             0
        Management            Application   Vendor's app and checked out the reviews in the
                                            application market?
  9        Risk               Posture on    When questioned about compliance concerns, security                                                                                                                         0
        Management             "Collateral  controls, customer awareness training, helpdesk
                              Processes"    training, application reviews, etc. does the Vendor
                                            seem to have a "partner posture" and offer guidance,
                                            or does Vendor leave this to the bank?
 10        Risk              Operations and Did the Vendor supply a SAS 70 or SSAE 16 report?                                                                                                                           0
        Management              Controls    (Note: If the vendor does not host non-public
                                            information, this is not required.)
       SAS70 or SOC
       (SSAE 16 / AT
           101)
 11    SAS70 or SOC             Audit Risk   Is it a Type II report?                                                                                                                                                    0
       (SSAE 16 / AT
           101)                              Note: Type II includes a report on the effectiveness of
                                             the stated controls (the controls are tested).
 12    SAS70 or SOC             Audit Risk   Was it performed by a licensed CPA firm?                                                                                                                                   0
       (SSAE 16 / AT
           101)
 13    SAS70 or SOC             Audit Risk   Is the date of the SAS70 or SOC within the last year?                                                                                                                      0
       (SSAE 16 / AT
           101)
 14    SAS70 or SOC           User Control Was the User Control Considerations reviewed and                                                                                                                             0
       (SSAE 16 / AT         Considerations considered?
           101)
                                             Note: Enlist the assistance of your Information
                                             Security Officer.
       Copyright 2011 Infotex, Inc.                                                                               Vendor Due Diligence Kit
  15 SAS70 or SOC           User Control Have missing User Control Considerations been                                                                                                                              0
     (SSAE 16 / AT         Considerations introduced in the Risk Assessment?
         101)
                                            Note: Enlist the assistance of your Information
                                            Security Officer
16   SAS70 or SOC         Security Policies Does the audit report establish that the vendor has                                                                                                                     0
     (SSAE 16 / AT                          security policies and standards addressing how they
         101)                               protect nonpublic information?
17   SAS70 or SOC           Awareness       Does the audit report establish that the vendor has a                                                                                                                   0
     (SSAE 16 / AT            Training      program for making sure their employees understand
         101)                               vulnerabilities and risks associated with Information
                                            Security?
18   SAS70 or SOC         Authentication of Does the audit report establish that the vendor has                                                                                                                     0
     (SSAE 16 / AT         Vendor Users appropriate login and password protection policies?
         101)
19   SAS70 or SOC Vendor Remote            If the audit report establishes that the vendor utilizes                                                                                                                 0
     (SSAE 16 / AT   Access                remote access, does the vendor have a remote access
         101)                              policy or safeguards in place?
20   SAS70 or SOC    Network               Does the audit report establish that the vendor's                                                                                                                        0
     (SSAE 16 / AT  Monitoring             network is monitored by an Intrusion detection or
         101)                              prevention system (IDS / IPS)?
21   SAS70 or SOC   Anti-Virus             Does the audit report establish that the vendor utilizes                                                                                                                 0
     (SSAE 16 / AT  Protection             anti-virus protection on their network?
         101)
      Functionality
22    Functionality            Channels    Does vendor offer Mobile Web (or can we keep that                                                                                                                        0
                                           going with our existing on-line provider)?
23    Functionality            Channels    Does vendor offer SMS banking?                                                                                                                                           0
24    Functionality            Channels    Does vendor offer Mobile Applications?                                                                                                                                   0
25    Functionality            Platforms   Does vendor have an iPhone app?                            If not, are there plans to, and when?                                                                         0
26    Functionality            Platforms   Does vendor have a Droid app?                              If not, are there plans to, and when?                                                                         0
27    Functionality            Platforms   Does vendor have a RIM app?                                If not, are there plans to, and when?                                                                         0
28    Functionality            Platforms   Does Vendor have a Windows Mobile App?                                                                                                                                   0
29    Functionality            Platforms   Does Vendor have apps for other platforms?                 List here                                                                                                     0
30    Functionality            Platforms   Where does Vendor see future of Wireless Banking?          Try to consider how confident you are in Vendor's                                                             0
                                                                                                      understanding of strategic risk.
31    Functionality        Basic Features Does application offer secure messaging?                                                                                                                                  0
32    Functionality        Basic Features Does application leverage GPS position (for ATM                                                                                                                           0
                                          Locations, Branch Locations, and Fraud Monitoring)?

33    Functionality        Basic Features Does the application offer standard customization           Standard customization features would include                                                                 0
                                          features?                                                   changing language, date/time format, amount format,
                                                                                                      etc. Document what might be missing or what might
                                                                                                      be additional.
34    Functionality        Basic Features Does application allow interface with SMS banking (to                                                                                                                     0
                                           adjust monitoring parameters for SMS alerts)?
35    Functionality        Wallet Features Does application include a "self-contained wallet"         If the application allows for any kind of mobile                                                              0
                                           function?                                                  payments, document that here.
36    Functionality        Wallet Features Does application include "scan and pay?"                   Not only document if the service is available, but                                                            0
                                                                                                      document if you can start-off with it turned off, and
                                                                                                      document how new user registrations are handled.
37    Functionality        Wallet Features Does application include "wave and go?"                    Not only document if the service is available, but                                                            0
                                                                                                      document if you can start-off with it turned off, and
                                                                                                      document how new user registrations are handled.
  38    Functionality        Wallet Features Does application include P2P payment capabilities?              Not only document if the service is available, but                                                             0
                                                                                                             document if you can start-off with it turned off, and
 39     Functionality           Consumer       Does application facilitate Consumer Capture?                                                                                                                                0
                                 Capture
 40     Functionality           Consumer     If the application facilitates Consumer Capture, does it                                                                                                                       0
                                 Capture     include fraud prevention capabilities such as checking
                                             MICR codes against the core database before
                                             authorizing deposits?
 41     Functionality           Features     Does Vendor have other features the bank would be               List here                                                                                                      0
                                             interested in?
 42     Functionality          Integration   Have we checked Vendor's integration claim against              If so, document any problems here (and risk related to                                                         0
                                             references?                                                     problems)
 43     Functionality          Distribution  Does Vendor facilitate all application distribution (for all                                                                                                                   0
                                             prevalent platforms?)
 44     Functionality       Fraud Monitoring Does Vendor provide assistance with integrating to our                                                                                                                         0
                                             existing fraud monitoring application?
 45     Functionality       Fraud Monitoring Does Vendor recommend a Fraud Monitoring                        If so, document costs.                                                                                         0
                                             application to work side-by-side with their application
                                             back-end?
 46     Functionality         Deployment     Does Vendor have a program for rolling out platforms                                                                                                                           0
                                             over time? (Staggered Deployment?)
 47     Functionality         Deployment     Has the vendor discussed transition requirements                                                                                                                               0
                                             (initial migration of data to vendor, implementation of
                                             communications mechanisms, staff training) to the
                                             satisfaction of the acquisition team?
 48     Functionality         Deployment     Does the cost include liberal estimates for training                                                                                                                           0
                                             requirements and compliance/security controls
                                             development?
 49     Functionality           Updates      Does quoted Vendor price include all updates to all                                                                                                                            0
                                             applications?
 50     Functionality           Updates      Does quoted Vendor price include required updates                                                                                                                              0
                                             due to compliance considerations?
 51     Functionality          Integration   Does the application (and SMS) integrate directly with                                                                                                                         0
                                             the core or does it go through some other route (like
                                             through the on-line banking system)?
 52     Functionality           Features     Does Vendor have other features the bank would be               List here                                                                                                      0
                                             interested in?
        Compliance
 53     Compliance               Contract      Has the vendor contract been reviewed by legal?                                                                                                                              0
 54     Compliance               Contract      Does the contract include provisions related to                                                                                                                              0
                                               standards and service levels (availability/performance,
                                               change management, financial reporting, quality of
                                               service, security, business continuity)?

 55     Compliance               Contract      Does the contract delineate minimum acceptable                                                                                                                               0
                                               service provider characteristics (industry experience,
                                               process controls, financial condition, reputation, legal,
                                               regulatory and compliance history)?
 56     Compliance               Contract      Does the contract spell out responsibilities for                                                                                                                             0
                                               monitoring and reporting (measurements and reporting
                                               criteria, right to audit, third-party reports, coordination
                                               of responses to security events)?



  57    Compliance               Contract     Does the contract spell out transition requirements                                                                                            0
                                              (initial migration of data to vendor, implementation of
                                              communications mechanisms, staff training)?
 58     Compliance               Contract     Does the contract specify duration, termination, and                                                                                           0
                                              assignment?
 59     Compliance               Contract     Does the contract specify protections against liability                                                                                        0
                                              (indemnification, limitation of liability, insurance)?

 60     Compliance           Documentation Does the documentation include Request for Proposal                                                                                               0
                                           (RFP)?
 61     Compliance           Technical and Have references been contacted?                                                                                                                   0
                                Industry
                               Expertise
 62     Compliance           Technical and Were key vendor personnel evaluated?                                                                                                              0
                                Industry
                               Expertise
 63     Compliance           Technical and Have we confirmed how many financial institutions the                                                                                             0
                                Industry   vendor is already working with?
                               Expertise
 64     Compliance             Financial   Has the Vendor's financial condition / financial                                                                                                  0
                               Condition   statements been investigated?

                                              (Enlist someone knowledgeable with financial
                                              statements if need be.)
 65     Compliance               Financial    Has the length of time the Vendor has been in business                                                                                         0
                                 Condition    been considered?
 66     Compliance               Financial    Has it been determined if Vendor is disproportionately                                                                                         0
                                 Condition    dependent upon a single customer?

 67     Compliance           Operations and   Has the Vendor's insurance, including E&O Insurance,                                                                                           0
                               Controls       been investigated?
 68     Compliance           Operations and   If yes, has the Vendor provided a copy of the insurance                                                                                        0
                               Controls       certificate?
 69     Compliance           Operations and   Have the Vendor's oversight and controls (sufficient                                                                                           0
                               Controls       security precautions) been investigated?
 70     Compliance           Operations and   Does the Vendor have Information Security policies in                                                                                          0
                               Controls       place?
 71     Compliance           Operations and   Does the Vendor have a Business Continuity Plan?                                                                                               0
                               Controls
 72     Compliance           Operations and  Does the Vendor have controls in place related to                                                                                               0
                               Controls      Information Security Processes (e.g. data
                                             classification, risk assessments, ongoing monitoring,
                                             incident response, audits)?
 73     Compliance             Disclosures   How does the vendor provide for the delivery of                                                                                                 0
                                             disclosures in New User Registration of Mobile
                                             Applications?
 74     Compliance             Encryption    Does the application encrypt data in motion as well as                                                                                          0
                                             data at rest?
 75     Compliance          Bank Bribery Act Have the "insider" provisions of the Bank Bribery Act                                                                                           0
                                             been considered?
 76     Compliance          SAS 70 or SOC    Did the Vendor supply a SAS 70 or SOC report?                                                                                                   0
                                 Report      Note: if the Vendor supplied a SOC report, is it
                              (SSAE 16 or    SSAE 16 or AT 101?
                                AT 101)

 77     Compliance          Mobile Marketing Does the vendor comply with SMS marketing                                                                                                0
                              Association    association guidelines (e.g. Mobile Marketing
                                             Association)? This may be necessary to ensure all
                                             wireless carriers will accept your traffic.
Summary:
            Total Risk               0
  # Incomplete Issues               77
   Percent Incomplete             100.0%
 Vendor Risk Ranking                0.0
   # Complete Issues                 0
    Percent Complete               0.0%
      # Not Applicable               0




Ranking   Likelihood of Occurrence   Starting Point (not to be used literally)
   1      Highly Unlikely            Is just not going to occur no matter what.
   2      Negligible                 Unlikely to occur.
   3      Very low                   Likely to occur two/three times every five years.
   4      Low                        Likely to occur once every year or less.
   5      Medium                     Likely to occur once every six months or less.
   6      High                       Likely to occur once per month or less.
   7      Very high                  Likely to occur multiple times per month.
   8      Extreme                    Likely to occur multiple times per day.

Ranking   Impact Severity   Starting Point (not to be used literally)
   1      Insignificant     Will have almost no impact if threat is realized and
                            exploits vulnerability.
   2      Minor             Will have some minor effect on the system. It will
                            require minimal effort to repair or reconfigure the
                            system.
   3      Significant       Will result in some tangible harm, albeit negligible
                            and perhaps only noted by a few individuals or
                            agencies. May cause political embarrassment.
                            Will require some expenditure of resources to
                            repair.
   4      Serious           May cause damage to the reputation of system
                            management, and/or notable loss of confidence in
                            the system’s resources or services. It will require
                            expenditure of significant resources to repair. May
                            cause considerable system outage, and/or loss of
                            connected customers or business confidence.
                            May result in compromise of a large amount of
                            information or services.
   5      Critical          May cause extended system outage or permanent
                            closure, causing operations to resume
                            in a Hot Site environment. May result in complete
                            compromise of Government agencies’ information
                            or services.

Risk Ranking   Interpretation
     2         Low
     3         Low
     4         Low
     5         Low          4
     6         Low          3
     7         Moderate
     8         Moderate
     9         Moderate
    10         High
    11         High
    12         Critical
    13         Critical

								