Back

Designate an alternate facility in the continuity plan.


CONTROL ID
00742
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Separate the alternate facility from the primary facility through geographic separation., CC ID: 01394
  • Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs., CC ID: 01391


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Alternate processing procedures and structures must be defined and assessed in order to continue operations until the system can be recovered from a failure. The feasibility of the alternative processing procedures and structures must be verified by persons in charge of the user and operation depart… (App 2-1 Item Number VI.7.4(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should establish backup sites based on its business operation priorities. (T25, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In case that the computer center fails due to a disaster, etc., it is recommended, in the sense of risk dispersion, to establish backup centers considering the priority of business operations. (P74.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • (Pg 77, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Recovery plans should include information on the alternate sites for recovery operations. (Attach B ¶ 7(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • relevant information pertaining to alternate sites for the recovery of business and/or IT operations and details of the location and procedures for gaining access to off-site data storage; (Attachment B ¶ 7(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • CSIRTs shall rely on an infrastructure the continuity of which is ensured. To that end, redundant systems and backup working space shall be available. (ANNEX I ¶ 1(1)(c)(iii), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • the CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of their services. (Article 11 1 ¶ 1(f), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • immediately accessible to the financial entity's staff to ensure continuity of critical or important functions in the event that the primary processing site has become unavailable. (Art. 12.5. ¶ 2(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Central securities depositories shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs. (Art. 12.5. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Data reporting service providers shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times. (Art. 12.3. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Are the Disaster Recovery facilities sufficient to allow continued operations in the event of a regional disaster? (Table Row XII.18, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • A strategy for reducing the impact of the unavailability of the normal worksite should be developed by the organization. This strategy may include one or more of the following: alternative sites; working from home or remote sites; and use of an alternative workforce at an established site. (§ 7.4, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Site model types include the following: Active/Contingency (a remote or back-up site that is activated when an incident occurs, often called a cold back-up site); Active/Active (where both the primary and alternate sites are running during normal operations and after an incident the processing is tr… (Annex D, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • A third party alternative site may be a good idea to consider as part of resource recovery strategy. Third party sites may offer dedicated space, syndicated space, mobile facilities or prefabricated units. It also different measures to be taken for alternative site preparation. One suggestion given… (Stage 2, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • If a business continuity plan is activated, alternative office space probably will be required. Alternative office space solutions include using another organizational facility located outside the disaster zone; using remote access; and using commercial recovery sites. (§ 5.4.C ¶ 1, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Business continuity plans should identify alternate sites. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should include command and control procedures for alternate sites when it develops its incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(f), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The location of the alternate headquarters and operating locations should be defined, along with who should report to them. (Revised Volume 3 1-I-33, Protection of Assets Manual, ASIS International)
  • The Business Continuity program should apply across the organization and require each individual business environment to provide alternative arrangements to support critical business processes in the event of a major incident or disaster (e.g., by maintaining a hot, warm, or cold site where business… (CF.20.02.05e, The Standard of Good Practice for Information Security)
  • Critical business processes should be supported by business applications and technical infrastructure (e.g., computer systems, networks, or voice facilities) that use robust, reliable hardware and software, and are supported by alternative or duplicate facilities. (CF.20.03.01, The Standard of Good Practice for Information Security)
  • Business continuity arrangements should enable critical business processes to continue in the event of prolonged unavailability. (CF.20.06.05, The Standard of Good Practice for Information Security)
  • Business continuity arrangements should enable critical business processes to continue in the event of prolonged unavailability of technical infrastructure. (CF.20.06.06, The Standard of Good Practice for Information Security)
  • Business continuity arrangements should enable critical business processes to continue in the event of prolonged unavailability of services. (CF.20.06.07, The Standard of Good Practice for Information Security)
  • The Business Continuity program should apply across the organization and require each individual business environment to provide alternative arrangements to support critical business processes in the event of a major incident or disaster (e.g., by maintaining a hot, warm, or cold site where business… (CF.20.02.05e, The Standard of Good Practice for Information Security, 2013)
  • Critical business processes should be supported by business applications and technical infrastructure (e.g., computer systems, networks, or voice facilities) that use robust, reliable hardware and software, and are supported by alternative or duplicate facilities. (CF.20.03.01, The Standard of Good Practice for Information Security, 2013)
  • Business continuity arrangements should enable critical business processes to continue in the event of prolonged unavailability. (CF.20.06.05, The Standard of Good Practice for Information Security, 2013)
  • Business continuity arrangements should enable critical business processes to continue in the event of prolonged unavailability of technical infrastructure. (CF.20.06.06, The Standard of Good Practice for Information Security, 2013)
  • Business continuity arrangements should enable critical business processes to continue in the event of prolonged unavailability of services. (CF.20.06.07, The Standard of Good Practice for Information Security, 2013)
  • The direct operation of the recovery center and personal travel, safety, and welfare is dependent on environmental stability. Environmental instability has an effect on many items, such as power supply and telecommunications and personnel travel and safety to/from the recovery center. If the followi… (§ 5.2, § 6.2.2, § 6.2.3, § 6.2.4, § 6.2.7, § 6.2.8, § 6.2.9, § 6.2.10, § 8.2, § 8.3, § 8.4, § 8.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Map vulnerable populations and public and private health facilities (including traditional healers, pharmacies and other providers) and identify alternative facilities that may be used to provide treatment (Pillar 7 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Facilities that have the ability to support continuity, response, and recovery operations must be identified. (§ 5.12.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Does the Business Continuity and Disaster Recovery program include a virtual or physical command center where management can meet in a secure setting? (§ K.1.2.2, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include a virtual or physical command center where management can organize in a secure setting? (§ K.1.2.2, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include a virtual or physical command center where management can conduct emergency operations in a secure setting? (§ K.1.2.2, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • For cloud computing services, does the failover site for the underlying infrastructure run on the same vendor physical systems? (§ V.1.61, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, does the failover site for the underlying infrastructure run on different vendor physical systems? (§ V.1.62, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization must plan and make arrangements for the lodging and travel of disaster recovery personnel, if necessary. (CSR 5.10.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must identify an alternate site that allows all mission or business essential functions to be partially restored. (COAS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must identify an alternate site that allows all mission or business essential functions to be restored. (COAS-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Management should evaluate whether there are appropriate resources to ensure resilience, including an accessible, off-site repository of software, configuration settings, and related documentation, appropriate backups of data, and off-site infrastructure to operate recovery systems. (IV.A Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Alternatives for payment systems, facilities and infrastructure, data center(s), and branch relocation during a disaster. (V Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Maintain an accessible, off-site repository of software, configuration settings, and related documentation. (App A Objective 6:3d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • On-site medical support and mobile command centers. (App A Objective 6:4d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP includes procedures to establish an alternate physical location(s) where personnel and customers can go to conduct business, if appropriate. (App A Objective 8:7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP lists alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. (App A Objective 8:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP includes site relocation for short-, medium-, and long-term scenarios. (App A Objective 8:5a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the entity's IT infrastructure implementation includes considerations for server and data redundancy and resilience of telecommunications lines. (App A Objective 13:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should decide on an alternate processing site. The decision should be based on criticality of the processes and recovery time. (Pg G-8 thru Pg G-10, Exam Tier I Obj 4.1, Exam Tier I Obj 6.4, Exam Tier I Obj 6.6, Exam Tier I Obj 7.2, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should ensure that the service provider's continuity plan uses an alternate site to maintain data files and programs and arrangements have been made to continue processing at the site in the event of an outage or disaster. (Pg 26, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Focuses on data backups and brings alternate site strategies into the picture when describing where to put the backups. Section SC-2.1 points out that although choosing a backup storage location is a matter of judgment, the backup location should be far enough away from the primary location that it … (SC-2.1, SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization must identify an alternate processing site and have an agreement with the site for the secure resumption of the system(s) used to process, transmit, and store Federal Tax Information. (§ 5.6.6, Exhibit 4 CP-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Business Continuity Plan or Disaster Recovery Plan identify an alternate command site? (IT - Business Continuity Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • All contingency plans for FIPS 199 moderate- or high-impact systems must include a strategy to recover and operate at an alternate site for an extended period of time. Low-impact systems do not require an alternate site -- whether or not to have one is an organizational decision. There are three typ… (§ 3.4.3, § 5.1.5 ¶ 2 thru 3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure alternate processing site agreements cover the resumption of services in a predefined period of time, the alternate processing site agreements are reviewed and updated on a regular basis, and specific responsibilities and actions are … (CP-7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Providing physical security for the control center/control room is essential to reduce the potential of many threats. Control centers/control rooms frequently have consoles continuously logged onto the primary control server, where speed of response and continual view of the plant is of utmost impor… (§ 6.2.11.1 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • As discussed above, these three alternate site types are the most common. There are also variations, and hybrid mixtures of features from any one of the three. Each organization should evaluate its core requirements in order to establish the most effective solution. Two examples of variations to the… (§ 3.4.3 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The ISCP Coordinator should look at information provided in the BIA to determine what critical mission/business processes a system supports, the MTD, and the impact loss of the system would have on the business to establish what type of recovery site is needed. An information system recovery strateg… (§ 5.1.5 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must identify an alternate control center and the necessary telecommunications and start the necessary agreements to allow the resumption of critical functions in a defined time period. (SG.CP-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. (CP-2(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. (CP-9(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. (CP-9(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. (CP-9(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)