Back

Establish, implement, and maintain the organization's call tree.


CONTROL ID
01167
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The incident management plan should contain or provide a reference to essential contact information for all key stakeholders. (§ 8.3.6, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The organization should include a list of contact details for all key personnel and aid agencies when it develops its incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(p), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • A list of emergency telephone numbers for key personnel should be maintained and updated regularly. (Revised Volume 3 Pg 1-I-21, Protection of Assets Manual, ASIS International)
  • The disaster recovery plan should include around-the-clock contact information for all key personnel. The call tree should be tested annually. A copy of the call tree should be stored at an off-site location, and incident response professionals should carry contact information with them at all times… (Action 1.3.4, Action 1.4.2, Action 1.4.3, SANS Computer Security Incident Handling, Version 2.3.1)
  • (R 3520, NASD Manual)
  • When there are dependancies upon critical service providers, does the Business Continuity and Disaster Recovery program include contact information for key personnel which is updated at least annually? (§ K.2.15.1, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; (Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The continuity plan should have a current list of all critical personnel. The organization should ensure the contact information for all employees is continually updated and maintained. (Pg 14, Pg 33, Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The contingency plan should contain notification procedures for disruptions that occur with or without prior notice. The procedures should describe methods for how recovery personnel will be notified during business and non-business hours. The notifications can be accomplished via various methods, e… (§ 4.2.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The notification strategy should define procedures to be followed in the event that specific personnel cannot be contacted. Notification procedures should be documented clearly in the contingency plan. Copies of the procedures can be made and located securely at alternate locations. A common manual … (§ 4.2.2 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))