Back

Include restoration procedures in the continuity plan.


CONTROL ID
01169
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

This Control has the following implementation support Control(s):
  • Include risk prioritized recovery procedures for each business unit in the recovery plan., CC ID: 01166
  • Include the recovery plan in the continuity plan., CC ID: 01377
  • Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties., CC ID: 12758


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • the process for overseeing the recovery and restoration efforts of the affected facilities and the business services. (4.2.2 Bullet 7, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Recovery procedures and structures must be defined and assessed. The feasibility of the recovery procedures and structures must be verified by persons in charge of the user and operations departments. This is a control item that constitutes a greater risk to financial information. This is an IT gene… (App 2-1 Item Number VI.7.4(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O63: The organization shall establish measures to recover computer systems after a failure and/or disaster. These measures should correspond to the contingency plans. O65.3(6): When developing contingency plans, the organization shall develop a procedures manual that defines procedures for controlli… (O63, O65.3(6), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A data restoration process, and supporting data restoration procedures, is developed and implemented. (Security Control: 1548; Revision: 0, Australian Government Information Security Manual)
  • The organization should develop a Disaster Recovery Plan. (Control: 0914, Australian Government Information Security Manual: Controls)
  • The organization should rebuild the affected machine or restore compromised systems from a good known backup, whenever malicious code is detected. (Control: 0917 Bullet 9, Australian Government Information Security Manual: Controls)
  • Pg 50, Pg 51 requires that an organization assign procedures for restoration. Such procedures should not be spelled out as action steps, but rather through the use of guidance, particularly because it's easy for specific steps to become dated or fall out of context. Good restoration guidance include… (Pg 50, Pg 51, Pg 55, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The organization should develop a formal recovery plan. (Attach B ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recove… (3.7.3 83, Final Report EBA Guidelines on ICT and security risk management)
  • Restoration procedures, manual temporary solutions and reference information (by taking the prioritisation into account for the recovery of cloud infrastructure components and services as well as orienting to customers) (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 5, Cloud Computing Compliance Controls Catalogue (C5))
  • Processes are defined in order to be able to roll back required changes as a result of errors or security concerns and restore affected systems or services into its previous state. (Section 5.11 BEI-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Are there documented plans/procedures for restoring business operations after an incident? Do they reflect the needs of those who will use them and contain all the essential information they need? (Operation ¶ 26, ISO 22301: Self-assessment questionnaire)
  • When electronic means are damaged, suitable measures will be implemented to ensure data access is restored within 7 days. (Annex B.23, Italy Personal Data Protection Code)
  • ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and (§ 66(2)(c), UK Data Protection Act 2018 Chapter 12)
  • Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan. (DS11.5 Backup and Restoration, CobiT, Version 4.1)
  • The resources that will be required to resume services should be estimated by the organization. The resources may include the following: the numbers, skills, and knowledge of required staff; required facilities and work sites; any supporting plant and equipment technology; external suppliers and ser… (§ 6.4, § 7.2.1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Detailed procedures on how to recover each IT component should be developed. The procedures should be as comprehensive as possible and should be modified whenever the system changes. A full fail-back plan should be developed, with detailed procedures listed, with the same quality and documentation s… (§ 8.4.2 ¶ 1(c), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The organization must develop a plan to transition back to a normal state once recovery solutions have been successful. All manually collected data must be entered into the restored systems, financial and regulatory exceptions must be resolved, and product exchanges must be replenished or paid for. … (§ 5.4.D ¶ 1, § 5.5.A, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization should include the actions and procedures that are required for recovering critical activities within the target time period and required resources when it develops the incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(t), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The service continuity plan shall include procedures for returning to normal working conditions. (§ 6.3.2 ¶ 2(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • be effective in minimizing consequences through implementation of appropriate mitigation strategies. (§ 8.4.1 ¶ 3 f), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The continuity plan should assign roles for restoring the system. (§ 14.1.4, ISO 27002 Code of practice for information security management, 2005)
  • procedures to be implemented in the event of a major loss of service; (§ 8.7.2 ¶ 2(b), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • procedures for returning to normal working conditions. (§ 8.7.2 ¶ 2(e), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Procedures should be put in place to allow for restoration of data processing operations within a specified, documented period after a disruptive event. (§ 12.3.1 ¶ 6, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • There should be a procedure for, and a log of, data restoration efforts. (§ A.10.3 ¶ 2, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Procedures should be put in place to allow for restoration of data processing operations within a specified, documented period after a disruptive event. (§ 12.3.1 ¶ 5, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • There should be a procedure for, and a log of, data restoration efforts. (§ A.10.3 ¶ 2, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity's system availability and related security policies include recovering and continuing service in accordance with customer commitments or other agreements. (Availability Prin. and Critieria Table § 1.2 n, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide for the restoration and Disaster Recovery of the system consistent with the processing integrity policies. (Processing Integrity Prin. and Criteria Table § 3.20, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Finally, the ISSP should contain a Member's procedures to restore compromised systems and data, communicate with appropriate stakeholders and regulatory authorities and incorporate lessons learned into the ISSP. (Information Security Program Bullet 4 Response and Recovery from Events that Threaten the Security of the Electronic Systems ¶ 2, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Procedures shall be developed (and implemented as needed) to restore lost data. (§ 164.308(a)(7)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • An access point shall be restored to the latest security setting when the reset function is executed to ensure factory default settings are not used. (§ 5.5.7.1(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Recovery of data (e.g. backlogged transactions, reconciliation procedures); and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Establish procedures to recover critical networks and systems, including: (App A Objective 6:3e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Procedures for restoring backlogged activity or lost transactions to identify how transaction records will be brought current within expected recovery time frames. (App A Objective 8:11b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Is familiar with procedures to protect sensitive information, restores normal operations, and notifies the information security officer when necessary. (App A Objective 3:6h Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Restoration and follow-up strategies. (App A Objective 8.6.i, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • The continuity plan should describe the procedures employees should use to recover from a disaster. (Pg 14, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Based on the volume and importance of ACH activity, evaluate whether the plan is reasonable and whether it provides for a reasonable recovery period. (App A Tier 2 Objectives and Procedures L.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • (SC-3.1, SC-2.3, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider must define the circumstances that can inhibit recovery and reconstitution to a known state in accordance with the contingency plan. (Column F: CP-10(3), FedRAMP Baseline Security Controls)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • After the contingency plan has been activated, personnel have been notified, and appropriate teams have been mobilized, the recovery process begins. This phase focuses on restoring system capabilities, repairing damage, and resuming operational capabilities at the original or new permanent site. (§ 4.3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. (CP-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; (CP-2a.5., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. (CP-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; (CP-2a.5., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; (CP-2a.5., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. (CP-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; (CP-2a.5., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The contingency plan should be examined to ensure it has procedures for restoring information and the system in accordance with NIST Special Publication 800-34. (CP-2.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures for operating the ICS in manual mode with all external electronic connections severed until secure conditions can be restored. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 1 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyberse… (§ 6.2.6 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Recovery Actions. The results of the intrusion could be minor, or the intrusion could cause many problems in the ICS. Risk analysis should be conducted to determine the sensitivity of the physical system being controlled to failure modes in the ICS. In each case, step-by-step recovery actions should… (§ 6.2.8 ICS-specific Recommendations and Guidance ¶ 3 Bullet 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The Continuity of Operations plan must define the roles and responsibilities of assigned individuals, along with their contact information, and their duties to restore the system after a disruption or failure. (SG.CP-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a contingency plan and it must include procedures for obtaining full system restoration absent any deterioration of the security measures. (App F § CP-2.a Bullet 5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should consider restoring system state variables as part of the restoration process for an Industrial Control System. (App I § CP-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. (CP-2(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. (CP-2(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; (CP-2a.5., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. (CP-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The system rules shall define restoration priorities for the system. (§ A.3.a.2.a, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • As part of the licensee's information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee's p… (26.1-02.2-03. 8., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, TX-RAMP Security Controls Baseline Level 1)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., TX-RAMP Security Controls Baseline Level 1)
  • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (CP-2a.5., TX-RAMP Security Controls Baseline Level 2)
  • The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. (CP-10 Control, TX-RAMP Security Controls Baseline Level 2)