Prepare the alternate facility for an emergency offsite relocation.


CONTROL ID: 00744
CONTROL TYPE: Systems Continuity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Operational and Systems Continuity, CC ID: 00731

This Control has the following implementation support Control(s):
  • Include coverage for alternate facilities for all offices in contingency arrangements., CC ID: 00746
  • Establish, implement, and maintain Service Level Agreements for all alternate facilities., CC ID: 00745
  • Establish, implement, and maintain Memorandums Of Understanding for all alternate facilities., CC ID: 11695
  • Configure the alternate facility to meet the least needed operational capabilities., CC ID: 01395
  • Establish, implement, and maintain logical access controls at alternate facilities., CC ID: 13227
  • Establish, implement, and maintain physical access controls for alternate facilities., CC ID: 13226
  • Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan., CC ID: 13225
  • Protect backup systems and restoration systems at the alternate facility., CC ID: 04883
  • Review the alternate facility preparation procedures., CC ID: 04884


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • clear criteria for activation of the BCP and/or alternate sites; (4.2.2 Bullet 4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • AIs’ alternate sites should be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCPs. Should the BCPs so require, the alternate sites should have pre-installed workstations, power, telephones and ventilation, and suf… (5.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Furthermore, it is necessary to understand the capability of each facility, such as a power supply facility, in preparation for the addition of OA equipment, personal computers, etc. (P53.2. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Indicates that a fundamental aspect of recovering from an outage is having access to record and information in electronic and physical forms. A checklist is provided so that an organization can ensure its backup measures are adequate: Ensure all resources required for the selected strategies are sto… (Pg 77, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • capable of ensuring the continuity of critical or important functions identically to the primary site, or providing the level of services necessary to ensure that the financial entity performs its critical operations within the recovery objectives; (Art. 12.5. ¶ 2(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Organisational safeguards: (Section 5.5 PS-03 Basic requirement ¶ 4, Cloud Computing Compliance Controls Catalogue (C5))
  • Alternative arrangements should involve separate, alternative processing facilities (inside the organization, at an external party site, or as part of a contract with a specialist business continuity arrangements provider), and be ready for immediate use. (CF.20.06.04, The Standard of Good Practice for Information Security)
  • Alternative arrangements should involve separate, alternative processing facilities (inside the organization, at an external party site, or as part of a contract with a specialist business continuity arrangements provider), and be ready for immediate use. (CF.20.06.04, The Standard of Good Practice for Information Security, 2013)
  • Processes should be established for minimizing the risks associated with organizations that are in close proximity, including developing plans to increase capabilities and capacities to service simultaneous organizations and developing procedures to ensure recovery sites will not likely be impacted … (§ 7.10, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. Measures may include geographic separation, redundancy, and failover capabilities for components. (A1.2 ¶ 2 Bullet 10 Implements Alternate Processing Infrastructure, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. (CP-7(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. (A1.2 Implements Alternate Processing Infrastructure, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. (A1.2 ¶ 2 Bullet 10 Implements Alternate Processing Infrastructure, Trust Services Criteria, (includes March 2020 updates))
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • (R 3510(c), NASD Manual)
  • The continuity plan should include strategies for relocating to the alternate site. The organization should ensure the recovery site is appropriate in size, location, capacity, and requirements. (Pg 14, Pg G-16, Pg G-17, Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The alternate site should have hardware and software that is compatible with the hardware and software at the main site. The physical and logical security controls at the alternate site should be able to be maintained by the service provider. (Pg 27, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Assess the adequacy of the financial institution's business continuity plans for a partial or complete failure of each retail payment system. Determine whether the plans include: • Recovery of all required components linking the institution with third-party network switch, gateway, or related thir… (Exam Tier II Obj 5.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • (§ 395C.05, GAO/PCIE Financial Audit Manual (FAM))
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. (CP-7(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. (CP-7(4) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., FedRAMP Security Controls High Baseline, Version 5)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. (CP-7(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporti… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records, documents, and the alternate work site should be examined to ensure security controls are installed and implemented at the alternate work site and specific responsibilities and actions are defined for the implementation of the alternate work site control. Any problems discove… (PE-17, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. (CP-7(4) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Although major disruptions with long-term effects may be rare, they should be accounted for in the contingency plan. Thus, for all FIPS 199 moderate- or high-impact systems, the plan should include a strategy to recover and perform system operations at an alternate facility for an extended period. O… (§ 3.4.3 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • During a serious situation, addressing personnel and family matters often takes priority over resuming business. Planning for such matters may involve pre-identification of temporary housing, work space, and staffing. In some situations, the organization may need to use personnel from associated org… (Appendix D Subsection 3 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must establish an alternate work site with all of the proper communication infrastructure and equipment in case of a loss of the primary work site. (SG.PE-11 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should provide all essential mission and business functions to be transferred to the alternate processing site and/or storage site with little or no loss of continuity and this continuity should be maintained through the restoration back to the primary processing site and/or storage… (App F § CP-2(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should configure the alternate processing site so it is ready to use as the operational site. (App F § CP-7(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. (CP-7(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. (CP-7(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. (CP-7(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. (CP-7(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. (CP-2(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. (CP-2(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. (CP-7(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. (CP-2(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. (CP-7(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., TX-RAMP Security Controls Baseline Level 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., TX-RAMP Security Controls Baseline Level 2)