Define and prioritize critical business functions.
CONTROL ID
00736
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Review and prioritize the importance of each business unit., CC ID: 01165
  • Review and prioritize the importance of each business process., CC ID: 11689
  • Document the mean time to failure for system components., CC ID: 10684
  • Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities., CC ID: 12759


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Based on the business impact analysis, the business and support functions should be able to define the minimum level of critical services to be delivered in the event of a disaster. (3.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The organization should consider reducing or shutting down business services in developing failure/disaster recovery routines. (O63.2(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • An important aspect of a business impact analysis (BIA), is creating a list that ranks the organization's key business processes. The list should contain details such as the rank each process is assigned, what activities are undertaken within each process and what resources each activity requires. P… (Pg 32, Pg 33, Pg 74, Workbook Pg 8 thru Workbook Pg 10, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualit… (3.7.1 78, Final Report EBA Guidelines on ICT and security risk management)
  • identifies the critical ICT processes and the relevant supporting ICT systems that should be part of the business resilience and continuity plans with: (Title 3 3.3.4(a) 54.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • As part of the process to identify the ICT risks with a potential significant prudential impact on the institution, competent authorities should review documentation from the institution and form an opinion on which ICT systems and services are critical for the adequate functioning, availability, co… (Title 3 3.2.2 40., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • To this end, competent authorities should review the methodology and processes applied by the institution to identify the ICT systems and services that are critical, taking into consideration that some ICT systems and services may be considered critical by the institution from a business continuity … (Title 3 3.2.2 41., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; (4.7 42(c)(ii), Final Report on EBA Guidelines on outsourcing arrangements)
  • outsourcing of critical or important functions and other outsourcing arrangements; (4.7 43(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; (4.12.2 68(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; (4.12 61(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in th… (4.13.1 77, Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availabilit… (4.14 100, Final Report on EBA Guidelines on outsourcing arrangements)
  • For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related op… (4.13.3 88, Final Report on EBA Guidelines on outsourcing arrangements)
  • Thus, it is reasonable to create a relationship between the business processes and the value creation of an organisation and the information to be protected as well as the employed IT and/or the employed applications. For this, the business processes and their dependence on the most important applic… (§ 8.1.2 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If the existing budget or staffing resources are not sufficient to be able to implement all the required safeguards immediately, corresponding prioritisation must be defined. (§ 9.3 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Determination of the priorities for the restoration (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 7, Cloud Computing Compliance Controls Catalogue (C5))
  • Identification of critical products and services (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Do the plans detail how to communicate with interested parties, including the media, during the disruption and how to prioritize activities? (Operation ¶ 29, ISO 22301: Self-assessment questionnaire)
  • Critical business processes and alternative mechanisms should be identified to resume service in case of an outage. (¶ 43, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Information that is vital to the operations of the organization should be protected and recoverable in the assigned timeframes. Information that is required to enable delivering the organization's critical activities should have appropriate availability, integrity, confidentiality, and currency. (§ 7.6, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The level of service the business expects from the IT department should be defined by the organization. This definition should clearly define priorities, allowing the IT Head to determine which services require greater protection, redundancy, and resilience over the others. All business processes an… (§ 5.2 ¶ 6, § 7 ¶ 1, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Critical business functions are defined as activities and processes that are essential for ensuring continuity of business critical activities. Prior to conducting an examination of functions, it is necessary to understand the organization's business well enough to answer these five questions: What … (Stage 1, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Consider options to have work done by an outside provider. Figure out the degree of quality and consistency required for each function and determine options that could work but might not exactly meet specifications; outsource work to suppliers; and establish reciprocal agreements with competitors wh… (§ 5.4.B ¶ 1, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Business continuity plans should identify critical applications and processes, along with the acceptable downtime levels. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The scope of the organizational resilience management system must define the organizational boundaries: the entire organization or one or more of its parts. (§ 4.1.1 ¶ 2(a), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including requirements for protecting the integrity of information (e.g., against corruption) and the confidentiality of information (e.g., against unauthorized disclosure). (CF.20.01.04d, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including major business environments (including the culture of local environments and the jurisdictions in which those environments operate), critical business processes, and products / services offered. (CF.20.01.04f, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including requirements for protecting the integrity of information (e.g., against corruption) and the confidentiality of information (e.g., against unauthorized disclosure). (CF.20.01.04d, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including major business environments (including the culture of local environments and the jurisdictions in which those environments operate), critical business processes, and products / services offered. (CF.20.01.04f, The Standard of Good Practice for Information Security, 2013)
  • protecting prioritized activities, (§ 8.3.1 ¶ 2 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • prevention of further loss or unavailability of prioritized activities; (§ 8.4.4 ¶ 2 c) 3), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • All assets involved in critical business processes should be identified and included in the business continuity plan. (§ 14.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. (§ 8.2.2 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Identify and support critical functions that must continue during a widespread outbreak of COVID-19 (e.g. water and sanitation; fuel and energy; food; telecommunications/internet; finance; law and order; education; and transportation), necessary resources, and essential workforce (Pillar 8 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The organization's cyber resilience strategy addresses the organization's obligations for performing core business functions including those performed for the financial sector as a whole, in the event of a disruption, including the potential for multiple concurrent or widespread interruptions and cy… (DM.RS-2.2, CRI Profile, v1.2)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (Business Environment (DM.BE), CRI Profile, v1.2)
  • The organization's cyber resilience strategy addresses the organization's obligations for performing core business functions including those performed for the financial sector as a whole, in the event of a disruption, including the potential for multiple concurrent or widespread interruptions and cy… (DM.RS-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders during cybersecurity incidents and cyber attacks (e.g., propagation of malware or corrupted data). (DM.RS-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Cyber resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations). (DM.BE-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • In response to an incident, it may be necessary to break the connections between different network segments. In that event, the services necessary to support essential operations should be maintained in such a way that the devices can continue to operate properly and/or shutdown in an orderly manner… (9.3.2 ¶ 4, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Does the Business Continuity and Disaster Recovery program include any dependencies upon critical service providers? (§ K.1.2.15, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization must document a list of critical operations, applications, and data. The document must prioritize the data and operations, reflect the current conditions, and be approved by senior program managers. (CSR 5.3.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must identify the mission essential functions, the business essential functions, and the assets that support the mission essential functions and business essential functions in order to plan for priority restoration. (COEF-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The criticality of specific data and applications that support other contingency plan components shall be assessed. The covered entity shall assess this to determine if it is a reasonable and appropriate safeguard in the environment and, if it is reasonable and appropriate, then implement it, or doc… (§ 164.308(a)(7)(ii)(E), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. (§ 164.308(a)(7)(ii)(E), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact… (Business Impact Analysis, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business conti… (Business Continuity Planning Process, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Identification of critical business functions. (III.A Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management developed an appropriate and repeatable BIA process that identifies all business functions and prioritizes them in order of criticality, analyzes related interdependencies, and assesses a disruption's impact. (III.A, "Business Impact Analysis") (App A Objective 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Management should develop a BIA that identifies all business functions and prioritizes them in order of criticality, analyzes related interdependencies among business processes and systems, and assesses a disruption's impact through established metrics. The BIA should define recovery priorities and … (III.A Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Prioritization and procedures to recover functions, services, and processes. (App A Objective 8:1e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • All critical functions should be defined for each department. The following are some questions departments should ask themselves when defining the critical functions: What interdependencies exist? If specialized equipment is used, how is it used? If a network or the Internet were not available, how … (Pg 10, Exam Tier I Obj 8.7, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Critical data and operations should be identified and prioritized. Effective hardware maintenance, problem management and change management help prevent unexpected interruptions. (SC-1.1, SC-2.4, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider must develop a list of key contingency organizational elements and key contingency personnel (by name and/or by role), including designated federal risk and authorization management program personnel. (Column F: CP-2b, FedRAMP Baseline Security Controls)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., FedRAMP Security Controls High Baseline, Version 5)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., FedRAMP Security Controls Low Baseline, Version 5)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Are critical business functions identified and prioritized in the Business Continuity Plan? (IT - Business Continuity Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.1.1 Bullet 3: Analyze the business function of all Information System elements as necessary. § 4.7.2 Bullet 2: Identify the business critical activities involving ePHI. § 4.7.2 Bullet 3: Identify the critical services or operations involving ePHI. (§ 4.1.1 Bullet 3, § 4.7.2 Bullet 2, § 4.7.2 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The first step of the Business Impact Analysis is to determine the business processes and recovery criticality. The Information System Contingency Plan Coordinator should coordinate with internal and external points of contact and management to identify and validate which business processes depend o… (§ 3.2.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should identify mission or business-critical functions. The identification of critical functions is often called a business plan. (§ 3.6.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identify and prioritize critical business functions in collaboration with organizational stakeholders. (T0108, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event. (T0050, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability. (T0109, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine mission/business processes and recovery criticality. Mission/Business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that … (§ 3.2 ¶ 2 (1), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event. (T0050, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify and prioritize critical business functions in collaboration with organizational stakeholders. (T0108, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability. (T0109, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops a contingency plan for the information system that identifies essential missions and business functions and associated contingency requirements. (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that identifies essential missions and business functions and associated contingency requirements. (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that identifies essential missions and business functions and associated contingency requirements. (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that identifies essential missions and business functions and associated contingency requirements. (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identifies essential mission and business functions and associated contingency requirements; (CP-2a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; (CP-2a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated (GV.OC-04, The NIST Cybersecurity Framework, v2.0)
  • Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms (RC.RP-04, The NIST Cybersecurity Framework, v2.0)
  • Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determin… (Bullet 6: Incident Response, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Regulations should be performance-based, leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance—including the Cybersecurity and Infrastructure Security Agency (CISA)'s Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) Fra… (STRATEGIC OBJECTIVE 1.1 Subsection 1 ¶ 2, National Cybersecurity Strategy)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., TX-RAMP Security Controls Baseline Level 1)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., TX-RAMP Security Controls Baseline Level 1)
  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (CP-2a.4., TX-RAMP Security Controls Baseline Level 2)
  • Identifies essential missions and business functions and associated contingency requirements; (CP-2a.1., TX-RAMP Security Controls Baseline Level 2)