Eze Castle Integration

Hedge IT Blog

More RFP Questions: Data Protection, Business Continuity & Incident Response

By Eze Castle Integration,
Tuesday, March 7th, 2017

Last week, we shared some important questions to include in hedge fund technology RFPs, focusing on Staffing, Client Service Model and User Support. In today’s article, let’s dive back into the RFP process, and look at some hedge fund RFP questions on Business Continuity and Disaster Recovery Plans, Backup and Retention of Information, Data Security, and Intrusion Detection and Incident Response.

Business Continuity & Disaster Recovery Plans

  • Does your company have a written policy and program in place for business continuity and disaster recovery?

  • Have your company’s policies and programs for business continuity and disaster recovery been fully implemented? If not fully implemented, please discuss those areas in detail and explain any plans to address them.

  • Do your business continuity and disaster recovery policies and programs include the implementation of the following actions? (Be sure to address all parts.)

    • Personnel requirements, including emergency management contacts and all operations personnel

    • The restoration of service to clients in a prioritized manner

    • Capability and support of multiple client recovery events

    • Geographically dispersed recovery locations to allow diversity of data centers, utilities, transportation, telecommunications, etc.

    • Full security controls (for operating systems, hardware, software, user access) activated at time of system recovery, same as in a normal state

    • Timely and ongoing client status reports as part of emergency response procedures

  • How often does your company test its business continuity and disaster recovery plans to ensure effectiveness?

  • Are there aspects of services that would be excluded or delayed in your recovery plans that would impact our fund? If yes, please explain.

  • Does your company use unaffiliated service providers for recovery services?

  • Are the recovery services dedicated or shared?

  • Is our fund at risk of being preempted in a disaster? If yes, please explain.

  • Did your most recent business continuity and disaster recovery test meet its stated objectives?

Backup & Retention of Information

  • Does your company have a written policy and program for backup and retention?

  • Are your backup and retention policies and programs fully implemented? If not, please discuss those areas in detail and your company’s plans to address them.

  • Do your company’s backup and retention policies and programs have processes that include these elements? (Be sure to address all parts.)

    • Implemented and sustained processes for data and information archiving
    • Media obsolescence
    • Local and offsite data retention
    • Climate-controlled environment
    • Validation of receipt
    • Segregation of bank data and information

Data Security

  • Does your company have a security methodology and process for consistent planning, design and implementation for the following systems? (Be sure to address all parts.)

    • Operating systems
    • Networks
    • Databases
    • Firewalls
    • Infrastructure
    • Software
    • Purchased third-party software and hardware
    • Applications
    • Physical security
    • Environmental security
    • Communications

  • Does your company’s methodology include security design considerations? (Be sure to address all parts.)

    • Data and information confidentiality
    • Data and information ownership
    • Administrative functions and controls
    • Privacy
    • Regulatory and compliance needs
    • Monitoring, tracking and auditing security events
    • Risk assessment and mitigation

  • Have your company’s security architecture methodology and processes been fully implemented? If the policy and program are not fully implemented, please discuss those areas in detail and your company’s plans to address them.

  • Does your company have a policy and program for training employees on information security?

  • Does your company have a written policy and program for encryption?

  • Is your company’s encryption policy and program fully implemented?

Intrusion Detection & Incident Response

  • Does your company have a written policy and program for network intrusion detection and incident response?

  • Are your company’s network intrusion detection and incident response policy and program fully implemented? If the policy and program are not fully implemented, please discuss those areas in detail and your company’s plans to address them.

  • Does your company’s intrusion detection and incident response policy include a program for implemented and sustained processes? Some of these include:

    • Monitoring and analysis of security alerts
    • Remedial action of security incidents
    • A fully implemented Intrusion Detection System (IDS) tool
    • Action for network attacks against vulnerable services
    • Action for malware (such as viruses, trojans and worms)

  • Does your company have 24/7 coverage of the IPS environment?

  • Does your company’s staff monitor and take action on real-time attacks?

  • Does your company conduct testing to assess the effectiveness of the implemented controls?

Photo Credit: ShutterStock

Editor's Note: This article has been updated and was originally published in October 2011 by Dina Ferriero (Eze Castle Integration).

Categorized under: Hedge Fund Operations, Disaster Recovery, Operational Due Diligence, Business Continuity Planning