Include emergency communications procedures in the continuity plan.

CONTROL ID
00750
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Include managing multiple responding organizations in the emergency communications procedure., CC ID: 01249
  • Expedite emergency communications' fiscal decisions in accordance with accounting principles., CC ID: 01266
  • Maintain contact information for key third parties in a readily accessible manner., CC ID: 12764
  • Log important conversations conducted during emergencies with third parties., CC ID: 12763
  • Identify the appropriate staff to route external communications to in the emergency communications procedures., CC ID: 12762
  • Identify who can speak to the media in the emergency communications procedures., CC ID: 12761

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Where the incident involves a disruption of critical e-banking service and may last for a prolonged period of time, AIs should consider making a press release where the situation so warrants, such as when such a press release will be a demonstrably faster or more effective communication means than i… (§ 8.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • A communication strategy should be formulated by the senior management to ensure that consistent and up-to-date messages are conveyed to all relevant parties (e.g. customers, media and business partners) on a timely basis. In particular, AIs should proactively notify the customers affected, or likel… (§ 8.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Where the incident involves a disruption of critical e-banking service and may last for a prolonged period of time, AIs should consider making a press release where the situation so warrants, such as when such a press release will be a demonstrably faster or more effective communication means than i… (§ 8.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • A communication strategy should be formulated by the senior management to ensure that consistent and up-to-date messages are conveyed to all relevant parties (e.g. customers, media and business partners) on a timely basis. In particular, AIs should proactively notify the customers affected, or likel… (§ 8.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • the process for timely internal and external communications (see subsection 4.7 below); and (4.2.2 Bullet 6, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • AIs should formulate a formal strategy for communication with key external parties (e.g. regulators, investors, customers, counterparties, business partners, service providers, the media and other stakeholders). The strategy needs to set out to which parties AIs should communicate in the event of a … (4.7.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • F38: The organization shall install communications systems in computer rooms and data storage rooms for use during emergencies to alert personnel of a fire or other emergency and to provide instructions on firefighting and evacuation. F38.3: The organization shall provide emergency call and announce… (F38, F38.3, F111, F112, F112.2, F112.3, O7.3(3), O7.3(4), O62, O63.2(5), O76.3(3), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In addition, it is recommended to use different telephone lines for emergency from those for hot line phones intended for communication in the event of failure of the computer systems. (F38.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Typical communications systems for emergency use include alarm bells, alarm sirens, announce systems for emergency, and telephones for emergency. Select a proper type of equipment among those or a proper combination for installation depending on the conditions of the computer room and data storage r… (F38.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Emergency call and announce systems for emergency should be provided from the location where the personnel in charge of management of the building reside or the central control and monitoring station or other such location serving as the core for disaster control in the building, in order to ensure … (F38.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Being able to maintain customer confidence throughout a crisis or an emergency situation is of great importance to the reputation and soundness of the FI. FIs should include in their incident response procedures a predetermined action plan to address public relations issues. (§ 7.3.8, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Recovery plans should include a communication plan to notify key internal stakeholders and external stakeholders when the recovery plan is executed. (Attach B ¶ 7(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • a communication plan for notifying key internal and external stakeholders if a regulated institution's recovery plan is invoked; and (Attachment B ¶ 7(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • (Pg 56, Pg 79, Pg 80, Australia Privacy Act 1988)
  • In the event of a disruption or emergency, and during the implementation of the BCPs, financial institutions should ensure that they have effective crisis communication measures in place so that all relevant internal and external stakeholders, including the competent authorities when required by nat… (3.7.5 91, Final Report EBA Guidelines on ICT and security risk management)
  • CSIRTs shall be equipped with an appropriate system for managing and routing requests, in order to facilitate handovers. (ANNEX I ¶ 1(1)(c)(i), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • the CSIRTs shall be equipped with an appropriate system for managing and routing requests, in particular to facilitate effective and efficient handovers; (Article 11 1 ¶ 1(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. (Article 21 2(j), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropri… (Art. 14.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities, other than microenterprises, shall have a crisis management function, which, in the event of activation of their ICT business continuity plans or ICT response and recovery plans, shall, inter alia, set out clear procedures to manage internal and external crisis communications in … (Art. 11.7., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Defined communication channels, roles and responsibilities including the notification of the customer (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 4, Cloud Computing Compliance Controls Catalogue (C5))
  • Do the plans detail how to communicate with interested parties, including the media, during the disruption and how to prioritize activities? (Operation ¶ 29, ISO 22301: Self-assessment questionnaire)
  • Have internal and external communication protocols been established as part of these procedures? (Operation ¶ 18, ISO 22301: Self-assessment questionnaire)
  • Does the IRS and associated procedures include thresholds, assessment, activation, resource provision and communication? (Operation ¶ 20, ISO 22301: Self-assessment questionnaire)
  • Is there a procedure for managing internal and external communications during a disruptive incident? (Operation ¶ 23, ISO 22301: Self-assessment questionnaire)
  • In line with Fundamental Rule 7, in the event of a disruption or emergency (including at an outsourced or third party service provider), firms should ensure that they have effective crisis communication measures in place. This is so all relevant internal and external stakeholders, including the Bank… (§ 10.9, SS2/21 Outsourcing and third party risk management, March 2021)
  • The counter-terrorist protective security policy must include procedures to liaison with emergency services and any multi-agency contingency plans. (Mandatory Requirement 66.f, HMG Security Policy Framework, Version 6.0 May 2011)
  • Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recove… (DS4.2 IT Continuity Plans, CobiT, Version 4.1)
  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (12.10.1(b)(1), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (12.10.1(b)(1), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Does the plan address the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? - Specific incident response procedures? - Business recovery and continuity procedures? - … (12.10.1(b)(1), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (12.10.1(b)(1), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • An emergency the situation should be assessed and managed directly by the person who learns about the incident or escalated to the crisis management team. If the person receiving word of the incident must respond, they should determine if they are physically and emotionally able to do so, whether ot… (Pg 15 BCM Incident Readiness and Response, Stage 3.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The organization must develop, implement, and maintain procedures, with regard to the hazards, threats, risks, and its organizational resilience management system, for communicating internally between the organization's functions and levels; communicating externally with stakeholders and partners; e… (§ 4.4.3 ¶ 1(b), § 4.4.3 ¶ 1(c), § 4.4.3 ¶ 1(d), § 4.4.3 ¶ 1(f), § 4.4.3 ¶ 1(g), § 4.4.3 ¶ 1(h), § 4.4.3 ¶ 1(k), § 4.4.3 ¶ 2, § 4.4.3 ¶ 3, § 4.4.7 ¶ 3(h), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The creation of a communications plan before and during an outbreak that accounts for congested telecommunications services. (4.2, Pandemic Response Planning Policy)
  • Communication plan and cadence throughout the pandemic (4.4(e), Pandemic Response Planning Policy)
  • Plan for how customers will interact with the organization in different ways (4.10(g), Pandemic Response Planning Policy)
  • Alternate means to communicate during the pandemic (4.4(f), Pandemic Response Planning Policy)
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business… (BCR-01, Cloud Controls Matrix, v3.0)
  • The organization should have in place a process for communicating with external interested parties in case of emergency situations that could affect or concern them. An organization can also find it useful to document its processes for external communication. (7.4.3 ¶ 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - recei… (§ 7.4 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • assuring availability of the means of communication during a disruptive incident, (§ 8.4.3 ¶ 1 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish an… (§ 8.4.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts, (§ 8.4.4 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the reporting requirements; (§ 8.4.4.3 g), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • ensuring the availability of the means of communication during a disruption; (§ 8.4.3.1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • facilitating structured communication with emergency responders; (§ 8.4.3.1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • documented procedures to guide their actions (see 8.4.4), including those for the activation, operation, coordination and communication of the response. (§ 8.4.2.4 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. (§ 8.7.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Communicate information about COVID-19 to travellers (Pillar 4 Step 2 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Engage with existing public health and community-based networks, media, local NGOs, schools, local governments and other sectors such as healthcare service providers, education sector, business, travel and food/agriculture sectors using a consistent mechanism of communication (Pillar 2 Step 2 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Prepare local messages and pre-test through a participatory process, specifically targeting key stakeholders and at-risk groups (Pillar 2 Step 1 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Systematically establish community information and feedback mechanisms including through: social media monitoring; community perceptions, knowledge, attitude and practice surveys; and direct dialogues and consultations (Pillar 2 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Establish and utilize clearance processes for timely dissemination of messages and materials in local languages and adopt relevant communication channels (Pillar 2 Step 2 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Establish dedicated and equipped teams and ambulances to transport suspected and confirmed cases, and referral mechanisms for severe cases with co-morbidity (Pillar 7 Step 2 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Disseminate case definition in line with WHO guidance and investigation protocols to healthcare workers (public and private sectors) (Pillar 3 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Implement national risk-communication and community engagement plan for COVID-19, including details of anticipated public health measures (use the existing procedures for pandemic influenza if available) (Pillar 2 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • It is critical to communicate to the public what is known about COVID-19, what is unknown, what is being done, and actions to be taken on a regular basis. Preparedness and response activities should be conducted in a participatory, community-based way that are informed and continually optimized acco… (Pillar 2: Risk communication and community engagement, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Review and update existing national IPC guidance: health guidance should include defined patient-referral pathway including an IPC focal point, in collaboration with case management. Community guidance should include specific recommendations on IPC measures and referral systems for public places suc… (Pillar 6 Step 1 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • National public health emergency management mechanisms should be activated with engagement of relevant ministries such as health, education, travel and tourism, public works, environment, social protection, and agriculture, to provide coordinated management of COVID-19 preparedness and response. NAP… (Pillar 1: Country-level coordination, planning, and monitoring, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Implement triage, early detection, and infectious-source controls, administrative controls and engineering controls; implement visual alerts (educational material in appropriate language) for family members and patients to inform triage personnel of respiratory symptoms and to practice respiratory e… (Pillar 6 Step 2 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • In addition to the list above, separate lines of communication are needed when normal channels are inoperative or insufficient for communicating matters requiring heightened attention. Many organizations provide a means to communicate anonymously to the board of directors or a board delegate - such … (Methods of Communicating ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Minimum cybersecurity requirements for third-parties include how the organization and its suppliers and partners will communicate and coordinate in times of emergency, including: (DM.ED-6.5, CRI Profile, v1.2)
  • Minimum cybersecurity requirements for third-parties include how the organization and its suppliers and partners will communicate and coordinate in times of emergency, including: (DM.ED-6.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reading incident response and recovery plan documentation to understand the service organization's processes for recovering from identified system events, including its incident response procedures, incident communication protocols, recovery procedures, alternate processing plans, and procedures for… (¶ 3.59 Bullet 12, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The business continuity plan should provide for alternate communications between the firm, employees and customers. (R 3510(c), NASD Manual)
  • Members should create an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat. Members should consider in appropriate circumstances forming an incident response… (Information Security Program Bullet 4 Response and Recovery from Events that Threaten the Security of the Electronic Systems ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • When there are dependencies upon critical service providers, does the Business Continuity and Disaster Recovery program include communication in the event of a disruption at their facility? (§ K.1.2.15.3, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include an assured Business Continuity capability for the product or service in scope? (§ K.1.2.3, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Communication with employees, emergency personnel, regulators, vendors/ suppliers, customers, and the media; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the TSP's facilities. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriat… (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Customers; (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Local, state, and federal agencies; and (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Regulators. (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Notification standards (employees, customers, regulators, vendors, service providers); (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Trainin… (Other Policies, Standards and Processes, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Assessment of alternate data communications infrastructure between the entity and critical third-party service providers. (IV.A Action Summary ¶ 3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Communications protocols, event management, business continuity, and disaster recovery. (V Action Summary ¶ 2 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the entity's BCM includes communication protocols. (IV.B, "Communications") (App A Objective 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management (either an individual or team) has implemented procedures to communicate with both internal and external stakeholders. (App A Objective 8:3b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Network equipment, connectivity, and communication needs, including entity-owned and personal mobile devices. (App A Objective 8:1h, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Crisis or emergency management communication protocols, including the designation of a spokesperson(s) to communicate with the news media, as appropriate. (App A Objective 8:13d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The continuity plan should include processes for communicating to internal and external stakeholders, customers, and employees. The continuity plan should include employee notification procedures. These procedures should include how to contact employees, who employees are to call to be accounted for… (Pg 14, Pg 32, Pg 33, Pg C-5, Pg G-5, Pg G-6, Exam Tier I Obj 4.3, Exam Tier I Obj 5.1, Exam Tier I Obj 9.1, Exam Tier I Obj 9.2, Exam Tier I Obj 10.6 (Testing Strategies), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should develop plans to communicate with its customers during an outage. (Pg 36, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • (SC-2.3, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Does the Business Continuity Plan or Disaster Recovery Plan identify a command center site? (IT - Business Continuity Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.7.6 Bullet 1: Establish and implement procedures to enable continuation of critical business processes for ePHI protection while operating in emergency mode. § 4.7.6 Bullet 2: Emergency mode operation is defined as only those critical business processes that must occur to protect ePHI during a… (§ 4.7.6 Bullet 1, § 4.7.6 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. (CP-11 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. (CP-11 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Communication procedure and list of personnel to contact in the case of an emergency including ICS vendors, network administrators, ICS support personnel, etc. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 1 Bullet 7, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals). (T0096, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The type of information to be relayed to those being notified should be documented in the plan. The amount and detail of information relayed may depend on the specific team being notified. As necessary, notification information may include the following: (§ 4.2.2 ¶ 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Notifications also should be sent to POCs of external organizations or interconnected system partners that may be adversely affected if they are unaware of the situation. Depending on the type of outage or disruption, the POC may have recovery responsibilities. For each system interconnection with a… (§ 4.2.2 ¶ 6, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Notifying internal and external business partners associated with the system; (§ 4.3.2 ¶ 2 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • An outage or disruption may occur with or without prior notice. For example, advance notice is often given that a hurricane is predicted to affect an area or that a computer virus is expected on a certain date. However, there may be no notice of equipment failure or a criminal act. Notification proc… (§ 4.2.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The notification strategy should define procedures to be followed in the event that specific personnel cannot be contacted. Notification procedures should be documented clearly in the contingency plan. Copies of the procedures can be made and located securely at alternate locations. A common manual … (§ 4.2.2 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Communicate guidance to stakeholders during a pandemic. (Appendix D Subsection 2 ¶ 1 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Local response organizations should be contacted directly or through state emergency management. (Appendix D Subsection 4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Information system contingency plans are rarely developed or executed on their own. When an incident occurs that impacts information system operations, it often impacts the organization's personnel. Proper considerations for the safety, security, and well-being of personnel should be planned for in … (Appendix D ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The OEP should also include procedures and multiple contact methods for collecting a personnel head count after the disaster. It is important for senior management to know who was in the building prior to the event and who has been accounted for (both onsite and offsite personnel) so that civil auth… (Appendix D Subsection 1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Like internal communication, organizations should pay deliberate attention to the message being communicated to external parties. Again, an effective method is to designate a specific POC or team from the organization to be responsible for press releases and media communication. The POC or team's pr… (Appendix D Subsection 5 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • One of the most important activities is internal communication within the organization. Staff and management need to know what has occurred, the status of the situation, what actions they should take, and who is in charge of the situation. One person or team should be responsible for internal commun… (Appendix D Subsection 5 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The crisis communication plan typically addresses internal communication flows to personnel and management and external communication with the public. The most effective way to provide helpful information and to reduce rumors is to communicate clearly and often. The plan should also prepare the orga… (Appendix D Subsection 5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. (CP-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. (CP-11 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. (CP-11 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Contingency plans should be current. Institutions should be prepared, as part of the contingency planning process, to reassure the public that the temporary malfunction of their Web sites does not jeopardize their funds and that the bank is fully capable of meeting their banking needs through other … (¶ 3, Internet Security: Distributed Denial of Service Attacks - OCC Alert 2000-1)
  • Management should establish a communications plan that designates key personnel and outlines a program for employee notification. (¶ 39, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • include a plan to communicate with essential persons in the event of a cybersecurity-related disruption to the operations of the covered entity, including employees, counterparties, regulatory authorities, third-party service providers, disaster recovery specialists, the senior governing body and an… (§ 500.16 Incident Response and Business Continuity Management (a)(2)(iii), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)