
Store an up-to-date copy of the continuity plan at the alternate facility.


CONTROL ID: 01171
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Disseminate and communicate the continuity plan to interested personnel and affected parties., CC ID: 00760

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Copies of the BCP document should be stored at locations separate from the primary sites. A summary of key steps to take in an emergency should be made available to senior management and other key personnel and kept by them in multiple locations (e.g. office, home, briefcase or AI’s website). (6.2.5, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Essential sections of contingency plans should be kept in the disaster headquarters, individual sites, and backup sites, and the essential sections should be accessible to every employee at any time. (P73.5., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should store copies of the recovery plan at an off-site location that is away from the primary site. (Attach B ¶ 13, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • All components required to enact the recovery plans would typically be located at a sufficient distance from the operational site(s) so that they are not impacted by the same disaster. This includes: recovery sites and hardware; backups of data/information and software; and copies of the recovery pl… (Attachment B ¶ 13, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The service continuity plans, contact lists, and the Configuration Management Database shall be accessible, even when access to normal service locations is not possible. (§ 6.3.2 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Duplicate disaster recovery plans, procedures, and other essential information should be kept off site at an easily accessible location. (§ 5.3.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. (§ 8.7.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Copies of the contingency plan shall be stored off-site. (App A § 5 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must store several copies of the contingency plan off-site at different locations, including the homes of key staff members. (CSR 5.7.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Contact information for the continuity plan should be maintained at an offsite location. The continuity plan and the recovery procedures should be maintained at the alternate site and the offsite storage locations. (Pg 33, Pg G-11, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Are the Business Continuity plans and the recovery procedures maintained in a secure way at the alternate site and the offsite storage location? (IT- Business Continuity Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • A copy of the contingency plan should be stored at the alternate site and with back-up media. (§ 3.6 ¶ 3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Because the ISCP contains potentially sensitive operational and personnel information, its distribution should be marked accordingly and controlled. Typically, copies of the plan are provided to recovery personnel for storage. A copy should also be stored at the alternate site and with the backup me… (§ 3.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))