Establish, implement, and maintain a continuity plan.

CONTROL ID: 00752
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Activate the continuity plan if the damage assessment report indicates the activation criterion has been met., CC ID: 01373
  • Report changes in the continuity plan to senior management., CC ID: 12757
  • Identify all stakeholders in the continuity plan., CC ID: 13256
  • Lead or manage business continuity and system continuity, as necessary., CC ID: 12240
  • Include a business continuity testing policy in the continuity plan, as necessary., CC ID: 13234
  • Include identification procedures in the continuity plan, as necessary., CC ID: 14372
  • Refrain from adopting impromptu measures when continuity procedures exist., CC ID: 13093
  • Include the continuity strategy in the continuity plan., CC ID: 13189
  • Restore systems and environments to be operational., CC ID: 13476
  • Document and use the lessons learned to update the continuity plan., CC ID: 10037
  • Implement alternate security mechanisms when the means of implementing the security function is unavailable., CC ID: 10605
  • Include roles and responsibilities in the continuity plan, as necessary., CC ID: 13254
  • Monitor and evaluate business continuity management system performance., CC ID: 12410
  • Coordinate continuity planning with governmental entities, as necessary., CC ID: 13258
  • Coordinate continuity planning with community organizations, as necessary., CC ID: 13259
  • Coordinate and incorporate supply chain members' continuity plans, as necessary., CC ID: 13242
  • Include incident management procedures in the continuity plan., CC ID: 13244
  • Include the use of virtual meeting tools in the continuity plan., CC ID: 14390
  • Include scenario analyses of various contingency scenarios in the continuity plan., CC ID: 13057
  • Include the annual statement based on the continuity plan review in the continuity plan., CC ID: 12775
  • Establish, implement, and maintain the continuity procedures., CC ID: 14236
  • Document the uninterrupted power requirements for all in scope systems., CC ID: 06707
  • Document all supporting information in the continuity plan, such as purpose, scope, and requirements., CC ID: 01371
  • Document the concept of operations in the continuity plan, including a line of succession., CC ID: 01372
  • Review and update the continuity plan call tree mechanism after a personnel status change., CC ID: 01167
  • Establish, implement, and maintain damage assessment procedures., CC ID: 01267
  • Establish, implement, and maintain a recovery plan., CC ID: 13288
  • Include restoration procedures in the continuity plan., CC ID: 01169
  • Disseminate and communicate business functions across multiple facilities separated by geographic separation., CC ID: 10662
  • Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary., CC ID: 10665

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Contingency plans should be maintained and regularly tested by AIs and their service providers to ensure business continuity, e.g. in the event of a breakdown in the systems of the service provider or telecommunication problems with the host country. (2.7.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • AIs should implement sufficient and effective alternative service delivery channels to ensure e-banking services can be provided continuously to customers as far as appropriate. In particular, if an Internet banking system is temporarily not accessible, AIs should ensure that their other service cha… (§ 9.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Once the recovery strategies for individual business and support functions are determined and the BCP requirements are finalised, the development of the BCP should commence. The objective of the BCP is to provide detailed guidance and procedures to respond to and manage a crisis, to resume and conti… (4.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The internal audit function of an AI should conduct periodic review of its BCP to determine whether the plan is realistic and remains relevant, and whether it adheres to the policies and standards established by the AI. (2.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Individual business and support functions, with the assistance of the BCP function, should review their business impact analysis and recovery strategy, say on an annual basis. This aims to confirm the validity of, or whether updates are needed to, the BCP requirements (including the technical specif… (6.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Significant internal changes (e.g. merger or acquisitions, business re-organisation or departure of key personnel) should be reflected in the plan immediately and reported to senior management. (6.2.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Formal testing documentation (including testing plan, testing scenarios, testing procedures and testing results) should be produced to ensure thoroughness and effectiveness of testing. Specifically, a post mortem review report should be prepared at the completion of the testing for formal sign-off b… (6.1.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • AIs should develop an IT disaster recovery plan to ensure that critical application systems and technology services can be resumed in accordance with the business recovery requirements. Please refer to TM-G-2 “Business Continuity Planning” on how to develop detailed recovery procedures of applic… (5.4.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Reviewing and approving the contingency plan, which covers cybersecurity scenarios and corresponding contingency strategies, developed for the internet trading system; and (3.1. ¶ 1 (g), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • App 2-1 Item Number I.5(1): The organization must develop a business continuity policy. App 2-1 Item Number VI.7.2(1): Contingency plans must be developed based on the risk analysis, and they must be consistent with the business continuity plan. This is an IT general control. (App 2-1 Item Number I.5(1), App 2-1 Item Number VI.7.2(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • App 2-1 Item Number I.5(5): The organization must review and update the business continuity plan, as necessary, to maintain its effectiveness. App 2-1 Item Number VI.7.2(6): The contingency plan must be updated regularly and it must be ensured that it is up to date. This is an IT general control. (App 2-1 Item Number I.5(5), App 2-1 Item Number VI.7.2(6), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O15: The organization shall create manuals describing alternative measures, countermeasures, and recovery procedures for failures or disasters. O48: For head and branch offices, the organization shall establish and maintain procedures in order to be prepared for any failure or disaster and ensure th… (O15, O48, O48.1, O48.2, O65, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization shall review contingency plans when changes have been made to higher priority business operations; when changes are made to the infrastructure, site facilities, and/or organizations; and when priority for business operations not included in the contingency plan becomes higher. (O65.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O65.3(8): When developing contingency plans, the organization shall define maintenance and control programs, such as reviewing the plans based on the training drills. O83.1: The organization shall implement education and training on failures, disasters, and its contingency plans on a regular basis i… (O65.3(8), O83.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Events that trigger the implementation of a business continuity plan may have significant security implications. Depending on the event, some or all of the elements of the security environment may change. Different tradeoffs may exist between availability, integrity, confidentiality, and accountabil… (Critical components of information security 29) ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Due to the dynamic nature of the cloud, information may not immediately be located in the event of a disaster. Business continuity and disaster recovery plans must be well documented and tested. The cloud provider must understand the role it plays in terms of backups, incident response and recovery.… (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 2 ¶ 7 h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ensure that there are plans and procedures in place to address adverse conditions or termination of the outsourcing arrangement such that the institution will be able to continue business operations and that all documents, records of transactions and information previously given to the service provi… (5.7.2 (c), Guidelines on Outsourcing)
  • The disaster recovery plan should be reviewed, updated and tested regularly in accordance with changing technology conditions and operational requirements. (§ 5.1.9, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should also put in place a contingency plan based on credible worst-case scenarios for service disruptions to prepare for the possibility that its current service provider may not be able to continue operations or render the services required. The plan should incorporate identification of via… (§ 5.1.10, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • IT incidents, if handled inappropriately, may escalate into situations that have a severe impact on the FI’s operations or its customers. The FI should evaluate the recovery plan and incident response procedures at least annually and update them as and when changes to business operations, systems … (§ 8.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • To strengthen recovery measures relating to large scale disruptions and to achieve risk diversification, the FI should implement rapid backup and recovery capabilities at the individual system or application cluster level. The FI should consider inter-dependencies between critical systems in drawing… (§ 8.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should develop a Business Continuity Plan. (Control: 0913, Australian Government Information Security Manual: Controls)
  • Pg 43 says that a business continuity plan should be created in a way which recognizes the interdependencies between systems. Where possible, plans should be consolidated into an organization-wide plan. Pg 12 Outputs explains what a good business continuity plan should contain and bring together. A … (Pg 12 Outputs, Pg 43, Pg 60, Pg 61, Pg 73, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Indicates that the goal of business continuity management is to ensure uninterrupted availability of all key business resources that support critical business activities. It is recommended that an organization place emphasis on planning to handle the organization as a whole during a crisis rather th… (Pg 12 Objective, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Talks about maintaining and updating the business continuity plan. Administrative procedures and guidelines should be developed to provide for periodic testing and documentation maintenance of service area recovery plans and ongoing training. Ongoing responsibilities should be defined to ensure appr… (Pg 64, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a s… (3.7.2 81, Final Report EBA Guidelines on ICT and security risk management)
  • Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT service… (3.7.2 80, Final Report EBA Guidelines on ICT and security risk management)
  • BCPs should be updated at least annually, based on testing results, current threat intelligence and lessons learned from previous events. Any changes in recovery objectives (including RTOs and RPOs) and/or changes in business functions, supporting processes and information assets, should also be con… (3.7.4 88, Final Report EBA Guidelines on ICT and security risk management)
  • appropriate contingency planning to enable the availability, continuity, and recovery of critical ICT systems and services to minimize disruption to an institution's operations within acceptable limits. (Title 3 3.3.4(a) 54.a(iii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Procedures should be implemented to ensure computerized systems that support critical processes have continuity of support when there is a system breakdown. (¶ 16, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The Business Continuity Plans should be adequately documented and tested. (¶ 16, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The business impact analysis as well as the business continuity plans and contingency plans are verified, updated and tested at regular intervals (at least once a year) or after essential organisational or environment-related changes. The tests also involve affected customers (tenants) and relevant … (Section 5.14 BCM-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Continuous improvement process of the plans (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 7, Cloud Computing Compliance Controls Catalogue (C5))
  • Methods used for the implementation of the plans (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 6, Cloud Computing Compliance Controls Catalogue (C5))
  • Strategic establishment and control of a business continuity management (BCM): planning, implementing and testing a business continuity concept as well as incorporating safeguards in order to ensure and maintain operations. (Section 5.14 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Has continual improvement been considered? (Context of the organization ¶ 7, ISO 22301: Self-assessment questionnaire)
  • Have these actions been documented? (Operation ¶ 9, ISO 22301: Self-assessment questionnaire)
  • Have documented BC procedures been put in place to manage a disruptive incident, and have continuity activities based on recovery objectives been identified in the BIA? (Operation ¶ 17, ISO 22301: Self-assessment questionnaire)
  • The organization must verify that all locations where system assets, including cryptographic items, and information are stored have developed Business Continuity plans and Disaster Recovery plans. (Mandatory Requirement 49, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must test and review the Business Continuity Plan at least annually or after a significant organizational change. (Mandatory Requirement 70, HMG Security Policy Framework, Version 6.0 May 2011)
  • For a Business Continuity Management program to be effective, it must be tested, reviewed, and updated and be supported by trained staff. (Security Policy No. 7 ¶ 4 Bullet 4, HMG Security Policy Framework, Version 6.0 May 2011)
  • List X contractors must prepare contingency plans that detail how to protect protectively marked assets should their site be chosen for a challenge inspection. (¶ 55, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • App 2 ¶ 14.g(2): For IT systems that process and access restricted information, the system shall have a defined business contingency plan. This is applicable to UK contractors. App 6 ¶ 15.g(2): For IT systems that process and access UK restricted information, the system shall have a defined busine… (App 2 ¶ 14.g(2), App 6 ¶ 15.g(2), The Contractual process, Version 5.0 October 2010)
  • The continuity plan should be periodically reviewed and updated. (¶ 44, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Has a Disaster Recovery Plan been implemented? (Table Row XII.13, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Written procedures for system recovery should be developed. (¶ 19.6, Good Practices For Computerized systems In Regulated GXP Environments)
  • Systems should have adequate alternative arrangements for systems which need to continue operating in the event of a breakdown. (¶ 15, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Procedures should be defined and validated for system failures or breakdowns. (¶ 16, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly. (DS4.10 Post-resumption Review, CobiT, Version 4.1)
  • Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner. (DS4.4 Maintenance of the IT Continuity Plan, CobiT, Version 4.1)
  • Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan… (DS4.5 Testing of the IT Continuity Plan, CobiT, Version 4.1)
  • Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedure… (DS13.1 Operations Procedures and Instructions, CobiT, Version 4.1)
  • Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recove… (DS4.2 IT Continuity Plans, CobiT, Version 4.1)
  • Develop plans for responding to various types of crises and recovering from business disruption. (P8.2 Prepare to Address Crisis Situations, OCEG GRC Capability Model, v 3.0)
  • The business continuity documentation should be created and maintained by individuals who are tasked with this duty. The documentation may include: the business continuity policy; business impact analyses; threat and risk assessments; awareness and training programs; business continuity management s… (§ 5.5, § 8.3.1, § 8.7.1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • A maintenance program should be established that is clearly defined and documented. Whenever any external or internal changes occur that impact the organization, the plan should be reviewed. The review also should identify new services or products that may need to be included in the business continu… (§ 9.4, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The business continuity management policy, strategies, solutions, and plans should be regularly maintained and reviewed. Each component of the business continuity plan should be regularly reviewed and updated; updated when there are significant changes to personnel, operating environment, processes,… (§ 4.3 ¶ 4, § 5.4.1, § 8.3.5, BS 25999-1, Business continuity management. Code of practice, 2006)
  • A documented plan must be developed to detail how an incident will be managed and how the organization will maintain or recover activities to a predetermined level after a disruption. The business continuity and incident management plans must collectively contain the following information: existing … (§ 4.3.3.1, § 4.3.3.3, BS 25999-2, Business continuity management. Specification, 2007)
  • Business continuity management arrangements must be validated by testing and reviewing and must be kept up-to-date. The business continuity management arrangements must be reviewed at defined intervals to ensure they are adequate, suitable, and effective. The business continuity appropriateness and … (§ 4.4.1, § 4.4.3.1, § 4.4.3.2, § 4.4.3.3, BS 25999-2, Business continuity management. Specification, 2007)
  • § 5.2 ¶ 3(f) The Information Technology Service Continuity (ITSC) strategies can be improved continuously, only if the pre-defined service levels are being monitored, measured, analyzed, and reported on constantly. § 9.5 ¶ 2 Contingency plan test results should be documented, and the continuity … (§ 5.2 ¶ 3(f), § 9.5 ¶ 2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Decide the structure, format, components and content of the organization's business continuity plan. The plan should have an appointed owner, clearly defined objectives and scope and a clear planning process. Once these things are in place, information should be gathered to populate the plan with an… (Stage 3.2 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • A process should be established that ensures the organization's BCM strategy planning is regularly reviewed and updated as needed. A regular review of business continuity plans and the organization's systems any time a major change is made to some aspect of the organization's technology, business p… (Stage 2.1 Process, Stage 5.2 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Contingency planning or disaster recovery planning, including responding to security incidents should be considered in physical and environmental security. This planning should include the coordination and logistics of the full scope of business activities. A plan that has not been successfully test… (§ 5.3.4 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The business continuity management (BCM) system should include defining BCM and its business value; describing the steps to deploy and maintain a BCM program; establishing BCM ownership; defining the BCM metrics to evaluate the program's progress; and deploying a BCM continuous quality program. (§ 5.1.A ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Techniques that can be used to evaluate business continuity maintenance include examining the document change history to ensure updates are recorded; reviewing the maintenance requirements to ensure specific individuals have been assigned to component maintenance and that management provides guidanc… (§ 5.7 ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Business unit or regional management should ensure a business continuity management continuous quality program has been deployed and the business continuity management definition is updated to define the business value. When system and business processes change, the recovery procedures must be updat… (§ 5.1.B ¶ 2, § 5.5 ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Business continuity plans should identify the potential sources of disruption; critical applications and processes, along with the acceptable downtime levels; acceptable response and recovery times; locations and storage mechanisms for backups; data back up frequency; alternate sites; equipment and … (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Business continuity plans should identify continuity test plans and maintenance activities. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization must develop incident prevention, preparedness, and response procedures to fit its needs. The procedures should address the following: the types of onsite hazards that exist (storage tanks, compressed gas, flammable materials) and the actions to take if a disruptive incident or acci… (§ 4.4.7 ¶ 3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization must develop, implement, and maintain procedures, with regard to the hazards, threats, risks, and its organizational resilience management system, to document, record, and communicate any changes and the management system and the results and evaluations of reviews. The organization … (§ 4.4.3 ¶ 1(a), § 4.4.7 ¶ 4, § 4.4.7 ¶ 6, § 4.6.3 ¶ 1(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The continuity plan should address contingencies for 3 major categories: natural, accidental, and human. The plan should be as simple as possible and should outline specific responsibilities for personnel assigned emergency responsibilities. (Revised Volume 3 1-I-7, Protection of Assets Manual, ASIS International)
  • The emergency plan should be reviewed and updated annually and after training drills, emergencies, personnel changes, procedural changes, and facility design changes. (Revised Volume 3 1-I-10, Protection of Assets Manual, ASIS International)
  • The Business Continuity strategy should help to ensure that Business Continuity planning is performed throughout the organization as a formal program of work (e.g., a Business Continuity program). (CF.20.01.05d, The Standard of Good Practice for Information Security)
  • The Business Continuity program should apply across the organization and require each individual business environment to develop and maintain comprehensive Business Continuity plans for critical parts of the organization (based on a Business Continuity risk assessment). (CF.20.02.05d, The Standard of Good Practice for Information Security)
  • The Business Continuity program should apply across the organization and require each individual business environment to keep Business Continuity plans and arrangements up-to-date. (CF.20.02.05g, The Standard of Good Practice for Information Security)
  • Business Continuity plans should include conditions for their invocation, sufficient detail so that they can be followed by individuals who do not normally carry them out, and arrangements for the secure storage of plans (e.g., off-site), and their retrieval in case of emergency. (CF.20.05.07, The Standard of Good Practice for Information Security)
  • Business Continuity plans should cover details about key activities. (CF.20.05.08, The Standard of Good Practice for Information Security)
  • Business Continuity plans should include the reconfiguring or restoring of the relevant elements of technical security infrastructure. (CF.20.05.09, The Standard of Good Practice for Information Security)
  • Business Continuity plans should be updated on a regular basis. (CF.20.05.11, The Standard of Good Practice for Information Security)
  • Each Business Continuity Plan should be reviewed regularly by business representatives, IT staff, and Information Security specialists to identify any need for changes (often referred to as a checklist test). (CF.20.05.10a, The Standard of Good Practice for Information Security)
  • Business continuity arrangements should be updated on a regular basis. (CF.20.06.11, The Standard of Good Practice for Information Security)
  • Before new systems are promoted into the live environment, contingency plans should be developed or updated. (CF.18.06.04b, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should help to ensure that Business Continuity planning is performed throughout the organization as a formal program of work (e.g., a Business Continuity program). (CF.20.01.05d, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should apply across the organization and require each individual business environment to develop and maintain comprehensive Business Continuity plans for critical parts of the organization (based on a Business Continuity risk assessment). (CF.20.02.05d, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should apply across the organization and require each individual business environment to keep Business Continuity plans and arrangements up-to-date. (CF.20.02.05g, The Standard of Good Practice for Information Security, 2013)
  • Business Continuity plans should include conditions for their invocation, sufficient detail so that they can be followed by individuals who do not normally carry them out, and arrangements for the secure storage of plans (e.g., off-site), and their retrieval in case of emergency. (CF.20.05.07, The Standard of Good Practice for Information Security, 2013)
  • Business Continuity plans should cover details about key activities. (CF.20.05.08, The Standard of Good Practice for Information Security, 2013)
  • Business Continuity plans should include the reconfiguring or restoring of the relevant elements of technical security infrastructure. (CF.20.05.09, The Standard of Good Practice for Information Security, 2013)
  • Business Continuity plans should be updated on a regular basis. (CF.20.05.11, The Standard of Good Practice for Information Security, 2013)
  • Each Business Continuity Plan should be reviewed regularly by business representatives, IT staff, and Information Security specialists to identify any need for changes (often referred to as a checklist test). (CF.20.05.10a, The Standard of Good Practice for Information Security, 2013)
  • Business continuity arrangements should be updated on a regular basis. (CF.20.06.11, The Standard of Good Practice for Information Security, 2013)
  • Before new systems are promoted into the live environment, contingency plans should be developed or updated. (CF.18.06.04b, The Standard of Good Practice for Information Security, 2013)
  • A predefined set of emergency policies that will preempt normal policies for the duration of a declared pandemic. These emergency policies are to be organized into different levels of response that match the level of business disruption expected from a possible pandemic disease outbre… (4.4, Pandemic Response Planning Policy)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for business resiliency and operational continuity to manage the risks of minor to catastrophic business disruptions. These policies, procedures, processes, and measures must protect t… (BCR-10, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities. (BCR-04, Cloud Controls Matrix, v4.0)
  • Audit plans, activities and operational action items focusing on data duplication, data access, and data boundary limitations shall be designed to minimize the risk of business process disruption. (CO-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations. (OP-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations; (§ 8.2 ¶ 2 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Risk management involves developing a Disaster Recovery Plan that defines a prioritized and organized disaster response, plans the continuance of the business operations, and plans for the recovery. (§ 4.3.7.1 ¶ 4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The service provider shall create, implement, and maintain a service continuity plan and an availability plan. (§ 6.3.2 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service continuity plan shall include procedures for a major loss of service. (§ 6.3.2 ¶ 2(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service continuity plan shall include availability targets when the plan is invoked. (§ 6.3.2 ¶ 2(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS. (§ 10.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, respo… (§ 5.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes… (§ 5.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. (§ 5.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • focus on the impact of events that could potentially disrupt operations, (§ 8.4.1 ¶ 3 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • be developed based on stated assumptions and an analysis of interdependencies, and (§ 8.4.1 ¶ 3 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • are reviewed within the context of promoting continual improvement, and (§ 8.5 ¶ 2 f), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • make changes to the business continuity management system, if necessary. (§ 10.1 ¶ 1 f), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal aud… (§ 5.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall conduct evaluations at planned intervals and when significant changes occur. (§ 9.1.2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall evaluate the BCMS performance and the effectiveness of the BCMS. (§ 9.1.1 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: (§ 9.3 ¶ 4, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; (§ 9.1.2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • audit results, (§ 9.3 ¶ 2 c) 3), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. (§ 9.3 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • update of the risk assessment, business impact analysis, business continuity plans and related procedures; (§ 9.3 ¶ 4 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to (§ 9.3 ¶ 4 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Each plan shall be usable and available at the time and place at which it is required. (§ 8.4.4.3 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • what will be done; (§ 6.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions. (§ 8.4.1 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery. (§ 8.4.4.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall implement and maintain selected business continuity solutions so they can be activated when needed. (§ 8.3.5 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • evaluate the suitability, adequacy and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans and procedures; (§ 8.6 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans; (§ 9.3.3.1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Plans, policies, and provisions should be documented, and a staff member at an appropriate level should be assigned responsibility for ensuring the documents are periodically reviewed and updated. The current versions, software, and asset inventories should be maintained by a configuration management syst… (§ 5.12, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • All policies, plans, and provisions should be periodically reviewed and updated. Outsourced service providers should ensure their emergency plans are kept up-to-date with any changes that are made in business practices and technology. (§ 5.12, § 7.15.5.1, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. (A.17.1.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Continuity plans should be developed and implemented. The plans should ensure the availability of system resources and information at the required level in the required time period. The plan should include roles and responsibilities; identify acceptable losses; describe how to recover and restore op… (§ 14.1.3, ISO 27002 Code of practice for information security management, 2005)
  • The continuity plan should be reviewed on a regular basis to determine whether it needs to be updated. (§ 14.1.5, ISO 27002 Code of practice for information security management, 2005)
  • The continuity plan should be updated when the system is upgraded, new equipment is purchased, personnel change, there is a new location, or new processes are added to the system. (§ 14.1.5, ISO 27002 Code of practice for information security management, 2005)
  • The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: (§ 8.7.2 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test a… (§ 8.7.2 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. (§ 17.1.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The back-up and recovery procedures should be reviewed at a specified, documented frequency. (§ 12.3.1 ¶ 7, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Conduct regular operational reviews to assess implementation success and epidemiological situation, and adjust operational plans as necessary (Pillar 1 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Efforts and resources at points of entry (POEs) should focus on supporting surveillance and risk communication activities. (Pillar 4: Points of entry, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Healthcare facilities should prepare for large increases in the number of suspected cases of COVID-19. Staff should be familiar with the suspected COVID-19 case definition, and able to deliver the appropriate care pathway. Patients with, or at risk of, severe illness should be given priority over mi… (Pillar 7: Case management, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Regularly monitor and evaluate the effectiveness of readiness and response measures at points of entry, and adjust readiness and response plans as appropriate (Pillar 4 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, CRI Profile, v1.2)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Develops a contingency plan for the information system that: (CP-2a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Develops a contingency plan for the information system that: (CP-2a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops a contingency plan for the information system that: (CP-2a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Develops a contingency plan for the information system that: (CP-2a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The security program, in relation to protecting personal information, should include Business Continuity Management plans and Disaster Recovery Plans. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • A business continuity plan should be created. The contents of the plan should be consistent with the strategies mentioned by the rules. In addition, the rules require each member to communicate to customers how prompt access to funds and securities will be arranged in the event the member can no lon… (R 3510(c), NASD Manual)
  • (R 3510(b), NASD Manual)
  • The plans (below) that are developed by the organization must be individual plans, integrated into a single plan, or a combination. The emergency operations/response plan must assign the responsibilities to carry out specific actions during an emergency; the prevention plan must create interim and l… (§ 5.8.3.2, § 5.8.3.4, § 5.8.3.5, § 5.8.3.6, § 5.8.3.7, § 5.8.3.8, § 5.11.1, § 5.11.2, § 5.11.3, § 5.11.5, § 5.11.6, Annex A.5.8.3.2, Annex A.5.8.3.4, Annex A.5.8.3.7, Annex A.5.8.3.8, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • The planning process must be performed routinely or when the system changes and the accuracy of the existing plan is questionable. (§ 5.8.1.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Each Responsible Entity shall implement its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP-009-6 Table R2 – Recovery Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-time Operations.] (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Does the information security policy cover Business Continuity? (§ B.1.4, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Does the information security policy cover disaster recovery? (§ B.1.15, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is there a documented policy for Business Continuity and Disaster Recovery that has been approved by management? (§ K.1, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include an annual review which includes critical functions? (§ K.1.2.16, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include an annual review which includes organizational structure? (§ K.1.2.16, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include an annual review which includes personnel changes? (§ K.1.2.16, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Does the Business Continuity and Disaster Recovery program include a maintenance schedule to revise and test the plan? (§ K.1.2.5, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Has a third party evaluated the Business Continuity and Disaster Recovery program in the past 12 months? (§ K.1.1, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Is the pandemic plan reviewed annually? (§ K.2.9, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Are there requirements to review and update the Business Continuity Plan for each significant business change to the critical supporting vendors? (§ V.1.67.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • App A § 3 ¶ 6: This section lists 14 statements that define what an acceptable contingency plan should include and the list is not all-inclusive. § 3.4 ¶ 1: CMS business partners shall develop and document an IT systems contingency plan. The contingency plan must describe the implemented arrange… (App A § 3 ¶ 6, § 3.4 ¶ 1, App A § 5 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 3.4 ¶ 3: The organization shall put updated contingency plans and test results in the contractor's System Security Profile. § 3.4 ¶ 4: CMS business partners shall submit newly developed and/or updated IT systems contingency plans to CMS within 10 working days after they have been approved by t… (§ 3.4 ¶ 3, § 3.4 ¶ 4, App A § 9, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 3.4 ¶ 1: Contingency plans shall be reviewed annually and whenever new systems are planned or new safeguards are contemplated. § 3.4 ¶ 3: CMS business partners shall review contingency plans 365 days from the date of the last review and/or update. The contingency plan shall be updated if a sig… (§ 3.4 ¶ 1, § 3.4 ¶ 3, App A § 6 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 5.2.1: Contingency plans must include all of the items listed in the CMS business partners Systems Security Manual, Appendix B. CSR 5.2.8: The organization must develop contingency plans, software procedures, and security and backup provisions to protect the system against improper data modifica… (CSR 5.2.1, CSR 5.2.8, CSR 5.11.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Contingency plans must be reviewed and updated, if required, whenever new safeguards are contemplated or new operations are planned, but at a minimum of every 3 years. (CSR 5.7.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • CSR 5.2.7: The organization must re-evaluate contingency plans before proposed changes are approved. CSR 5.7.2: Contingency plans must be reviewed and updated, if required, whenever new safeguards are contemplated or new operations are planned, but at a minimum of every 3 years. CSR 5.7.3: The organ… (CSR 5.2.7, CSR 5.7.2, CSR 5.7.3, CSR 5.7.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Airport operators must develop a contingency plan. (§ 1542.301(a), 49 CFR Part 1542, Airport Security)
  • The airport operator must review and update the contingency plan, as needed, to ensure all information contained in the plan is current. (§ 1542.301(a)(2), § 1542.301(a)(3), 49 CFR Part 1542, Airport Security)
  • Each agency must develop, document, and implement an information security program, which must include any information and information systems provided or managed by another agency or contractor. The program must include plans and procedures that ensure the continuity of operations for all agency inf… (§ 3544(b)(8), Federal Information Security Management Act of 2002)
  • The organization must have a Disaster Recovery Plan. (CODP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must have a Disaster Recovery Plan. (CODP-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must have a Disaster Recovery Plan. (CODP-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. (§ 164.308(a)(7)(ii)(C), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • (§ I.A.4.b(i), The National Strategy to Secure Cyberspace, February 2003)
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business conti… (Business Continuity Planning Process, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Include(s) emergency preparedness and crisis management plans that: (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Bas… (Business Continuity Plan Development, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine the existence of an appropriate enterprise-wide BCP. (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavaila… (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Examiners should review BCM strategies and determine whether the strategies: (IV Action Summary ¶ 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Management should develop business continuity plan(s) (BCP) with sufficient detail in relation to the entity's size and complexity. The BCP should address key business needs and incorporate inputs from all business units. (V Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Communications protocols, event management, business continuity, and disaster recovery. (V Action Summary ¶ 2 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Resilience. (IX Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • BCP. (IX Action Summary ¶ 2 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Assess the appropriateness of the entity's enterprise-wide BCP. (V, "Business Continuity Plan") (App A Objective 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Time to identify and implement solutions. (App A Objective 6:1b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Aligning BCM with business strategy and risk appetite. (App A Objective 2:4c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management implemented a comprehensive BCP that is reflective of the entity's risk environment. The BCP should outline the following: (App A Objective 8:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Assessing and updating business continuity strategies and plans to reflect the current business conditions and operating environment for continuous improvement. (App A Objective 2:5i, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Immediate steps to protect personnel and customers and minimize damage. (App A Objective 8:1d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Other procedures as applicable. Examples may include: (App A Objective 8:4d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management reviews and updates the business continuity program to reflect the current environment. Triggers that prompt maintenance and improvement of the BCM may include the following: (App A Objective 11:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A documentation process to ensure the institution's information assets and technology inventory and disaster recovery plans are updated as appropriate when patches are applied. (App A Objective 6.15.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • As part of the governance structure, financial institution management should ensure development, implementation, and maintenance of the following: - An effective IT risk management structure. - A comprehensive information security program. - A formal project management process. - An enterprise-wide … (I.B IT Responsibilities and Functions, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Process for business continuity planning. (App A Objective 2:7 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution maintains an adequate and up-to-date enterprise-wide business continuity plan. Determine whether the board oversees implementation and approves policies related to business continuity planning. (App A Objective 3:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • IT contingency planning and business recovery. (App A Objective 4:1 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Business continuity and resilience planning. (App A Objective 12:4 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the board of directors approved policies and management established and implemented policies, procedures, and responsibilities for an enterprise-wide business continuity program, including the following: (App A Objective 12:9, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Management responsibility to document, maintain, and test the plan and backup systems periodically according to risk. (App A Objective 12:9 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Annual review and approval of the business continuity program by the board of directors. (App A Objective 12:9 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Contingency planning is adequate; (TIER II OBJECTIVES AND PROCEDURES E.2. Bullet 7, FFIEC IT Examination Handbook - Audit, April 2012)
  • Contingency plans are appropriate for the size and complexity of the wire transfer function; and (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 8, FFIEC IT Examination Handbook - Audit, April 2012)
  • The organization should have plans for managing a pandemic event. A pandemic involves more complexity than a typical disaster. (Pg D-1, Pg D-6, Exam Tier I Obj 8.3, Exam Tier I Obj 10.5 (Testing Strategies), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The continuity plan should be maintained by integrating continuity planning into all business decisions; listing continuity planning responsibilities in job descriptions and personnel evaluations; and performing tests of the continuity plan and by individual or committee reviews. The pandemic plan s… (Pg 6, Pg 15, Pg 25 thru Pg 27, Pg D-7, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The continuity plan and pandemic plan should be updated on an annual basis. Updates should be conducted after changes in processes and after testing the continuity plan and based on audit recommendations. (Pg 4, Pg 6, Pg 21, Pg 27, Pg 28, Pg D-9, Pg G-5, Pg G-19, Exam Tier I Obj 2.6, Exam Tier I Obj 4.6, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization's continuity plan should be updated to address e-banking. (Pg 36, Obj 5.5, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The Board of Directors should update and approve the organization's continuity plan on an annual basis. (Pg 30, FFIEC IT Examination Handbook - Management)
  • Determine whether posted emergency procedures address: ▪ Personnel evacuation; ▪ Shutting off utilities; ▪ Powering down equipment; ▪ Activating and deactivating fire suppression equipment; and ▪ Securing valuable assets. (Exam Tier II Obj F.2, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should ensure the continuity plan test results are documented and the continuity plan is updated, as needed. (Pg 29, FFIEC IT Examination Handbook - Operations, July 2004)
  • Service provider(s) continuity plans should be integrated into the organization's continuity plan. (Pg 25, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization and service provider should continually review and update their continuity plans. (Pg 25, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Business continuity; (App A Tier 1 Objectives and Procedures Objective 2:3 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels. For financial institutions and service providers with complex retail payment operati… (Business Continuity Planning, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the adequacy of the financial institution's business continuity plans for a partial or complete failure of each retail payment system. Determine whether the plans include: (App A Tier 2 Objectives and Procedures E.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate the adequacy of the ACH contingency plan; determine whether the financial institution has tested it and whether it includes provisions for partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers. (App A Tier 2 Objectives and Procedures L.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization and the service provider(s) should each develop a continuity plan. (Pg 34, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federa… (Exam Tier II Obj 10.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (SP-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops a contingency plan for the information system that: (CP-2a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the contingency plan for the information system [FedRAMP Assignment: at least annually]. (CP-2d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops a contingency plan for the information system that: (CP-2a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops a contingency plan for the information system that: (CP-2a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the contingency plan for the information system [FedRAMP Assignment: at least annually]. (CP-2d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the contingency plan for the information system [FedRAMP Assignment: at least annually]. (CP-2d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must develop and implement a contingency plan. (Exhibit 4 CP-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • The organization must periodically review the contingency plan and update it, as necessary. (Exhibit 4 CP-5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Has management established and documented the Business Continuity Plan to ensure all systems and processes can be recovered in a timely way? (IT - Business Continuity Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the Business Continuity Plan or Disaster Recovery Plan reviewed at least annually or when significant changes in technology, infrastructure, or Information Technology services occur? (IT - Business Continuity Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • If the Disaster Recovery Plan has been invoked, was the Disaster Recovery Plan updated based upon the lessons learned? (IT - Business Continuity Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Business Continuity Plan or Disaster Recovery Plan include a provision to notify the National Credit Union Administration regional director inside of 5 days of a catastrophic act and filing a catastrophic act report in a reasonable time period? (IT - Business Continuity Q 23, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Implement procedures to periodically update the contingency plan. (§ 4.7.7 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • When information system contingency plans are being written, they must be coordinated with the other plans that are associated with the target system, such as information system security plans, facility-level plans, mission-essential function support, and organization-level plans. Contingency plans … (§ 3.1, § 4.5, App A, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The contingency plan should be maintained to accurately reflect procedures, system requirements, organizational structure, and policies. The plan should be reviewed and updated regularly as part of the change management process to ensure new information is documented and contingency measures are re… (§ 3.6, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.7., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review the contingency plan for the system [Assignment: organization-defined frequency]; (CP-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Addresses the sharing of contingency information; and (CP-2a.6., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; (CP-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop a contingency plan for the system that: (CP-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (CP-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (CP-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Develop a contingency plan for the system that: (CP-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; (CP-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.7., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses the sharing of contingency information; and (CP-2a.6., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review the contingency plan for the system [Assignment: organization-defined frequency]; (CP-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (CP-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review the contingency plan for the system [Assignment: organization-defined frequency]; (CP-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; (CP-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop a contingency plan for the system that: (CP-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.7., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Addresses the sharing of contingency information; and (CP-2a.6., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed (PR.IP-9, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents. (RC.RP Recovery Planning, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Response strategies are updated (RS.IM-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Recovery strategies are updated (RC.IM-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Recovery strategies are updated. (RC.IM-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The following ought to be in the written plan: • Emergency response: The initial actions to be taken that will protect lives and limit damage should be documented. • Recovery: Plan steps for continued support of critical functions. • Resumption: Determine what is required in order to return to… (§ 3.6.3, § 3.6.4.4, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • (§ 3.6.5, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure a contingency plan has been developed, reviewed and approved by senior personnel, disseminated throughout the organization, reviewed continuously, and that specific responsibilities and actions are defined for the implementation of th… (CP-2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizational records and documents should be examined to ensure the contingency plan is updated at least annually and specific responsibilities and actions are defined for the implementation of the contingency plan update control. Any problems discovered during the implementation of the contingenc… (CP-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops a contingency plan for the information system that: (CP-2a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops a contingency plan for the information system that: (CP-2a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops a contingency plan for the information system that: (CP-2a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyberse… (§ 6.2.6 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
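The ICS guidance above calls for restoring systems only from "known valid" backups. As an added illustration (not code from the ICS guide or any of the cited frameworks), the following script shows one way a contingency procedure can enforce that: a manifest of SHA-256 digests is authenticated with an HMAC under a key kept outside the backup store, and the restore step refuses any image whose digest is missing or does not match, or whose manifest fails authentication. The key value, file names and backup contents are constructed assumptions for the example.

```python
"""
Added example: verify a backup image is "known valid" before a restore.

A manifest records one SHA-256 digest per backup image and is signed with
an HMAC. The HMAC key is assumed to be held by the recovery team outside the
backup store, so an attacker who can alter backups cannot also re-sign the
manifest. verify_backup() returns "ok" only when the manifest authenticates
and the image digest matches; restore_if_valid() restores only in that case.
"""
import hashlib
import hmac
import json

# Assumed: key kept with the continuity plan, not beside the backups.
MANIFEST_KEY = b"example-manifest-key-change-me"

# Constructed sample backup images, as captured at plan-maintenance time.
GOOD_BACKUPS = {
    "plc-config-2024-01-15.bin": b"plc-config:v12:setpoints=...",
    "historian-2024-01-15.tar": b"historian archive bytes ...",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical JSON so the HMAC covers a stable byte sequence.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backups: dict, key: bytes) -> dict:
    """Record a digest per backup image and sign the record with an HMAC."""
    entries = {name: sha256_hex(data) for name, data in backups.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """True if the manifest's HMAC tag matches its entries under this key."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_backup(name: str, data: bytes, manifest: dict, key: bytes) -> str:
    """Return "ok" if the image may be restored, otherwise the reason it may not."""
    if not manifest_is_authentic(manifest, key):
        return "manifest-tampered"
    recorded = manifest["entries"].get(name)
    if recorded is None:
        return "unknown-backup"
    if not hmac.compare_digest(recorded, sha256_hex(data)):
        return "digest-mismatch"
    return "ok"


def restore_if_valid(name: str, data: bytes, manifest: dict, key: bytes, restore_fn) -> str:
    """Run restore_fn(name, data) only when the image verifies; return the status."""
    status = verify_backup(name, data, manifest, key)
    if status == "ok":
        restore_fn(name, data)
    return status


if __name__ == "__main__":
    manifest = build_manifest(GOOD_BACKUPS, MANIFEST_KEY)
    restored = []
    for name, data in GOOD_BACKUPS.items():
        print(name, restore_if_valid(name, data, manifest, MANIFEST_KEY,
                                     lambda n, d: restored.append(n)))
    # A swapped image fails the digest check and is not restored.
    print("swapped", restore_if_valid("plc-config-2024-01-15.bin", b"attacker image",
                                      manifest, MANIFEST_KEY, lambda n, d: restored.append(n)))
    print("restored:", restored)
```

In practice the manifest would be produced at backup time and stored with the plan documentation, and the restore runbook would call the verification step before any image is loaded onto a controller or server.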
  • Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. (T0070, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure the execution of disaster recovery and continuity of operations. (T0477, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. (T0548, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should consider implementing a controlled, audited, and manual override of automated mechanisms during emergencies. (SG.AC-4 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Management must review and approve the Continuity of Operations plan. (SG.CP-2 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review the Continuity of Operations plan after changes or problems and update it on an organizationally defined period. (SG.CP-6 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, document, and update a Critical Infrastructure and Key Resources protection plan. (App G § PM-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop an Information System contingency plan. (App F § CP-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review the contingency plan on a predefined frequency. (App F § CP-2.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must revise the contingency plan for organizational, system, or operational environment changes and for problems identified during contingency plan implementation, execution, or testing. (App F § CP-2.e, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review the results of the contingency plan tests and exercises and initiate any necessary corrective actions. (App F § CP-4.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop contingency plans for the different categories of disruptions or failures on the Industrial Control System. (App I § CP-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. (T0070, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure the execution of disaster recovery and continuity of operations. (T0477, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. (T0548, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning policy {organizationally documented frequency}. (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning procedures {organizationally documented frequency}. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented personnel}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented roles}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews the contingency plan for the information system {organizationally documented frequency}. (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing. (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning policy {organizationally documented frequency}. (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning procedures {organizationally documented frequency}. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented personnel}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented roles}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the contingency plan for the information system {organizationally documented frequency}. (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing. (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning policy {organizationally documented frequency}. (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning procedures {organizationally documented frequency}. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented personnel}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented roles}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the contingency plan for the information system {organizationally documented frequency}. (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing. (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning policy {organizationally documented frequency}. (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current contingency planning procedures {organizationally documented frequency}. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented personnel}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that is reviewed and approved by {organizationally documented roles}. (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the contingency plan for the information system {organizationally documented frequency}. (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing. (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops a contingency plan for the information system that: (CP-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develop a contingency plan for the system that: (CP-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; (CP-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (CP-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review the contingency plan for the system [Assignment: organization-defined frequency]; (CP-2d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses the sharing of contingency information; and (CP-2a.6., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.7., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; (CP-2d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Develops a contingency plan for the information system that: (CP-2a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The system rules shall define the service provision requirements. (§ A.3.a.2.a, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • business continuity and disaster recovery planning and resources; (§ 500.03 Cybersecurity Policy (e), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., TX-RAMP Security Controls Baseline Level 1)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., TX-RAMP Security Controls Baseline Level 1)
  • Develops a contingency plan for the information system that: (CP-2a., TX-RAMP Security Controls Baseline Level 1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., TX-RAMP Security Controls Baseline Level 1)
  • Reviews the contingency plan for the information system [TX-RAMP Assignment: at least annually]; (CP-2d., TX-RAMP Security Controls Baseline Level 1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (CP-2a.6., TX-RAMP Security Controls Baseline Level 2)
  • Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and (CP-1a.2., TX-RAMP Security Controls Baseline Level 2)
  • Develops a contingency plan for the information system that: (CP-2a., TX-RAMP Security Controls Baseline Level 2)
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; (CP-2e., TX-RAMP Security Controls Baseline Level 2)
  • Reviews the contingency plan for the information system [TX-RAMP Assignment: at least annually]; (CP-2d., TX-RAMP Security Controls Baseline Level 2)