Establish, implement, and maintain system continuity plan strategies.
CONTROL ID
00735
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Include emergency operating procedures in the continuity plan., CC ID: 11694
  • Define and prioritize critical business functions., CC ID: 00736
  • Establish, implement, and maintain Recovery Time Objectives for all in scope services., CC ID: 12241
  • Establish, implement, and maintain Recovery Time Objectives for all in scope systems., CC ID: 11688
  • Define and prioritize critical business records., CC ID: 11687
  • Include the protection of personnel in the continuity plan., CC ID: 06378
  • Establish, implement, and maintain a critical third party list., CC ID: 06815
  • Establish, implement, and maintain a critical resource list., CC ID: 00740
  • Include workstation continuity procedures in the continuity plan., CC ID: 01378
  • Include server continuity procedures in the continuity plan., CC ID: 01379
  • Include website continuity procedures in the continuity plan., CC ID: 01380
  • Include near-line capabilities in the continuity plan., CC ID: 01383
  • Include online capabilities in the continuity plan., CC ID: 11690
  • Include mainframe continuity procedures in the continuity plan., CC ID: 01382
  • Include telecommunications continuity procedures in the continuity plan., CC ID: 11691
  • Include system continuity procedures in the continuity plan., CC ID: 01268
  • Include Internet Service Provider continuity procedures in the continuity plan., CC ID: 00743
  • Include emergency power continuity procedures in the continuity plan., CC ID: 01254
  • Include evacuation procedures in the continuity plan., CC ID: 12773
  • Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan., CC ID: 01374
  • Designate an alternate facility in the continuity plan., CC ID: 00742
  • Include technical preparation considerations for backup operations in the continuity plan., CC ID: 01250
  • Include emergency communications procedures in the continuity plan., CC ID: 00750
  • Use available financial resources for the efficaciousness of the service continuity strategy., CC ID: 01370
  • Include purchasing insurance in the continuity plan., CC ID: 00762
  • Validate information security continuity controls regularly., CC ID: 12008
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • It is important that e-banking services are delivered on a continuous basis with reasonably fast response time, taking into account customers' general expectations. In this connection, AIs should ensure that resilience capability, capacity planning and performance monitoring process of their e-banki… (§ 9.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • It is important that e-banking services are delivered on a continuous basis with reasonably fast response time, taking into account customers' general expectations. In this connection, AIs should ensure that resilience capability, capacity planning and performance monitoring process of their e-banki… (§ 9.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should take appropriate measures having regard to common issues that could lead to disruptions of e-banking. Moreover, AIs should implement proper precautionary measures before and during scheduled maintenance or drills (see Annex B for examples of precautionary measures). (§ 9.5.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should ensure that their controls relating to system resilience and their capacity planning for e-banking cover all related systems and infrastructure components within their institutions as well as those of any relevant service providers to ensure stability, performance and continued system ava… (§ 9.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • O48: For head and branch offices, the organization shall establish and maintain procedures in order to be prepared for any failure or disaster and ensure the smooth operation of unmanned branches. O48.1, O48.2: In order to be prepared for a disaster and/or failure the organization shall ensure the f… (O48, O48.1, O48.2, O63.2, O95, O95.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Continuity—the new application should be able to continue with newer records as addition (or appendage) and help in ensuring seamless business continuity (Critical components of information security 12) (ii) e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Where information assets are managed by service providers, the FI should assess the service provider's disaster recovery capability and ensure disaster recovery arrangements for these information assets are established, tested and verified to meet its business needs. The FI should engage its service… (§ 8.3.4, Technology Risk Management Guidelines, January 2021)
  • Selecting alternate activities and resources that will be used in the event of an outage are talked about. The recommendation is to consider all viable options to find the best and cheapest possible solution. (Pg 76, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The organization should implement recovery strategies and resilience capabilities for all critical Information Technology assets. (Attach B ¶ 3, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Recovery plans should include information on the required resources and timeframes for recovering services. (Attach B ¶ 7(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Recovery plans should include an Information Technology Business Continuity Plan that focuses on the procedures for operating from an alternate site. (Attach B ¶ 7(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Resilience of systems to handle failure of individual components (Attachment G Control Objective Row 9, APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • resources and associated timeframes required in order to recover services; (Attachment B ¶ 7(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • APRA envisages that, for critical IT assets, a regulated institution would implement appropriate resilience capabilities and recovery strategies to cater for scenarios threatening an asset's availability. The level of resilience and recovery capability required by an institution would be based on an… (Attachment B ¶ 3, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Policies, plans, and procedures should be developed to ensure the staff secures classified equipment and material and sanitizes, and in some cases destroys, material and equipment, as necessary, when they must evacuate a site. (§ 3.1.54, Australian Government ICT Security Manual (ACSI 33))
  • focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, a… (3.7.3 84(a), Final Report EBA Guidelines on ICT and security risk management)
  • The time that is required to bring the alternate processes up to speed should be based on the risk and be appropriate for the system and the business process that it supports. (¶ 16, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Preventing unauthorised physical site access and protection against theft, damage, loss and failure of operations. (Section 5.5 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Have documented BC procedures been put in place to manage a disruptive incident, and have continuity activities based on recovery objectives been identified in the BIA? (Operation ¶ 17, ISO 22301: Self-assessment questionnaire)
  • Have measures to reduce the likelihood, duration or impact of a disruption for identified risks been considered and implemented, and are these in accordance with the organization's risk appetite? (Operation ¶ 16, ISO 22301: Self-assessment questionnaire)
  • The CIP objective shall always be taken into account, from when the protection requirements are determined, during the definition of appropriate measures and through to the effective implementation of these measures, including the implementation and regular testing of relevant emergency preparedness… (II.9.60, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The Business Continuity Management program must have the following features: a strategy that is endorsed and supported by Board level management; a program that is appropriate for the complexity and size of the organization; plans to manage the impact and recovery of events; plans are exercised, rev… (Security Policy No. 7 ¶ 4, HMG Security Policy Framework, Version 6.0 May 2011)
  • The entity has established policies and procedures that prevent, detect and react to system outages, incidents and events that disrupt system processing, or results in the loss, accidental disclosure or unauthorized modification of the entity's PI. (S7.4 Continuity of physical and environmental protections, Privacy Management Framework, Updated March 1, 2020)
  • The development of the continuity plan should consider different scenarios to which the organization may be vulnerable. (¶ 42, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The required time for commencing the alternative arrangements should be related to the urgency of the need to use the alternative arrangements. (¶ 15, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • The organization should implement a business continuity plan for program operations, including information system(s)(electronic and paper) that identifies how business continuity is maintained given various lengths of time information systems are not functioning or accessible. (CORE -14(b), URAC Health Utilization Management Standards, Version 6)
  • The organization should implement a business continuity plan for program operations, including information system(s)(electronic and paper) that is tested at least every two years. (CORE - 14(c), URAC Health Utilization Management Standards, Version 6)
  • Provide the required capacity and performance, taking into account aspects such as normal workloads, contingencies, storage requirements and IT resource life cycles. Provisions such as prioritising tasks, fault-tolerance mechanisms and resource allocation practices should be made. Management should … (DS3.4 IT Resources Availability, CobiT, Version 4.1)
  • Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT continge… (DS4.1 IT Continuity Framework, CobiT, Version 4.1)
  • The goal of a strategy is to offer functional alternative operation methods after an interruption occurs that will enable the organization's critical business processes to continue running. Ideally the strategy should have three levels to it. Each level addresses different key needs. The most genera… (Stage 2, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Business recovery and continuity strategies solutions may include using manual work processes; outsourcing some of the work; developing a disaster recovery plan for IT; identifying alternative staffing; and identifying alternative facilities. (§ 5.4 ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization must define and document the scope of the organizational resilience management system. The scope must be defined in terms of the organization's nature, size, and complexity from a continual improvement perspective. The organization must develop logistical procedures and capabilities… (§ 4.1.1 ¶ 1, § 4.1.1 ¶ 2(e), § 4.4.1 ¶ 4(b), § 4.4.1 ¶ 4(c), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The emergency operations plan should set the organization's priorities. (Revised Volume 3 1-I-14, Protection of Assets Manual, ASIS International)
  • Comprehensive continuity and contingency plans should be developed to deal with the possible loss of the Public Key Infrastructure (e.g., as a result of a disaster). (CF.08.06.09a, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including stakeholder requirements (e.g., to maintain business operations and comply with legal, regulatory, and contractual requirements relating to Business Continuity). (CF.20.01.04c, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should help to ensure that systems supporting critical business processes can be recovered in acceptable timeframes. (CF.20.01.05e, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should help to ensure that sensitive information is not disclosed to unauthorized parties and critical information is not corrupted. (CF.20.01.05f, The Standard of Good Practice for Information Security)
  • The Business Continuity program should apply across the organization and require each individual business environment to build resilient business applications and a resilient technical infrastructure (e.g., duplicate Information Systems and networks) to support critical business processes and protec… (CF.20.02.05c, The Standard of Good Practice for Information Security)
  • The Business Continuity Management team should maintain a central inventory for each individual business environment, which includes details about business continuity arrangements. (CF.20.02.06c, The Standard of Good Practice for Information Security)
  • Comprehensive continuity and contingency plans should be developed to deal with the possible loss of the Public Key Infrastructure (e.g., as a result of a disaster). (CF.08.06.09a, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including stakeholder requirements (e.g., to maintain business operations and comply with legal, regulatory, and contractual requirements relating to Business Continuity). (CF.20.01.04c, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity strategy should help to ensure that systems supporting critical business processes can be recovered in acceptable timeframes. (CF.20.01.05e, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity strategy should help to ensure that sensitive information is not disclosed to unauthorized parties and critical information is not corrupted. (CF.20.01.05f, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should apply across the organization and require each individual business environment to build resilient business applications and a resilient technical infrastructure (e.g., duplicate Information Systems and networks) to support critical business processes and protec… (CF.20.02.05c, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity Management team should maintain a central inventory for each individual business environment, which includes details about business continuity arrangements. (CF.20.02.06c, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for business resiliency and operational continuity to manage the risks of minor to catastrophic business disruptions. These policies, procedures, processes, and measures must protect t… (BCR-10, Cloud Controls Matrix, v3.0)
  • Business Continuity Planning. An organization should implement safeguards to protect business, especially critical business processes, from the effects of major failures or disasters and to minimize the damage caused by such events, an effective business continuity, including contingency planning/di… (¶ 8.1.6(1), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The availability requirements and service continuity requirements shall include the service response times. (§ 6.3.1 ¶ 2(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • information and communication technology (ICT) systems; (§ 8.3.4 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • A business continuity risk assessment should be conducted to identify all events that could cause a disruption, such as equipment failure, natural disaster, or human error. The risk assessment should identify, quantify, and prioritize the risks against criteria, such as allowable outage times, busin… (§ 14.1.2, ISO 27002 Code of practice for information security management, 2005)
  • ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. (§ 5.30 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • When planning and executing incident response and recovery activities, the organization takes into consideration sector-wide impact of its systems and puts a priority on response and recovery activities for those systems ahead of the other systems. (DM.RS-2.5, CRI Profile, v1.2)
  • A planning process must be followed to develop plans for the prevention, strategy, emergency operations/response, mitigation, business continuity, and recovery of the organization. The planning process must occur regularly and when changes have been made that makes the existing plan inaccurate. Key … (§ 5.8.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • When there are dependencies upon critical service providers, does the Business Continuity and Disaster Recovery program include capabilities adequate to support the plan by SAS 70 reviews? (§ K.1.2.15.4, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization should develop a contingency plan. (§ 2-3.a(9), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • If a CMS business partner's data center is linked to other CMS business partners in order to transmit Medicare data, the contingency planning shall include links for receiving input, exchanging files, and distributing output. If the CMS business partner is using alternate/backup IT systems capabilit… (App A § 4.2, CMS Business Partners Systems Security Manual, Rev. 10)
  • plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. (§ 3554(b)(8), Federal Information Security Modernization Act of 2014)
  • The Information System Security Manager (ISSM) must develop a disaster recovery plan that identifies the essential information and applications used by the organization. (§ 8-615, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Internal systems and business processes. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Address personnel, processes, technology, and facility issues. (IV Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management has evaluated strategies and resource needs and allocates appropriate resources to achieve resilience: (App A Objective 6:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Include alternatives for any proprietary systems. (IV Action Summary ¶ 2 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Alternatives for payment systems, facilities and infrastructure, data center(s), and branch relocation during a disaster. (V Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management considers scalability. (App A Objective 8:5b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Assess management's protocols for operations continuity and system recovery. Verify that procedures are clear, concise, accessible, and can be implemented in an emergency. Verify the BCP includes procedures for the following: (App A Objective 8:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP lists alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. (App A Objective 8:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Uses infrastructure that supports varying levels of resilience depending on the criticality of the systems and software to ongoing business operations. (App A Objective 8:2d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluation of approaches to implement and build security and resilience throughout its architecture. (App A Objective 12:6a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Analysis of the functionality, including security and resilience, of legacy systems and identification of gaps. (App A Objective 12:6b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management designs, implements, and operates its IT systems and processes to provide resilience for critical business activities. Assess whether management does the following: (App A Objective 8:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • States that the organization should establish a continuity planning process to prioritize the critical operations and business objectives essential for recovery. The continuity strategy should include personnel, technology, facilities, manual operations, and communications requirements. (Pg 5, Pg G-1, Exam Tier I Obj 4.5, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 5.5, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Assess to what degree imaging has been included in the business continuity planning process, and if the business units reliant upon imaging systems are involved in the BCP process. (Exam Tier I Obj 9.5, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should ensure the service provider can maintain the confidentiality of the data during an emergency. (Pg 27, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization and service providers should develop and implement continuity plans. (Pg 34, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federa… (Exam Tier II Obj 10.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The joint authorization board must approve and accept the time period for recovery to an alternate processing site. (Column F: CP-7a, FedRAMP Baseline Security Controls)
  • The service provider must define a time period for recovery of telecommunications services that is consistent with the Business Impact Analysis. (Column F: CP-8, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the time period for recovery of the telecommunications services. (Column F: CP-8, FedRAMP Baseline Security Controls)
  • The organization must develop and implement a contingency plan. (Exhibit 4 CP-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Business Continuity Plan and/or the Disaster Recovery Plan address the timely recovery of Information Technology functions in the event of a disaster? (IT - Business Continuity Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has management established the maximum allowable downtime for the identified critical business functions? (IT - Business Continuity Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should create contingency strategies to mitigate risks for contingency planning controls and cover backup and recovery, contingency planning and testing, and on-going maintenance. Several things should be considered, regardless of the platform or type of system, when technical solut… (§ 3.4, § 5.1, § 5.5, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The organization to select a contingency planning strategy based on practical considerations, including feasibility and cost. Risk assessment can be used to help estimate the cost of options to decide on an optimal strategy. For example, is it more expensive to purchase and maintain a generator or t… (§ 3.6.4, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The critical tasks in managing a network in an ICS environment are ensuring reliability and availability to support safe and efficient operation. In regulated industries, regulatory compliance can add complexity to security and authentication management, registry and installation integrity managemen… (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should ensure contingency plans include the mobile handheld devices owned by the organization. (Pg ES-2, § 4.2.2, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. (T0548, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop a contingency plan and it must provide recovery objectives, restoration priorities, and metrics. (App F § CP-2.a Bullet 2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update formal, documented procedures for implementing the Contingency Planning policy and its associated controls. (App F § CP-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should provide compensating security controls for circumstances that could interfere with recovery and reconstitution to a known state. (App F § CP-10(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must protect the system from harm by considering the mean time to failure for defined components in specific operational environments. (App F § SI-13.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must provide substitute components, when needed, and mechanisms to exchange the component active roles and standby roles. (App F § SI-13.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. (T0548, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops a contingency plan for the information system that provides recovery objectives, restoration priorities, and metrics. (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that provides recovery objectives, restoration priorities, and metrics. (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that provides recovery objectives, restoration priorities, and metrics. (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that provides recovery objectives, restoration priorities, and metrics. (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Bank systems should reduce bank vulnerability to system failures, unauthorized intrusions, and other problems. Back-up systems should be maintained and tested on a regular basis to minimize the risk of system failures and unauthorized intrusions. System failures and unauthorized intrusions may resul… (¶ 38, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Review the organization's cyber recovery plan annually. Update as necessary. (Table 2: Improvements Baseline Security Measures Cell 1, Pipeline Security Guidelines)