Establish, implement, and maintain continuity roles and responsibilities.


CONTROL ID
00733
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity framework., CC ID: 00732

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The senior management should establish clearly which function in the institution has the responsibility for managing the entire process of business continuity planning (the BCP function). (2.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • For the first two phases, clear responsibilities should be established and activities prioritised. A recovery tasks checklist should be developed and included in the BCP. It is recognised that certain tasks involved in the full recovery phase may depend on the nature of the disaster concerned and th… (4.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • O7: The organization shall define responsibilities for the disaster prevention and control unit. O65.2: When developing contingency plans, the organization shall consider including securing additional personnel for unexpected situations. (O7, O65.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A list of roles and responsibilities for different staff members during a disaster is offered. The chief executive is responsible for briefing the board on the situation along with the expected impact and recovery timeframe. The executive acts as the focal point for the organization when it comes to… (Pg 52 thru Pg 54, Pg 57, Pg 68 thru Pg 72, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and busin… (3.2.1 2, Final Report EBA Guidelines on ICT and security risk management)
  • Do the roles carry the authority for ensuring conformance and reporting, as well as the responsibility? (Leadership ¶ 3, ISO 22301: Self-assessment questionnaire)
  • Have you determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated? (Performance evaluation ¶ 1, ISO 22301: Self-assessment questionnaire)
  • Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT continge… (DS4.1 IT Continuity Framework, CobiT, Version 4.1)
  • Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recove… (DS4.2 IT Continuity Plans, CobiT, Version 4.1)
  • A high level official, for example, a board director or elected representative, should own the business continuity management policy. Management should nominate or appoint a senior person who has appropriate authority to be accountable for the business continuity management policy and implementation… (§ 4.3 ¶ 2, § 5.2.1, § 7.8.3, § 8.7.4, BS 25999-1, Business continuity management. Code of practice, 2006)
  • A Board member should be responsible for the Information Technology Service Continuity (ITSC) strategy and he/she should be included when new business initiatives, including mergers and acquisitions, directional change, and any decision that could impact the ITSC, are being decided. (§ 5.1 ¶ 2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Creating a business continuity management strategy team is called for. This team then identifies the organization's business strategies and objectives. The scope of the existing strategies and findings from business impact analyses are then used to reshape the strategy or generate a new one from scr… (Stage 2.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • When deploying the Business Continuity Management (BCM) system, the business unit (BU) or regional management should create ownership for BCM within the BU by assigning key roles, such as a BU BCM sponsor, manager, and coordinator. (§ 5.1.B ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Business continuity plans should identify personnel responsibilities and individuals accountable for the continuity process. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization must create an organizational resilience management team with the appropriate authority to oversee incident preparedness, response, and recovery. (§ 4.4.1 ¶ 4(a), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The specific roles and responsibilities of all personnel assigned duties during an emergency should be defined. Alternate personnel should be assigned for each defined role. (Revised Volume 3 1-I-10, Revised Volume 3 1-I-16, Protection of Assets Manual, ASIS International)
  • A Process should be established for assigning responsibilities for protecting information, business applications, Information Systems, and networks when owners are unavailable. (CF.02.05.04a, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should help to ensure that the organization is able to manage a major crisis (e.g., by having an incident management capability and establishing a Crisis Management Team). (CF.20.01.05c, The Standard of Good Practice for Information Security)
  • Business owners should be appointed for each individual business environment, who are responsible for the corresponding Business Continuity Plan and arrangements, and are supported by a local team of individuals. (CF.20.02.03, The Standard of Good Practice for Information Security)
  • The Business Continuity program should require roles and responsibilities of individuals involved in Business Continuity to be identified. (CF.20.02.04a, The Standard of Good Practice for Information Security)
  • A Process should be established for assigning responsibilities for protecting information, business applications, Information Systems, and networks when owners are unavailable. (CF.02.05.04a, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity strategy should help to ensure that the organization is able to manage a major crisis (e.g., by having an incident management capability and establishing a Crisis Management Team). (CF.20.01.05c, The Standard of Good Practice for Information Security, 2013)
  • Business owners should be appointed for each individual business environment, who are responsible for the corresponding Business Continuity Plan and arrangements, and are supported by a local team of individuals. (CF.20.02.03, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should require roles and responsibilities of individuals involved in Business Continuity to be identified. (CF.20.02.04a, The Standard of Good Practice for Information Security, 2013)
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business… (BCR-01, Cloud Controls Matrix, v3.0)
  • A consistent unified framework for Business Continuity planning and plan development shall be established, documented and adopted to ensure all Business Continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for Busine… (RS-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • ICT users. An organization should establish user roles which include responsibility for: • using ICT resources in conformance with ICT policy, directives and procedures; and • protecting ICT business assets in conformance with ICT security policy, directives and procedures. (§ 5.1.4, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, respo… (§ 5.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • ensuring that the BCMS conforms to the requirements of this document; (§ 5.3 ¶ 2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • reporting on the performance of the BCMS to top management. (§ 5.3 ¶ 2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • assign roles and responsibilities for tasks within them. (§ 8.4.1 ¶ 3 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization must have a documented disaster/emergency management and business continuity programs that includes roles and responsibilities. The organization must appoint a program coordinator who is authorized to administer the program and keep it up to date. Annex A.4.2 lists additional duties… (§ 4.1(1), § 4.2, § 4.3, Annex A.4.2, Annex A.4.3, Annex A.4.3.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Does the Business Continuity and Disaster Recovery program include conditions for the associated roles and responsibilities that come with activating the plan? (§ K.1.2.4, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include roles and responsibilities for those who invoke and execute the plan? (§ K.1.2.7, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • App A § 3 ¶ 4: IT management, system security personnel, and all organizational components shall be actively involved in providing information to develop the contingency plan, to make decisions, and to provide testing support. App A § 6.5 ¶ 2: The organization should establish test teams to prep… (App A § 3 ¶ 4, App A § 6.5 ¶ 2, App A § 8.1, App A § 8.3, CMS Business Partners Systems Security Manual, Rev. 10)
  • The contingency plan must clearly assign recovery responsibilities and provide backup personnel. (CSR 5.2.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing prog… (Principles of the Business Continuity Testing Program, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Roles and responsibilities of crisis management group members; (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Define responsibilities and decision-making authorities for designated teams or staff members; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Policy 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Management assignment of BCM-related responsibilities. (II.A Action Summary ¶ 2 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The board and senior management govern business continuity through defining responsibilities and accountability, and by allocating adequate resources to business continuity. (II.A Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Designation of emergency personnel, including for critical business process-level employees. (IV.A Action Summary ¶ 3 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the board and senior management promote effective governance of business continuity through defined responsibilities, accountability, and adequate resources to support the program. (II.A, "Board and Senior Management Responsibilities") (App A Objective 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Staffing and skills needed to operate critical functions related to business continuity. (App A Objective 6:4a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Designated emergency personnel, including critical business process-level employees (i.e., those necessary to ensure all critical business operations function appropriately). (App A Objective 6:4f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Assigning business continuity responsibility and accountability. (App A Objective 2:4a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Defining business continuity roles, responsibilities, and succession plans. (App A Objective 2:5a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Raise issues with appropriate personnel and assign responsibility for resolution. (App A Objective 10:28c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Identify personnel with key information security roles during a disaster and training of personnel in those roles. (App A Objective 6.34.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Identify personnel who will have critical information security roles during a disaster, and train personnel in those roles. - Define information security needs for backup sites and alternate communication networks. - Establish and maintain policies that addre… (II.C.21 Business Continuity Considerations, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Backup personnel are identified and trained. (App A Objective 5:2 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The Board of Directors and senior management should allocate resources and assign individuals to implement a continuity plan; review and approve the continuity plan at least annually; oversee the training program; and ensure testing of the continuity plan is accomplished. Managers from the different… (Pg 3, Pg 13, Pg 14, Pg 18, Pg 19, Pg 31, Pg D-4, Pg D-5, Pg G-2, Exam Tier I Obj 1.3, Exam Tier I Obj 2.2, Exam Tier I Obj 8.2, Exam Tier I Obj 10.2 (Testing Policy), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 5.5, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The Board of Directors and senior management should establish policies and procedures for organization-wide continuity plans. Personnel from each department should be responsible for developing and maintaining their respective department's continuity plans. (Pg 10, Pg 30, FFIEC IT Examination Handbook - Management)
  • The continuity plan should state the specific responsibilities of all parties. (Pg 25, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Define the organizational roles and responsibilities of the contingency plan. (§ 4.7.1 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The Information System Contingency Plan Coordinator must designate teams to implement the strategies that have been selected. All teams should be trained and ready. Recovery team members need to understand the individual procedures the team will execute, the recovery effort goal, and how the interde… (§ 3.4.6, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The contingency plan should be examined to ensure roles and responsibilities are assigned. (CP-2.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Identification of individuals responsible for performing, testing, storing, and restoring backups. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 3 Bullet 5, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The Continuity of Operations plan must define the roles and responsibilities for employees and contractors during a significant event. (SG.CP-3 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Continuity of Operations plan must identify the personnel responsible for leading the recovery and response effort. (SG.CP-3 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a contingency plan and it must address contingency roles and responsibilities and include assigned individuals and their contact information. (App F § CP-2.a Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)