Establish, implement, and maintain a critical personnel list.


CONTROL ID
00739
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Include the protection of personnel in the continuity plan., CC ID: 06378

This Control has the following implementation support Control(s):
  • Identify alternate personnel for each person on the critical personnel list., CC ID: 12771
  • Define the triggering events for when to activate the pandemic plan., CC ID: 06801


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The contingency plan must include arrangements for reserving or activating substitute staff in the event of unforeseen circumstances. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. (App 2-1 Item Number VI.4.2(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O62.1: The organization shall designate at least a primary and secondary responsible person to contact and come to the office when a failure and/or disaster occurs and review these selections regularly. For the computer center, the organization shall designate computer center operation managers and … (O62.1, O63.2(4), O65.3(3), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Talks about identifying and handling critical personnel within an organization. Business continuity plans should address: how to communicate with employees; human resource issues such as short term replacements and training issues relating to the disaster event; psychological effects of disruption on … (Pg 40, Pg 41, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Has the organization identified authorized personnel to manage contingency plans? (Table Row XII.21, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Appropriate strategies should be identified for maintaining core skills and knowledge. These should extend beyond employees to contractors and stakeholders who have extensive specialist skills and knowledge. Strategies for providing or protecting these skills include: multi-skill training; documenti… (§ 7.3, § 8.3.3, § 8.7.3(a), § 8.7.4, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Incident response personnel must be nominated by the organization. The nominees must have the necessary responsibility, authority, and competence to manage an incident. (§ 4.3.2.1, BS 25999-2, Business continuity management. Specification, 2007)
  • A full description of the incident management team and the constituent specialist recovery teams for services, platforms, and facilities should be included in the continuity plan. The plan should include each member's roles and responsibilities, along with his/her contact information. (§ 8.4.5, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Alternative staffing required for business continuity. Personnel outside the likely impacted area should be identified, and if there are none, consider increasing staffing levels in the primary region. Consider also how many people will be needed to perform a specific job and multiply that number by… (§ 5.4.A, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Business continuity plans should identify personnel responsibilities and individuals accountable for the continuity process. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should include a list of all key personnel and aid agencies and their contact details when it develops its incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(p), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about key internal and external stakeholders (inclu… (CF.20.02.02d, The Standard of Good Practice for Information Security)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about key internal and external stakeholders (inclu… (CF.20.02.02d, The Standard of Good Practice for Information Security, 2013)
  • A process to identify key personnel for each critical business function and transition their duties to others in the event they become ill or unable to perform their respective duties. (4.8, Pandemic Response Planning Policy)
  • Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other… (CIS Control 17: Safeguard 17.2 Establish and Maintain Contact Information for Reporting Security Incidents, CIS Controls, V8)
  • a list of key personnel and aid agencies, including contact details, e.g. fire department and spillage clean-up services; (8.2 ¶ 4 Bullet 10, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization needs to identify individuals and deputies to perform the following functions: a person to determine how to address the failure or disaster; the team composition who will make the decision to activate the disaster recovery plan; and the person who activates the use of third parties.… (§ 7.2 ¶ 5, § 7.2 ¶ 6(b), § 7.15.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • All personnel involved in the continuity process should be identified in the continuity plan with a description of their duties. (§ 14.1.1, § 14.1.4, ISO 27002 Code of practice for information security management, 2005)
  • Establish an incident management team, including rapid deployment of designated staff from national and partner organizations, within a public health emergency operation centre (PHEOC) or equivalent if available (Pillar 1 Step 2 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Establish dedicated and equipped teams and ambulances to transport suspected and confirmed cases, and referral mechanisms for severe cases with co-morbidity (Pillar 7 Step 2 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • In addition, organizations must continually identify and evaluate those roles that are essential to achieving strategy and business objectives. The decision of whether a role is essential is made by assessing the consequences of having that role temporarily or permanently unfilled. The question need… (Attracting, Developing, and Retaining Individuals ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Roles and responsibilities for internal dependency management are defined and assigned. (DM.ID-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The business continuity plan should define emergency contact personnel roles in the event of a significant business disruption. These personnel must be a registered principal and member of senior management. A minimum of two such personnel is required. (R 3520, NASD Manual)
  • When there are dependencies upon critical service providers, does the Business Continuity and Disaster Recovery program include contact information for key personnel which is updated at least annually? (§ K.2.15.1, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include identification of personnel? (§ K.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The contingency plan must clearly assign recovery responsibilities and provide backup personnel. (CSR 5.2.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; (§242.1004 ¶ 1(a), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • People. (App A Objective 4:2a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The service provider should ensure it has enough staff to provide for the resumption of services at the alternate site. (Exam Tier I Obj 5.1, Exam Tier I Obj 10.7 (Testing Strategies), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The service provider should ensure it has enough staff to provide for the resumption of services at the alternate site. (Pg 27, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Personnel must be defined that are associated with previously determined critical operations. (SC-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider must develop a list of key contingency organizational elements and key contingency personnel (by name and/or by role), including designated Federal Risk and Authorization Management Program personnel. (Column F: CP-2f, FedRAMP Baseline Security Controls)
  • The service provider must develop a list of key contingency organizational elements and key contingency personnel (by name and/or by role), including designated federal risk and authorization management program personnel. (Column F: CP-2b, FedRAMP Baseline Security Controls)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., FedRAMP Security Controls High Baseline, Version 5)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., FedRAMP Security Controls Low Baseline, Version 5)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Does the Business Continuity Plan or Disaster Recovery Plan identify the critical plan personnel and their backups? (IT - Business Continuity Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Critical personnel ought to be identified and included in the business continuity plan. The standards are not specific regarding roles and responsibilities. (§ 3.6.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The contingency plan should be examined to ensure critical roles and responsibilities are identified and assigned. (CP-2.2, CP-3.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Personnel list for authorized physical and cyber access to the ICS. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 1 Bullet 6, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Names and contact information of team members; (§ 3.6 ¶ 2 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel to be notified should be clearly identified in the contact lists appended to the plan. This list should identify personnel by their team position, name, and contact information (e.g., home, work, cell phone, email addresses, and home addresses). An entry may resemble the following format: (§ 4.2.2 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Management should establish a communications plan that designates key personnel and outlines a program for employee notification. (¶ 39, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Identify the primary and alternate security manager or officer responsible for executing and maintaining the plan; (3.1 ¶ 1 Bullet 1, Pipeline Security Guidelines)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., TX-RAMP Security Controls Baseline Level 1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., TX-RAMP Security Controls Baseline Level 2)