Back

Establish, implement, and maintain a critical resource list.


CONTROL ID
00740
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Define and maintain continuity Service Level Agreements for all critical resources., CC ID: 00741
  • Establish and maintain a core supply inventory required to support critical business functions., CC ID: 04890


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Business resumption very often relies on the recovery of technology resources that include applications, hardware equipment and network infrastructure as well as electronic records. The technology requirements that are needed during recovery for individual business and support functions should be sp… (4.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Talks about defining critical resources. Resources include people, infrastructure, assets and supplies and finance. When identifying resources, use this checklist to be sure nothing is overlooked: Document and confirm organizational objectives and outputs List key business processes that underpin ac… (Pg 35, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The organization should clearly identify the relevant Information Technology assets in the recovery strategies, plans, and agreements to ensure it maintains control over them. (Attach B ¶ 17(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • documentation that clearly identifies the relevant IT assets (e.g. an asset inventory and systems architecture diagrams); (Attachment B ¶ 17(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • As part of the overall business continuity policy, financial entities shall conduct a business impact analysis (BIA) of their exposures to severe business disruptions. Under the BIA, financial entities shall assess the potential impact of severe business disruptions by means of quantitative and qual… (Art 11.5., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Estimation of the resources required for recovery (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 10, Cloud Computing Compliance Controls Catalogue (C5))
  • Have the resource requirements for the selected strategy options been determined, including people, information and data, infrastructure, facilities, consumables, IT, transport, finance and partner/supplier services? (Operation ¶ 15, ISO 22301: Self-assessment questionnaire)
  • Have you determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated? (Performance evaluation ¶ 1, ISO 22301: Self-assessment questionnaire)
  • Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT continge… (DS4.1 IT Continuity Framework, CobiT, Version 4.1)
  • Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritised business needs, while ensuring that … (DS4.3 Critical IT Resources, CobiT, Version 4.1)
  • The resources that will be required to resume services should be estimated by the organization. The resources may include the following: the numbers, skills, and knowledge of required staff; required facilities and work sites; any supporting plant and equipment technology; external suppliers and ser… (§ 6.4, § 7.5.2, § 8.7.3, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The key products and services within the scope of the business continuity management system must be identified. (§ 3.2.1.2, BS 25999-2, Business continuity management. Specification, 2007)
  • The level of data availability is ruled by the underlying storage hardware and the features used to protect the stored data. These features include redundant array of independent disks (RAID), direct attached storage (DAS), network attached storage (NAS), and storage area networks (SAN). This sectio… (Annex E.3, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • When defining the scope of the organizational resilience management system, the organization must think about critical functions, assets, objectives, products, and services. (§ 4.1.1 ¶ 2(c), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Standards / procedures should cover identifying the organization's critical infrastructure. (CF.08.03.02a, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover determining the Information Systems that support or enable the critical infrastructure. (CF.08.03.02b, The Standard of Good Practice for Information Security)
  • A review should be performed to identify the Information Systems that support or enable critical infrastructure (e.g., Supervisory Control and Data Acquisition systems, process control personal computers, and embedded systems). (CF.08.03.03b, The Standard of Good Practice for Information Security)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the types and classification of information processed by each critical Information System. (CF.08.03.05a, The Standard of Good Practice for Information Security)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the owner(s) of each critical Information System. (CF.08.03.05b, The Standard of Good Practice for Information Security)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the location and function of each critical Information System. (CF.08.03.05c, The Standard of Good Practice for Information Security)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the level of criticality of each Information System. (CF.08.03.05d, The Standard of Good Practice for Information Security)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the interrelationship (and any dependencies) with other Information Systems. (CF.08.03.05e, The Standard of Good Practice for Information Security)
  • Critical infrastructure security controls should include methods of reviewing critical infrastructure and supporting Information Systems on a regular basis (e.g., every six months) to identify if and when it is no longer critical. (CF.08.03.07c, The Standard of Good Practice for Information Security)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about underlying technical infrastructure (e.g., In… (CF.20.02.02c, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover identifying the organization's critical infrastructure. (CF.08.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover determining the Information Systems that support or enable the critical infrastructure. (CF.08.03.02b, The Standard of Good Practice for Information Security, 2013)
  • A review should be performed to identify the Information Systems that support or enable critical infrastructure (e.g., Supervisory Control and Data Acquisition systems, process control personal computers, and embedded systems). (CF.08.03.03b, The Standard of Good Practice for Information Security, 2013)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the types and classification of information processed by each critical Information System. (CF.08.03.05a, The Standard of Good Practice for Information Security, 2013)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the owner(s) of each critical Information System. (CF.08.03.05b, The Standard of Good Practice for Information Security, 2013)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the location and function of each critical Information System. (CF.08.03.05c, The Standard of Good Practice for Information Security, 2013)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the level of criticality of each Information System. (CF.08.03.05d, The Standard of Good Practice for Information Security, 2013)
  • Details recorded about Information Systems that support or enable critical infrastructure should include the interrelationship (and any dependencies) with other Information Systems. (CF.08.03.05e, The Standard of Good Practice for Information Security, 2013)
  • Critical infrastructure security controls should include methods of reviewing critical infrastructure and supporting Information Systems on a regular basis (e.g., every six months) to identify if and when it is no longer critical. (CF.08.03.07c, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about underlying technical infrastructure (e.g., In… (CF.20.02.02c, The Standard of Good Practice for Information Security, 2013)
  • resource needs, (§ 9.3 ¶ 4 d) 7, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the resource requirements; (§ 8.4.4.3 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall determine the resource requirements to implement the selected business continuity solutions. The types of resources considered shall include, but not be limited to: (§ 8.3.4 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • equipment and consumables; (§ 8.3.4 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • transportation and logistics; (§ 8.3.4 ¶ 1 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • During the continuity plan risk assessment, all critical resources should be identified. (§ 14.1.1, § 14.1.2, ISO 27002 Code of practice for information security management, 2005)
  • The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives. The following factors, and the relationship between these factors, should be considered: - tangible and intangible sources of risk; - causes and events; - threats and opportunities; -… (§ 6.4.2 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • top management should assess resource needs during management reviews and set objectives for continual improvement and for monitoring effectiveness of planned activities; and (§ 5.1 Guidance ¶ 1(g), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization's resources (e.g., hardware, devices, data, and software) are prioritized for protection based on their sensitivity/classification, criticality, vulnerability, business value, and importance to the organization. (ID.AM-5.2, CRI Profile, v1.2)
  • The organization's resources (e.g., hardware, devices, data, and software) are prioritized for protection based on their sensitivity/classification, criticality, vulnerability, business value, and importance to the organization. (ID.AM-5.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The business continuity plan should define all "mission critical systems" necessary for complete processing of securities transactions including customer account maintenance and delivery of funds. (R 3510, NASD Manual)
  • Resource management objectives consistent with the overall program (disaster/emergency management and business continuity programs) goals and objectives for the identified hazards must be established by the organization. Procedures must be developed to locate, acquire, test, distribute, maintain, st… (§ 5.6, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Does the Business Continuity and Disaster Recovery program include identification of applications? (§ K.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include identification of equipment? (§ K.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include identification of facilities? (§ K.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization must identify and document the key resources that support critical and sensitive operations. The types of resources to identify include computer hardware, software, and supplies; system documentation; telecommunications; human resources; and office facilities and supplies. (CSR 5.8.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Management should develop a BIA that identifies all business functions and prioritizes them in order of criticality, analyzes related interdependencies among business processes and systems, and assesses a disruption's impact through established metrics. The BIA should define recovery priorities and … (III.A Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Review and verify that the written BCP: ▪ Addresses the recovery of each business unit/department/function/application: - According to its priority ranking in the risk assessment; - Considering interdependencies among systems; and - Considering long-term recovery arrangements. ▪ Addresses the re… (Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • IT resources should meet the operational needs of the organization. Management should coordinate the following IT resources: infrastructure, operating software, application software, hardware, and personnel. (Pg 19, Exam Obj 5.1, FFIEC IT Examination Handbook - Management)
  • The organization should ensure it knows which of its services rely on service providers, including key telecommunication providers and network service providers. (Pg 25, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Assess the adequacy of the financial institution's business continuity plans for a partial or complete failure of each retail payment system. Determine whether the plans include: • Recovery of all required components linking the institution with third-party network switch, gateway, or related thir… (Exam Tier II Obj 5.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Data criticality is defined for security purposes and for inclusion in the business continuity plan. It further requires that any other resources be defined that support previously determined vital business operations and data. Specifically, resources supporting critical data include: Hardware S… (SC-1.1, SC-1.2, SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identify critical system assets supporting [Selection: all; essential] mission and business functions. (CP-2(8) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Identify critical system assets supporting [Selection: all; essential] mission and business functions. (CP-2(8) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Identifying the organization's resources is the second step of the Business Impact Analysis. The Information System Contingency Plan Coordinator, working with internal and external points of contact and management, should identify all of the information system resources. These resources will be need… (§ 3.2.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Identify critical system assets supporting [Selection: all; essential] mission and business functions. (CP-2(8) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Identify critical system assets supporting [Selection: all; essential] mission and business functions. (CP-2(8) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • It is recommended that the C-SCRM PMO have the lead responsibility of coordinating with mission and business process and budget officials to build out and maintain a multi-year C-SCRM program budget that captures both recurring and non-recurring resource requirements and maps those requirements to a… (3.6. ¶ 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Identify critical system assets supporting [Selection: all; essential] mission and business functions. (CP-2(8) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • (§ 3.6.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Assist in identifying, prioritizing, and coordinating the protection of critical cyber defense infrastructure and key resources. (T0261, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • In this step, the system is analyzed in its operational context from two perspectives. First, a mission or business function perspective is applied to identify critical resources (i.e., those resources for which damage or destruction would severely impact operations) and sources of system fragility.… (3.2.3 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • A critical resource can be a resource for which damage (e.g., corruption or reduced availability), denial of service, or destruction results in the inability to complete a critical task. In addition, if a resource is used in multiple tasks, it can be highly critical overall even if it is not critica… (3.2.3.1 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Resource requirements; (§ 3.1 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, soft… (§ 3.2 ¶ 2 (2), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes as quickly as possible. Working with management and internal and external POCs associated with the system, the ISCP Coordinator should ensure that the complete information system r… (§ 3.2.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When evaluating the choices, the ISCP Coordinator should consider that purchasing equipment when needed is cost-effective but can add significant overhead time to recovery while waiting for shipment and setup; conversely, storing unused equipment is costly, but allows recovery operations to begin mo… (§ 3.4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Hardware, software, and other equipment (types, specifications, and amount); (§ 3.6 ¶ 2 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Assist in identifying, prioritizing, and coordinating the protection of critical cyber defense infrastructure and key resources. (T0261, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identify critical system assets supporting [Selection: all; essential] mission and business functions. (CP-2(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify critical system assets supporting [Selection: all; essential] mission and business functions. (CP-2(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8) ¶ 1, TX-RAMP Security Controls Baseline Level 2)