Train personnel on the continuity plan.

CONTROL ID: 00759
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational and Systems Continuity, CC ID: 00731

This Control has the following implementation support Control(s):
  • Utilize automated mechanisms for more realistic continuity plan training., CC ID: 01387
  • Incorporate simulated events into the continuity plan training., CC ID: 01402
  • Include cross-team coordination in continuity plan training., CC ID: 16235
  • Include stay at home order training in the continuity plan training., CC ID: 14382
  • Include personal protection in continuity plan training., CC ID: 14394


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number I.5(3): The organization must ensure employee training is included in the business continuity plan to enable personnel to carry out procedures quickly and properly when a threat occurs. App 2-1 Item Number VI.7.2(4): Employee educational training policies must be defined; trainin… (App 2-1 Item Number I.5(3), App 2-1 Item Number VI.7.2(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O65.3(8): When developing contingency plans, the organization shall define maintenance and control programs, such as training personnel. O83: The organization shall provide training and education on handling computer system operations during disasters or failures. O83.1: The organization shall implem… (O65.3(8), O83, O83.1, O83.2(1), O83.2(2), O83.2(3), O84, O84.2(1), O84.2(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O80.2: The organization should periodically conduct security education and training and when security-related accidents occur. O82.1(1): The organization should provide education and training when new staff is assigned, software is changed, a new system is installed, and at other opportunities to en… (O80.2, O82.1(1), O82.1(2), O83.3(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For any computer systems only used in some departments, education and training should be implemented depending on the significance. For implementation of education and training, consideration should be given to ensure conformance with the company-wide contingency plan. (C16.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • All parties concerned, including those from the service provider, should receive regular training in activating the contingency plan and executing recovery procedures. (§ 5.1.8, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexit… (Art. 13.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • implement, as appropriate, relevant operational conclusions resulting from the tests referred to in point (g) and from post-incident analysis into the ICT risk assessment process and develop, according to needs and ICT risk profile, ICT security awareness programmes and digital operational resilienc… (Art. 16.1. ¶ 2(h), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Has the organization ensured that those persons who can affect the performance and effectiveness of the BCMS are competent on the basis of appropriate education, training or experience, or has action been taken to ensure that those persons can gain the necessary competence? (Support ¶ 4, ISO 22301: Self-assessment questionnaire)
  • Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests. (DS4.6 IT Continuity Plan Training, CobiT, Version 4.1)
  • Appropriate training should be arranged or provided by the organization for all staff members. A process should be used to identify and deliver the business continuity management training requirements and to evaluate the effectiveness of the delivery. Business continuity management staff should rece… (§ 5.3.1, § 10.3, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The organization must ensure all personnel assigned business continuity responsibilities have the competence to perform their tasks by determining the necessary competencies; conducting an analysis on personnel training needs; providing the training; ensuring the personnel gain the necessary compete… (§ 3.2.4, BS 25999-2, Business continuity management. Specification, 2007)
  • There are three activities for systems continuity training. These three are: Training and Awareness Design; Training and Awareness Delivery Planning; Training and Awareness Delivery. The first activity entails designing a training and awareness program. It is recommended that formal learning events be … (Stage 4.2 Process, Stage 5.2 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Business continuity awareness training should be conducted annually, at a minimum, to ensure the staff understands their roles and emergency response activities. Crisis management training is vital. (§ 5.6 ¶ 1, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization should include emergency response and incident personnel training when it develops its incident prevention, preparedness, and response procedures. The organization must ensure all persons who perform actions during an incident have the appropriate training, education, or experience.… (§ 4.4.7 ¶ 3(o), § 4.4.7 ¶ 5, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Individuals involved in emergencies should be regularly trained on their duties. (Revised Volume 3 1-I-12, Protection of Assets Manual, ASIS International)
  • The Business Continuity strategy should help to ensure that Business Continuity Management is embedded in the organization's culture (e.g., by promoting Business Continuity via regular communications throughout the organization and training / educating staff in Business Continuity activities). (CF.20.01.05a, The Standard of Good Practice for Information Security)
  • Individuals should be informed of their responsibilities regarding the Business Continuity Plan and provided with relevant training / tools to fulfil them. (CF.20.05.04, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should help to ensure that Business Continuity Management is embedded in the organization's culture (e.g., by promoting Business Continuity via regular communications throughout the organization and training / educating staff in Business Continuity activities). (CF.20.01.05a, The Standard of Good Practice for Information Security, 2013)
  • Individuals should be informed of their responsibilities regarding the Business Continuity Plan and provided with relevant training / tools to fulfil them. (CF.20.05.04, The Standard of Good Practice for Information Security, 2013)
  • provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control. (§ 8.2 ¶ 2 f), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, (§ 8.5 ¶ 2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Organizations and service providers should ensure ICT disaster recovery training is completed by all staff members, especially new staff members in order to assume and discharge their responsibilities in a competent manner. Before being assigned responsibilities, they should be assessed as competent… (§ 5.9.1, § 5.9.2, § 5.9.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Carry out training to address any skills and performance deficits (Pillar 6 Step 3 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Prepare staff surge capacity and deployment mechanisms; health advisories (guidelines and SOPs); pre- and post-deployment package (briefings, recommended/mandatory vaccinations, enhanced medical travel kits, psychosocial and psychological support, including peer support groups) to ensure staff well-… (Pillar 8 Step 2 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • When required by information system changes; and (CP-3b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • When required by information system changes; and (CP-3b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • When required by information system changes; and (CP-3b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • When required by information system changes; and (CP-3b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Recovery plans for BES Cyber Systems; (CIP-004-6 Table R2 Part 2.1 Requirements 2.1.7., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Recovery plans for BES Cyber Systems; (CIP-004-7 Table R2 Part 2.1 Requirements 2.1.7., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Does the Business Continuity and Disaster Recovery program include awareness and education activities? (§ K.1.2.6, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization shall train IT management and staff to handle system disruption or emergency situations in data centers and areas where there are data processing systems. (App A § 4.1 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 5.2.1: The organization must provide annual training on the contingency plan. CSR 5.6.1: The organization must give training to employees and ensure they understand their emergency roles and responsibilities. CSR 5.6.2: The organization must provide periodic training in emergency water, fire, an… (CSR 5.2.1, CSR 5.6.1, CSR 5.6.2, CSR 5.6.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the S… (§242.1004 ¶ 1(b), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Individuals involved in emergencies should be regularly trained on their duties. The airport operator must ensure all individuals know what their responsibilities are when the contingency plan is activated. (§ 1542.301(a)(3), 49 CFR Part 1542, Airport Security)
  • Data backup and storage—centralized or decentralized approach. (§ 5.2.1.4 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Employee training; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crisis Management; - Incident Response; - Remote Access; - Employee Trainin… (Other Policies, Standards and Processes, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCM program includes training and awareness to educate stakeholders about the entity's continuity objectives and BCM goals. (VI, "Training") (App A Objective 9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Management should implement a business continuity training program for all stakeholders. (VI Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Extent of targeted business continuity training provided to stakeholders, such as personnel, business continuity program staff, and the board. (VI Action Summary ¶ 2 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Process for reviewing and updating the business continuity training program. (VI Action Summary ¶ 2 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Validate that management incorporates significant business continuity concepts, interdependencies, disruption impacts, and operations resilience into the training program. (App A Objective 9:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implements a training program to educate stakeholders about the BCM goals and objectives. Elements may include: (App A Objective 9:1c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the training program aligns with the entity's BCM strategy. Determine whether management does the following: (App A Objective 9:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Familiarize staff with recovery processes. (App A Objective 10:11d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that personnel are adequately trained and knowledgeable of recovery plans and procedures. (App A Objective 10:11e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A comprehensive continuity training program should be developed. The training should be used for new and existing employees and should be conducted continuously. The training should ensure all employees understand their roles and responsibilities. The training program should include training on secu… (Pg 4, Pg 13, Pg 14, Pg 29, Pg 32, Pg G-3, Pg G-5, Exam Tier I Obj 4.4, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Employees should be trained on recognizing events that can cause the continuity plan to be activated. Personnel should be trained on how to perform the appropriate procedures within the timeframes stated in the continuity plan. (Pg 35, Exam Tier II Obj F.4, FFIEC IT Examination Handbook - Operations, July 2004)
  • (SC-2.3, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Within [FedRAMP Assignment: ten (10) days] of assuming a contingency role or responsibility; (CP-3a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (CP-3b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (CP-3c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Within [FedRAMP Assignment: ten (10) days] of assuming a contingency role or responsibility; (CP-3a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (CP-3b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (CP-3c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Within [FedRAMP Assignment: ten (10) days] of assuming a contingency role or responsibility; (CP-3a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (CP-3b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (CP-3c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., FedRAMP Security Controls High Baseline, Version 5)
  • When required by system changes; and (CP-3a.2., FedRAMP Security Controls High Baseline, Version 5)
  • [FedRAMP Assignment: at least annually] thereafter; and (CP-3a.3., FedRAMP Security Controls High Baseline, Version 5)
  • Within [FedRAMP Assignment: *See Additional Requirements] of assuming a contingency role or responsibility; (CP-3a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., FedRAMP Security Controls Low Baseline, Version 5)
  • When required by system changes; and (CP-3a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • [FedRAMP Assignment: at least annually] thereafter; and (CP-3a.3., FedRAMP Security Controls Low Baseline, Version 5)
  • Within [FedRAMP Assignment: *See Additional Requirements] of assuming a contingency role or responsibility; (CP-3a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • When required by system changes; and (CP-3a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • [FedRAMP Assignment: at least annually] thereafter; and (CP-3a.3., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Within [FedRAMP Assignment: *See Additional Requirements] of assuming a contingency role or responsibility; (CP-3a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Train personnel with defined contingency plan responsibilities on their roles. (§ 4.7.7 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Training should focus on familiarizing the personnel with their roles and teaching them skills to fulfill these roles. Training should be done annually, and newly appointed personnel should be trained soon after their appointment. Personnel should be trained so that they can accomplish their roles a… (§ 3.5.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • When required by system changes; and (CP-3a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • When required by system changes; and (CP-3a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • When required by system changes; and (CP-3a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • When required by system changes; and (CP-3a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • When required by system changes; and (CP-3a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • When required by system changes; and (CP-3a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • When required by system changes; and (CP-3a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.6.4.4, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure personnel with significant roles in the contingency plan are identified and trained; initial and refresher training is provided at least annually; a record is present of the specific training that was received and when it is maintaine… (CP-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (CP-3b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (CP-3b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (CP-3b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyberse… (§ 6.2.6 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensure plan testing, training, and exercises; and (§ 3 ¶ 1 (6), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Training requirements; (§ 3.1 ¶ 1 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Training for personnel with contingency plan responsibilities should focus on familiarizing them with ISCP roles and teaching skills necessary to accomplish those roles. This approach helps ensure that staff is prepared to participate in tests and exercises as well as actual outage events. Training … (§ 3.5.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Having selected and implemented the backup and system recovery strategies, the ISCP Coordinator must designate appropriate teams to implement the strategy. Each team should be trained and ready to respond in the event of a disruptive situation requiring plan activation. Recovery personnel should be … (§ 3.4.6 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Purpose of the plan; (§ 3.5.2 ¶ 1 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • An ISCP should be maintained in a state of readiness, which includes having personnel trained to fulfill their roles and responsibilities within the plan, having plans exercised to validate their content, and having systems and system components tested to ensure their operability in the environment … (§ 3.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel with outage assessment responsibilities should understand and be able to perform these procedures in the event the plan is inaccessible during the situation. Once impact to the system has been determined, the appropriate teams should be notified of updated information and the planned respo… (§ 4.2.3 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel should be chosen to staff these teams based on their skills and knowledge. Ideally, teams are staffed with personnel responsible for the same or similar functions under normal conditions. For example, server recovery team members should include the server administrators. Team members must … (§ 3.4.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must train all personnel on their roles and responsibilities for Continuity Of Operations and provide refresher training on a predefined frequency. (SG.CP-4 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must train personnel in contingency roles and responsibilities to the system and provide scheduled refresher training. (App F § CP-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities. (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities within {organizationally documented time period} of assuming a contingency role or responsibility. (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes. (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities {organizationally documented frequency} thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities. (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities within {organizationally documented time period} of assuming a contingency role or responsibility. (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes. (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities {organizationally documented frequency} thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities. (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities within {organizationally documented time period} of assuming a contingency role or responsibility. (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes. (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities {organizationally documented frequency} thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities. (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities within {organizationally documented time period} of assuming a contingency role or responsibility. (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes. (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities {organizationally documented frequency} thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • When required by information system changes; and (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • When required by information system changes; and (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • When required by information system changes; and (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • When required by information system changes; and (CP-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (CP-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • When required by system changes; and (CP-3a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide contingency training to system users consistent with assigned roles and responsibilities: (CP-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Assignment: organization-defined frequency] thereafter; and (CP-3a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • When required by system changes; and (CP-3a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; (CP-3a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Each covered entity shall provide relevant training to all employees responsible for implementing the plans regarding their roles and responsibilities. (§ 500.16 Incident Response and Business Continuity Management (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, TX-RAMP Security Controls Baseline Level 1)
  • When required by information system changes; and (CP-3b., TX-RAMP Security Controls Baseline Level 1)
  • Within [TX-RAMP Assignment: 10 days] of assuming a contingency role or responsibility; (CP-3a., TX-RAMP Security Controls Baseline Level 1)
  • [TX-RAMP Assignment: at least annually] thereafter. (CP-3c., TX-RAMP Security Controls Baseline Level 1)
  • The organization provides contingency training to information system users consistent with assigned roles and responsibilities: (CP-3 Control, TX-RAMP Security Controls Baseline Level 2)
  • When required by information system changes; and (CP-3b., TX-RAMP Security Controls Baseline Level 2)
  • Within [TX-RAMP Assignment: 10 days] of assuming a contingency role or responsibility; (CP-3a., TX-RAMP Security Controls Baseline Level 2)
  • [TX-RAMP Assignment: at least annually] thereafter. (CP-3c., TX-RAMP Security Controls Baseline Level 2)