Establish, implement, and maintain Service Level Agreements for all alternate facilities.


CONTROL ID
00745
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Prepare the alternate facility for an emergency offsite relocation., CC ID: 00744

This Control has the following implementation support Control(s):
  • Include that the shared service provider will not oversubscribe their services in the Service Level Agreement., CC ID: 04892
  • Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement., CC ID: 04893


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When backup operations are contracted out, the organization should regularly identify and review its backup priorities, minimum amount of guaranteed service, and other service offerings. (T25.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Presents a checklist for alternate processing service contract considerations. For each item check yes or no. The list covers the following general issues: The description of the alternate processing facilities should indicate adequate physical security and appropriate environmental controls Availab… (Pg 66, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The organization should establish formal arrangements with an alternate processing site to be used as a recovery site in case of a disaster at the primary processing site. (Attach B ¶ 5, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • A critical facet with respect to recovery is the usage of additional data processing sites. APRA envisages that a regulated institution would have formal arrangements in place to allow for recovery to an alternate processing site in the event of a disaster impacting the primary site(s). (Attachment B ¶ 5, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT continge… (DS4.1 IT Continuity Framework, CobiT, Version 4.1)
  • Each Business Continuity Plan should be supported by the provision of business continuity arrangements, such as separate processing facilities, reciprocal arrangements with another organization, or a contract with a specialist provider of business continuity arrangements. (CF.20.06.02, The Standard of Good Practice for Information Security)
  • Contracts with specialist providers of business continuity arrangements (or equivalent) should be established. (CF.20.06.08, The Standard of Good Practice for Information Security)
  • Each Business Continuity Plan should be supported by the provision of business continuity arrangements, such as separate processing facilities, reciprocal arrangements with another organization, or a contract with a specialist provider of business continuity arrangements. (CF.20.06.02, The Standard of Good Practice for Information Security, 2013)
  • Contracts with specialist providers of business continuity arrangements (or equivalent) should be established. (CF.20.06.08, The Standard of Good Practice for Information Security, 2013)
  • Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises. (FS-06, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Disaster recovery service activation should be included in the SLAs. The agreements should include the requirements in section 5.8.2 and the requirement for any associated fees to be paid. (§ 7.12, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The organization must establish agreements and arrangements for a backup data center that has sufficient processing capacity, is available, and is in a state of readiness. (CSR 5.10.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The organization should have a formal agreement with the alternate site. (Pg G-8, Exam Tier I Obj 6.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should ensure all alternate sites meet its requirements. The contract with the alternate site should state who is responsible for telecommunications. (Pg 29, FFIEC IT Examination Handbook - Operations, July 2004)
  • The service provider should ensure the organization's right to use the alternate site in the event of an emergency. (Pg 27, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • (SC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must ensure agreements are in place with the alternate site for the secure storage of Federal Tax Information and system backups. (§ 5.6.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The alternate processing site agreements should be examined to ensure they contain a priority-of-service provision to meet the organization's availability requirements. (CP-7(3), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must identify all alternate telecommunication services and start the necessary agreements to allow operations to be resumed inside a defined period. (SG.CP-8 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must identify an alternate control center and the necessary telecommunications and start the necessary agreements to allow the resumption of critical functions in a defined time period. (SG.CP-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop agreements with the alternate control center that contain priority-of-service provisions. (SG.CP-9 Requirement Enhancements 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must identify an alternate processing site and initiate the necessary agreements to permit the resumption of Information System operations within a predefined time when primary information processing is unavailable. (App F § CP-7.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should establish contingency Service Level Agreements that contain priority of service clauses that meet system availability needs. (App F § CP-7(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {organizationally documented information system operations} for essential missions/business functions within {organizationally documented time period consistent with reco… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {organizationally documented information system operations} for essential missions/business functions within {organizationally documented time period consistent with reco… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Reviews and updates Interconnection Security Agreements [TX-RAMP Assignment: at least annually]. (CA-3c., TX-RAMP Security Controls Baseline Level 1)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., TX-RAMP Security Controls Baseline Level 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., TX-RAMP Security Controls Baseline Level 2)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., TX-RAMP Security Controls Baseline Level 2)
  • Reviews and updates Interconnection Security Agreements [TX-RAMP Assignment: at least annually]. (CA-3c., TX-RAMP Security Controls Baseline Level 2)