Business Continuity and Disaster Recovery is a fundamental part of First Data business operations. Our Business Continuity and Disaster Recovery programs allow First Data to provide continued service to our customers and clients and to respond effectively to a disruptive event that may impact the firm or interrupt normal operations.
The Enterprise Business Continuity Program comprises firm-wide Crisis Management, Business Resumption and Disaster Recovery programs, and provides for the company’s need to recover its business processes and the supporting technology in a timely manner during disruption. This is accomplished by following pre-defined, management-approved policies, strategies, and procedures. The program allows for the restoration of both technology and business process capabilities within predetermined timeframes. The recovery strategies focus on plans and procedures for those processes deemed critical to the financial and operational health of First Data and its clients.
First Data has a dedicated group of business continuity professionals who are responsible for maintaining the program.
Oversight & Governance
Policies and Standards exist for Disaster Recovery, Business Resumption and Crisis Management. These policies provide rules for each of the three disciplines.
Enterprise Business Continuity is managed by a firm-wide Business Continuity Steering Committee with representation from all major business units at First Data.
The Business Continuity program is subject to internal audit reviews and is regulated by the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Federal Reserve Board and other local country regulators.
Incident and Crisis Management
First Data has a structured Incident and Crisis Management program that is embedded with the firm’s Joint Security Operations Center (JSOC). This program provides 24/7 active monitoring to identify global developments that have the potential to adversely impact First Data’s interests, including assets, personnel and operations.
The Incident and Crisis Management program focuses on early threat detection and mitigation strategies as well as robust scenario-based training with key stakeholders to ensure readiness throughout the firm. Incident and Crisis Management Plans are strategically developed and enhanced based on training results and the evolution of the environment in which the business unit operates. The plan is established at the corporate level, reports directly to the First Data Management Committee, and includes details of the roles and responsibilities of Senior Management in the event of an incident. Incident and Crisis Management Plans are designed to anticipate and respond to events including technology issues; cyber events; facilities failures; environmental or human-caused disasters; geo-political disruptions; and high-level absenteeism.
Business Resumption Planning
The objectives of business resumption planning include minimizing loss to First Data and its clients, continuing to serve our customers, ensuring the safety of employees, and minimizing negative impacts of events. Each First Data business unit is responsible for completing a Business Impact Analysis (BIA) on an annual basis to determine the criticality of the business. The BIA provides a Recovery Time Objective (RTO) for each function.
Each business unit is also responsible for developing and maintaining resumption plans on an annual basis. The plans can be used independently or together if the incident affects multiple business units. The plans cover key elements including life safety, key resources, equipment, applications, and recovery strategies, including recovery site information and recovery tasks. All plans address high absenteeism, including pandemic and severe weather events.
Business Resumption plans are required to be tested at least annually to ensure an effective program. The firm has a varied testing program including the testing of recovery solutions such as working from another location (move and resume), work from home, and workload transfer. Our test types include tabletop walkthroughs, simulation exercises and full disaster recovery tests. Post-exercise reports are created for each event. All testing issues, as well as Business Impact Analysis and Business Resumption Plan compliance, are tracked, and metrics are provided to senior management.
Disaster Recovery focuses on restoring the firm’s critical systems and applications used by our internal businesses and external clients. Application recovery is prioritized based on the Recovery Time Objective identified in the Business Impact Analysis, and First Data maintains a Disaster Recovery plan for all critical systems and applications. The plans provide a step-by-step procedure to recover the system or application. These plans span all key personnel, components and applications that are necessary to minimize the impact to vital business processes following a data center outage. The Data Center disaster recovery plans are intended to document the recovery of critical components, data processing systems, and networks. They follow a process which covers immediate response through fall back to a production site.
The Disaster Recovery team manages and coordinates recovery activities and rigorous exercises to demonstrate the firm’s ability to recover. All critical systems and applications are tested on an annual basis. Post-mortem reports are generated and reviewed with all exercise participants and all risks identified are recorded in the firm’s risk management tool and tracked through resolution.
Monthly dashboards are used to track all Disaster Recovery requirements, including the maintenance of our plans and testing of our systems and applications. The dashboard is socialized to First Data’s senior management and provides a snapshot on the health of the Disaster Recovery Program.
The information contained herein is the confidential information of the First Data Corporation. This document should not be copied or otherwise redistributed without the express written consent of First Data.