Identify all critical business records.


CONTROL ID
00737
CONTROL TYPE
Records Management
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define and prioritize critical business records., CC ID: 11687

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Each BCP should clearly identify information deemed vital for recovery of critical business and support functions in the event of a disaster and the relevant protection measures. Vital information includes that stored on both electronic or non-electronic media (e.g. paper records). (4.6.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • When designing and planning the security process the organization should estimate the importance of the business processes, specialized tasks, and information. (3.2 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • identify data they may need to access, recover, or transfer as a priority in a disruption or stressed exit; and (§ 10.17 Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • The identity and location of critical files and the ability to conduct backups of user-level and system-level information (including system state information) shall be supported by the control system without affecting normal plant operations. (11.5.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Information protection champions should support local information security coordinators by facilitating information security-related activities, such as identifying critical and sensitive information. (CF.12.02.05a, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be identified. (CF.03.03.02a-1, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be documented. (CF.03.03.02a-2, The Standard of Good Practice for Information Security)
  • Information protection champions should support local information security coordinators by facilitating information security-related activities, such as identifying critical and sensitive information. (CF.12.02.05a, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be identified. (CF.03.03.02a-1, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be documented. (CF.03.03.02a-2, The Standard of Good Practice for Information Security, 2013)
  • The responsible entity shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. (§ R.4, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • Does the Business Continuity and Disaster Recovery program include identification of vital records necessary for recovery? (§ K.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. (Exam Tier I Obj 10.7 (Testing Strategies), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determin… (Bullet 6: Incident Response, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)