Include Internet Service Provider continuity procedures in the continuity plan.


CONTROL ID: 00743
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Include Local Area Network continuity procedures in the continuity plan., CC ID: 01381
  • Include Wide Area Network continuity procedures in the continuity plan., CC ID: 01294


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should establish several networks for communicating during a failure and/or disaster. (O62.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A good BCP will provide treatments addressing recovery from loss or interruption of voice and data communications within and outside the organization. Such treatments may include human resource procedures for supporting the business function vendor and carrier negotiations alternate path design and… (Pg 42, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Business continuity plans should identify telecommunication carrier access points. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should include critical infrastructure, such as communications, that could be affected during an emergency or disruptive incident when it develops the incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(r), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Standards / procedures should cover establishing a framework of controls to help secure the critical infrastructure. (CF.08.03.02d, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should help to ensure that critical business processes are supported by a resilient technical infrastructure (e.g., by duplicating business applications, Information Systems, and networks, and removing 'single points of failure'). (CF.20.01.05b, The Standard of Good Practice for Information Security)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by arranging for fall-back to alternative points of connection and links with external service providers. (CF.20.03.06c, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover establishing a framework of controls to help secure the critical infrastructure. (CF.08.03.02d, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity strategy should help to ensure that critical business processes are supported by a resilient technical infrastructure (e.g., by duplicating business applications, Information Systems, and networks, and removing 'single points of failure'). (CF.20.01.05b, The Standard of Good Practice for Information Security, 2013)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by arranging for fall-back to alternative points of connection and links with external service providers. (CF.20.03.06c, The Standard of Good Practice for Information Security, 2013)
  • Does the Business Continuity and Disaster Recovery program include an alternate and diverse means of communications in the event standard communication channels are unavailable? (§ K.1.2.11, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the financial institution and service provider are considering alternate data communications infrastructure to achieve resilience. Consider the efficacy of managing the following risks: (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Disruption of data and voice communications between facilities and service providers. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The organization should have continuity plans for voice and data services and should identify critical network components. (Pg E-4, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Alternative access mechanisms in the event of an outage to primary access to bankcard, ACH, and other retail payment networks. (App A Tier 1 Objectives and Procedures Objective 3:3 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Recovery of all required components linking the institution with third-party network switch, gateway, or related third-party data centers and bankcard processors. (App A Tier 2 Objectives and Procedures E.1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)