Include risk prioritized recovery procedures for each business unit in the recovery plan.


CONTROL ID: 01166
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Include restoration procedures in the continuity plan. (CC ID: 01169)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Individual critical business and support functions should formulate their own recovery strategies on how to achieve the recovery time-frame and to deliver the minimum level of critical services derived from the business impact analysis. This involves determination of an alternate site, total number … (3.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • For the first two phases, clear responsibilities should be established and activities prioritised. A recovery tasks checklist should be developed and included in the BCP. It is recognised that certain tasks involved in the full recovery phase may depend on the nature of the disaster concerned and th… (4.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The organization must determine the acceptable recovery time for and priority for each business process. (App 2-1 Item Number VI.7.1(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • If damage to important data files occur due to troubles and disasters, it is necessary to acquire backup copies and define the storage and management method for the early recovery of damaged files. (P39.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to define a response to a failure or disaster. (P116.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • As all systems are vulnerable, the FI should define its recovery and business resumption priorities. The FI should also test and practise its contingency procedures so that disruptions to its business arising from a serious incident may be minimised. (§ 8.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should define system recovery and business resumption priorities and establish specific recovery objectives including RTO and recovery point objective (RPO) for IT systems and applications. RTO is the duration of time, from the point of disruption, within which a system should be restored. RP… (§ 8.2.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should test the recovery dependencies between systems. Bilateral or multilateral recovery testing should be conducted where networks and systems are linked to specific service providers and vendors. (§ 8.3.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • FIs should clearly identify risks associated with the types of services being offered in the risk management process. The FI should also formulate security controls, system availability and recovery capabilities, which commensurate with the level of risk exposure, for all internet operations. (§ 12.0.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • For a foreign subsidiary, the recovery plans should have procedures to repatriate data and information for an orderly transition of operations when there is a financial failure. (Attach B ¶ 19, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • procedures for the recovery and restoration of critical services in an orderly manner to the recovery point, within the required timeframe, and to a level of service agreed with the business; (Attachment B ¶ 7(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The response and recovery plans should consider both short-term and long-term recovery options. The plans should: (3.7.3 84, Final Report EBA Guidelines on ICT and security risk management)
  • The plans should also consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics or unforeseen circumstances. (3.7.3 85, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should put BCPs in place to ensure that they can react appropriately to potential failure scenarios and that they are able to recover the operations of their critical business activities after disruptions within a recovery time objective (RTO, the maximum time within which a s… (3.7.2 81, Final Report EBA Guidelines on ICT and security risk management)
  • focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, a… (3.7.3 84(a), Final Report EBA Guidelines on ICT and security risk management)
  • determination of recovery objectives for the supporting ICT systems (e.g. typically determined by the business and/or regulations in terms of RTO and RPO); (Title 3 3.3.4(a) 54.a(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Have prioritized time frames been set for the resumption of all activities? (Operation ¶ 13, ISO 22301: Self-assessment questionnaire)
  • Develop plans for responding to various types of crises and recovering from business disruption. (OCEG GRC Capability Model, v. 3.0, P8.2 Prepare to Address Crisis Situations, OCEG GRC Capability Model, v 3.0)
  • The organization should assess the impacts of activities being disrupted over time; establish the maximum tolerable period of disruption by determining what the maximum amount of time can be before an activity is resumed, the minimum level that an activity needs to be performed at after it is resume… (§ 6.2.2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The disaster recovery plan should describe strategies to recover systems and information based on results from the business impact analysis. Recovery strategies should be developed independently for each IT system or component. (§ 5.5.A, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The Business Continuity program should require risk treatment options for Business Continuity to be identified and selected (i.e., accepting risks, avoiding risks, transferring risks, or mitigating risks). (CF.20.02.04c, The Standard of Good Practice for Information Security)
  • The Business Continuity program should require risk treatment options for Business Continuity to be identified and selected (i.e., accepting risks, avoiding risks, transferring risks, or mitigating risks). (CF.20.02.04c, The Standard of Good Practice for Information Security, 2013)
  • The organization should establish and maintain a data recovery capability. (Critical Control 8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • There shall be a defined and documented method for determining the impact of any disruption to the organization that must incorporate the following: - Identify critical products and services - Identify all dependencies, including processes, applications, business partners, and third party service … (BCR-09, Cloud Controls Matrix, v3.0)
  • Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process, CIS Controls, V8)
  • Business Continuity/Disaster Recovery. It is important that safeguards are in place to ensure the ongoing function of the business in the event of a disaster by providing the ability to recover each part of the business subsequent to a disruption in an appropriate time frame. Guidance on business co… (¶ 13.13, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and (§ 8.3.1 ¶ 2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • how the organization will continue or recover its prioritized activities within predetermined timeframes, (§ 8.4.4 ¶ 2 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • meet the requirements to continue and recover prioritized activities within the identified time frames and agreed capacity; (§ 8.3.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • meet the requirements to continue and recover prioritized activities within the identified time frames and agreed capacity; (§ 8.3.3 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • continue or recover prioritized activities within predetermined time frames; (§ 8.4.4.2 a) 1), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • establish priorities (using life safety as the first priority); (§ 8.4.2.3 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The entity shall discuss measures to address business continuity risks, including an identification of critical business operations and redundancies or other measures implemented to enhance resilience of the system or to reduce impact, including insurance against loss. (TC-TL-550a.2. 2, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. (RC.RP-1.2, CRI Profile, v1.2)
  • The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps. (RC.RP-1.5, CRI Profile, v1.2)
  • When planning and executing incident response and recovery activities, the organization takes into consideration sector-wide impact of its systems and puts a priority on response and recovery activities for those systems ahead of the other systems. (DM.RS-2.5, CRI Profile, v1.2)
  • Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. (RC.RP-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps. (RC.RP-1.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • When planning and executing incident response and recovery activities, the organization takes into consideration sector-wide impact of its systems and puts a priority on response and recovery activities for those systems ahead of the other systems. (DM.RS-2.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The contingency plan must identify what critical interfaces need to be established by the CMS business partner while recovering from a disaster. (CSR 5.2.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Procedures shall be developed (and implemented as needed) to enable critical business processes to continue protecting electronic protected health information when operating in emergency mode. (§ 164.308(a)(7)(ii)(C), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact… (Business Impact Analysis, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • BCP; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 3 Sub-Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Addresses the recovery of each business unit/department/function/application: (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • According to its priority ranking in the risk assessment; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Considering long-term recovery arrangements. (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Management should develop a BIA that identifies all business functions and prioritizes them in order of criticality, analyzes related interdependencies among business processes and systems, and assesses a disruption's impact through established metrics. The BIA should define recovery priorities and … (III.A Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Prioritization and procedures to recover functions, services, and processes. (App A Objective 8:1e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that recovery alternatives can accommodate the services and processing capabilities affecting critical operations, including: (App A Objective 8:5c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management developed a coordinated disaster recovery strategy for data centers, networks, servers, storage, service monitoring, user support, and related software. Verify that procedures address the following: (App A Objective 8:11, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Business continuity and disaster recovery plans. (App A Objective 10:2 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The recovery objectives should be used to determine which technologies, data, communications systems, facilities, and vital records must be recovered and list which personnel are essential for recovery. The continuity plan should include specific procedures for recovering each business function. (Pg 9, Pg 14, Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The continuity plan should include recovery targets for each retail product the organization offers. (Pg 35, Exam Tier II Obj 5.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization plans for the resumption of all missions and business functions within [FedRAMP Assignment: time period defined in service provider and organization SLA] of contingency plan activation. (CP-2(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Plan for the resumption of [FedRAMP Assignment: all] mission and business functions within [FedRAMP Assignment: time period defined in service provider and organization SLA] of contingency plan activation. (CP-2(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Plan for the resumption of [FedRAMP Assignment: all] mission and business functions within [FedRAMP Assignment: time period defined in service provider and organization SLA] of contingency plan activation. (CP-2(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • The continuity plan must address allowable outage times and associated priorities. (§ 4.7.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(4) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Plan, execute, and verify data redundancy and system recovery procedures. (T0186, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Capture and integrate essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event. (T0440, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • In addition, other stakeholders may have their own risk management strategies or may be represented by an official within these entities (e.g., a system security officer to represent the security concerns of program managers whose proprietary information is handled by the system of interest) with a … (3.2.1.1 ¶ 4, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Restate and prioritize cyber resiliency objectives and sub-objectives. Identify, restate, and prioritize capabilities or activities that are needed to achieve relevant sub-objectives based on the identified threat context. These constructs are restated in terms that are meaningful in the architectur… (3.2.1.5 ¶ 1 Bullet 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • The identification of potential areas of improvement typically relies on the interpretation and prioritization of cyber resiliency constructs performed earlier. Potential cyber resiliency techniques or implementation approaches can be identified in system-specific terms, mapped to system elements or… (3.2.3.3 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can be linked more clearly to critical mission/business processes and functions. Priority levels can be established for sequencing recovery activities and resources. (§ 3.2 ¶ 2 (3), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Developing recovery priorities is the last step of the BIA process. Recovery priorities can be effectively established taking into consideration mission/business process criticality, outage impacts, tolerable downtime, and system resources. The result is an information system recovery priority hiera… (§ 3.2.3 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Several alternative approaches should be considered when developing and comparing strategies, including cost, maximum downtimes, security, recovery priorities, and integration with larger, organization-level contingency plans. Table is an example that can assist in identifying the linkage of FIPS 19… (§ 3.4.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Obtaining and loading backup media; (§ 4.3.2 ¶ 2 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Recovery procedures should be written in a straightforward, step-by-step style. To prevent difficulty or confusion in an emergency, no procedural steps should be assumed or omitted. A checklist format is useful for documenting the sequential recovery procedures and for troubleshooting problems if th… (§ 4.3.2 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When recovering a complex system, such as a wide area network (WAN) or virtual local area network (VLAN) involving multiple independent components, recovery procedures should reflect system priorities identified in the BIA. The sequence of activities should reflect the system's MTD to avoid signific… (§ 4.3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Use results from the BIA. Impacts and priorities discovered through the BIA of associated LANs and/or WANs should be reviewed to determine recovery requirements and priorities. (§ 5.2.1 ¶ 3 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Utilize results from the BIA. Impacts and priorities identified through the BIA of associated systems supporting organizational critical mission/business processes should be reviewed to determine recovery requirements and priorities. (§ 5.4.1 ¶ 1 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Determine mission/business processes and recovery criticality. Mission/Business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that … (§ 3.2 ¶ 2 (1), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Backup and recovery methods and strategies are a means to restore system operations quickly and effectively following a service disruption. The methods and strategies should address disruption impacts and allowable downtimes identified in the BIA and should be integrated into the system architecture… (§ 3.4.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Development/Acquisition Phase. As initial concepts evolve into information system development, specific contingency solutions may be determined. As in the Initiation phase, technical contingency planning considerations in this phase should reflect system and operational requirements. The design shou… (Appendix F ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must develop and implement a Continuity of Operations plan that includes the issue of maintaining or reestablishing operations when there is an interruption. (SG.CP-2 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must provide the capability for the system to be recovered and reconstituted to a known secure state after a failure, compromise, or disruption. A known secure state means that security-critical patches are reinstalled; system parameters are set to secure values; documentation and o… (SG.CP-10 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should provide the necessary compensating security controls for any circumstances that inhibit recovery to a known, secure state. (SG.CP-10 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should plan for the resumption of essential missions and business functions in a predefined time period of the contingency plan being activated. (App F § CP-2(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should plan to fully resume the missions and business functions in a predefined period of time of the contingency plan being activated. (App F § CP-2(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Capture and integrate essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event. (T0440, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization plans for the resumption of essential missions and business functions within {organizationally documented time period} of contingency plan activation. (CP-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization plans for the resumption of all missions and business functions within {organizationally documented time period} of contingency plan activation. (CP-2(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization plans for the resumption of essential missions and business functions within {organizationally documented time period} of contingency plan activation. (CP-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization plans for the resumption of all missions and business functions within {organizationally documented time period} of contingency plan activation. (CP-2(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization plans for the resumption of essential missions and business functions within {organizationally documented time period} of contingency plan activation. (CP-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Recovery actions are selected, scoped, prioritized, and performed (RC.RP-02, The NIST Cybersecurity Framework, v2.0)
  • The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. (CP-2(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)