Include coverage for alternate facilities for all offices in contingency arrangements.


CONTROL ID
00746
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Prepare the alternate facility for an emergency offsite relocation., CC ID: 00744

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Offers checklists for contingency arrangements for offices. The first checklist describes what is necessary for thorough non-IT offsite backup procedures. Check yes or no as applicable: Identify all categories of offsite backup addressed by the organization's procedures taking into consideration har… (Pg 85, Pg 87, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The Business Continuity Plan should include arrangements for resuming critical business processes by using alternative facilities (e.g., via reciprocal arrangements with another organization or a contract with a specialist provider of business continuity arrangements). (CF.20.05.05, The Standard of Good Practice for Information Security)
  • Alternative information processing arrangements should be established for each individual business environment to enable critical business processes (and related services) to continue (at an acceptable level) in the event of a disaster or emergency affecting the underlying business applications, Inf… (CF.20.06.01, The Standard of Good Practice for Information Security)
  • Business continuity arrangements should cover all business locations and users associated with the organization's critical business processes. (CF.20.06.03, The Standard of Good Practice for Information Security)
  • The Business Continuity Plan should include arrangements for resuming critical business processes by using alternative facilities (e.g., via reciprocal arrangements with another organization or a contract with a specialist provider of business continuity arrangements). (CF.20.05.05, The Standard of Good Practice for Information Security, 2013)
  • Alternative information processing arrangements should be established for each individual business environment to enable critical business processes (and related services) to continue (at an acceptable level) in the event of a disaster or emergency affecting the underlying business applications, Inf… (CF.20.06.01, The Standard of Good Practice for Information Security, 2013)
  • Business continuity arrangements should cover all business locations and users associated with the organization's critical business processes. (CF.20.06.03, The Standard of Good Practice for Information Security, 2013)
  • Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Work locations for business functions; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Workspace recovery - the adequacy of floor space, desk top computers, network connectivity, e-mail access, and telephone service; and (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • If the organization is relying on outside facilities for recovery, determine whether the recovery site: ▪ Has the ability to process the required volume; ▪ Provides sufficient processing time for the anticipated workload based on emergency priorities; and ▪ Is available for use until the insti… (Exam Tier I Obj 6.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (SC-2.3, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • When the organization contracts with a commercial vendor to have an alternate site, the following must be negotiated and clearly stated in the contract: work space, testing time, hardware requirements, telecommunications requirements, security requirements, support services, and how long the organiz… (§ 3.4.3 ¶ 7, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Obtaining necessary office supplies and work space; (§ 4.3.2 ¶ 2 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must determine what the requirements are for an alternate storage site and start the necessary agreements. (SG.CP-7 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)