Eze Castle Integration

Hedge IT Blog

We’ve Got MORE Questions: RFP on business and data protection

By Dina Ferriero,
Thursday, October 20th, 2011

Earlier this week, we shared some important questions to include in hedge fund technology RFPs, focusing on Staffing, Client Service Model and User Support. In today’s article, let’s dive back into the RFP process, and look at some hedge fund RFP questions on Business Continuity and Disaster Recovery Plans, Backup and Retention of Information, Data Security, and Intrusion Detection and Incident Response.

Business Continuity & Disaster Recovery Plans

  • Does your company have a written policy and program in place for business continuity and disaster recovery?

  • Have your company’s policy and program for business continuity and disaster recovery been fully implemented? If not fully implemented, please discuss those areas in detail and explain any plans to address them.

  • Do your business continuity and disaster recovery policies and programs include the implementation of the following actions? (Be sure to address all parts!)

    • Personnel requirements, including emergency management contacts and all operations personnel
    • The restoration of service to clients in a prioritized manner
    • Capability and support of multiple client recovery events
    • Geographically dispersed recovery locations to allow diversity of data centers, utilities, transportation, telecommunications, etc.
    • Full security controls (for operating systems, hardware, software, user access) activated at time of system recovery, same as in a normal state
    • Timely and ongoing client status reports as part of emergency response procedures
       
  • How often does your company test its business continuity and disaster recovery plans to ensure effectiveness?

  • Are there aspects of services that would be excluded or delayed in your recovery plans that would impact our fund? If yes, please explain.

  • Does your company use unaffiliated service providers for recovery services?

  • Are the recovery services dedicated or shared?

  • Is our fund at risk of being preempted in a disaster? If yes, please explain.

  • Did your most recent business continuity and disaster recovery test meet its stated objectives?

Backup & Retention of Information

  • Does your company have a written policy and program for backup and retention?

  • Are your backup and retention policy and program fully implemented? If the policy and program are not fully implemented, please discuss those areas in detail and your company’s plans to address them.

  • Does your company’s backup and retention policy and program have processes that include these elements? (Be sure to address all parts.)

    • Implemented and sustained processes for data and information archiving
    • Media obsolescence
    • Local and offsite data retention
    • Climate-controlled environment
    • Validation of receipt
    • Segregation of bank data and information

Data Security

  • Does your company have a security methodology and process for consistent planning, design and implementation for the following systems? (Be sure to address all parts.)

    • Operating systems
    • Networks
    • Databases
    • Firewalls
    • Infrastructure
    • Software
    • Purchased third-party software and hardware
    • Applications
    • Physical security
    • Environmental security
    • Communications
       
  • Does your company’s methodology include security design considerations? (Be sure to address all parts.)

    • Data and information confidentiality
    • Data and information ownership
    • Administrative functions and controls
    • Privacy
    • Regulatory and compliance needs
    • Monitoring, tracking and auditing security events
    • Risk assessment and mitigation
       
  • Have your company’s security architecture methodology and processes been fully implemented? If the policy and program are not fully implemented, please discuss those areas in detail and your company’s plans to address them.

  • Does your company have a policy and program for training employees on information security?

  • Does your company have a written policy and program for encryption?

  • Are your company’s encryption policy and program fully implemented?

Intrusion Detection & Incident Response

  • Does your company have a written policy and program for network intrusion detection and incident response?

  • Are your company’s network intrusion detection and incident response policy and program fully implemented? If the policy and program are not fully implemented, please discuss those areas in detail and your company’s plans to address them.

  • Does your company’s intrusion detection and incident response policy include a program for implemented and sustained processes? Some of these include:

    • Monitoring and analysis of security alerts
    • Remedial action of security incidents
    • A fully implemented Intrusion Detection System (IDS) tool
    • Action for network attacks against vulnerable services
    • Action for malware (such as viruses, trojans and worms)

  • Does your company have 24/7 coverage of the IPS environment?

  • Does your company’s staff monitor and take action on real-time attacks?

  • Does your company conduct testing to assess the effectiveness of the implemented controls?

To learn more about RFP guidelines and questions, download our Guide to Technology Outsourcing for Hedge Funds and check out Part 1 of our hedge fund tech RFP series. And, as always, our experts at Eze Castle Integration are available to provide more information!


Categorized under: Hedge Fund Operations, Disaster Recovery, Business Continuity Planning
