Back

Establish, implement, and maintain Service Level Agreements for all alternate facilities.


CONTROL ID
00745
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Prepare the alternate facility for an emergency offsite relocation., CC ID: 00744

This Control has the following implementation support Control(s):
  • Include recovery time in Service Level Agreements for all alternate facilities., CC ID: 16331
  • Include priority-of-service provisions in Service Level Agreements for all alternate facilities., CC ID: 16330
  • Include backup media transportation in Service Level Agreements for alternate facilities., CC ID: 16329
  • Include transportation services in Service Level Agreements for alternate facilities., CC ID: 16328
  • Include that the shared service provider will not oversubscribe their services in the Service Level Agreement., CC ID: 04892
  • Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement., CC ID: 04893


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • When backup operations are contracted out, the organization should regularly identify and review its backup priorities, minimum amount of guaranteed service, and other service offerings. (T25.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is desirable to come to an agreement regarding the service level by means of concluding an SLA or confirming the SLO. It is also advisable to consider in advance the responses to take in case the contractor cannot fulfill the contracted operations as per the SLA due to the impact of a wide-area d… (C21.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Presents a checklist for alternate processing service contract considerations. For each item check yes or no. The list covers the following general issues: The description of the alternate processing facilities should indicate adequate physical security and appropriate environmental controls Availab… (Pg 66, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The organization should establish formal arrangements with an alternate processing site to be used as a recovery site in case of a disaster at the primary processing site. (Attach B ¶ 5, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • A critical facet with respect to recovery is the usage of additional data processing sites. APRA envisages that a regulated institution would have formal arrangements in place to allow for recovery to an alternate processing site in the event of a disaster impacting the primary site(s). (Attachment B ¶ 5, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT continge… (DS4.1 IT Continuity Framework, CobiT, Version 4.1)
  • Each Business Continuity Plan should be supported by the provision of business continuity arrangements, such as separate processing facilities, reciprocal arrangements with another organization, or a contract with a specialist provider of business continuity arrangements. (CF.20.06.02, The Standard of Good Practice for Information Security)
  • Contracts with specialist providers of business continuity arrangements (or equivalent) should be established. (CF.20.06.08, The Standard of Good Practice for Information Security)
  • Each Business Continuity Plan should be supported by the provision of business continuity arrangements, such as separate processing facilities, reciprocal arrangements with another organization, or a contract with a specialist provider of business continuity arrangements. (CF.20.06.02, The Standard of Good Practice for Information Security, 2013)
  • Contracts with specialist providers of business continuity arrangements (or equivalent) should be established. (CF.20.06.08, The Standard of Good Practice for Information Security, 2013)
  • Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises. (FS-06, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Disaster recovery service activation should be included in the SLAs. The agreements should include the requirements in section 5.8.2 and the requirement for any associated fees to be paid. (§ 7.12, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The organization must establish agreements and arrangements for a backup data center that has sufficient processing capacity, is available, and is in a state of readiness. (CSR 5.10.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The organization should have a formal agreement with the alternate site. (Pg G-8, Exam Tier I Obj 6.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should ensure all alternate sites meet its requirements. The contract with the alternate site should state who is responsible for telecommunications. (Pg 29, FFIEC IT Examination Handbook - Operations, July 2004)
  • The service provider should ensure the organization's right to use the alternate site in the event of an emergency. (Pg 27, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • (SC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., FedRAMP Security Controls High Baseline, Version 5)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., FedRAMP Security Controls High Baseline, Version 5)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., FedRAMP Security Controls High Baseline, Version 5)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must ensure agreements are in place with the alternate site for the secure storage of Federal Tax Information and system backups. (§ 5.6.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The alternate processing site agreements should be examined to ensure they contain a priority-of-service provision to meet the organization's availability requirements. (CP-7(3), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Site guarantee; (§ 3.4.3 ¶ 9 Bullet 6, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Guarantee of compatibility; (§ 3.4.3 ¶ 9 Bullet 11, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Other contractual issues, as applicable; and (§ 3.4.3 ¶ 9 Bullet 23, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Two or more organizations with similar or identical system configurations and backup technologies may enter into a formal agreement to serve as alternate sites for each other or enter into a joint contract for an alternate site. This type of site is set up via a reciprocal agreement or memorandum of… (§ 3.4.3 ¶ 8, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Alternate and offsite facility requirements; and (§ 3.6 ¶ 2 Bullet 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Alternate site contract, including testing times; (§ 3.6 ¶ 5 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Offsite storage contract; (§ 3.6 ¶ 5 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Backup media should be stored offsite in a secure, environmentally controlled location. When selecting the offsite location, hours of the location, ease of accessibility to backup media, physical storage limitations, and the contract terms should be taken into account. The ISCP Coordinator should re… (§ 5.1.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • An MOU or an SLA for an alternate site should be developed specific to the organization's needs and the partner organization's capabilities. The legal department of each party must review and approve the agreement. In general, the agreement should address at a minimum, each of the following elements… (§ 3.4.3 ¶ 9, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Development/Acquisition Phase. As initial concepts evolve into information system development, specific contingency solutions may be determined. As in the Initiation phase, technical contingency planning considerations in this phase should reflect system and operational requirements. The design shou… (Appendix F ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must identify all alternate telecommunication services and start the necessary agreements to allow operations to be resumed inside a defined period. (SG.CP-8 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must identify an alternate control center and the necessary telecommunications and start the necessary agreements to allow the resumption of critical functions in a defined time period. (SG.CP-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop agreements with the alternate control center that contains priority-of-service provisions. (SG.CP-9 Requirement Enhancements 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must identify an alternate processing site and initiates necessary agreements to permit the resumption of Information System operations in a predefined time when primary information processing is unavailable. (App F § CP-7.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should establish contingency Service Level Agreements that contain priority of service clauses that meet system availability needs. (App F § CP-7(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {organizationally documented information system operations} for essential missions/business functions within {organizationally documented time period consistent with reco… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {organizationally documented information system operations} for essential missions/business functions within {organizationally documented time period consistent with reco… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and (CP-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and rec… (CP-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and (CP-7b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Reviews and updates Interconnection Security Agreements [TX-RAMP Assignment: at least annually]. (CA-3c., TX-RAMP Security Controls Baseline Level 1)
  • The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). (CP-7(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and (CP-7b., TX-RAMP Security Controls Baseline Level 2)
  • Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery ti… (CP-7a., TX-RAMP Security Controls Baseline Level 2)
  • Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and (CP-6a., TX-RAMP Security Controls Baseline Level 2)
  • Reviews and updates Interconnection Security Agreements [TX-RAMP Assignment: at least annually]. (CA-3c., TX-RAMP Security Controls Baseline Level 2)