Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
Guidance:
The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.