Test the continuity plan at the alternate facility.

CONTROL ID
01174
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Test the continuity plan, as necessary., CC ID: 00755

This Control has the following implementation support Control(s):
  • Include predefined goals and realistic conditions during off-site testing., CC ID: 01175
  • Coordinate testing the continuity plan with all applicable business units and critical business functions., CC ID: 01388
  • Automate the off-site testing to more thoroughly test the continuity plan., CC ID: 01389
  • Document the continuity plan test results and provide them to interested personnel and affected parties., CC ID: 06548
  • Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results., CC ID: 06553


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • the alternate sites for business and technology recovery should be activated; (6.1.3 Bullet 2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The FI should endeavour to operate from its recovery, secondary or alternate site periodically so as to have the assurance that its infrastructure and systems at these sites are able to support business needs for an extended period of time when production systems failover from the primary or product… (§ 8.2.4, Technology Risk Management Guidelines, January 2021)
  • The organization should implement a multi-year testing schedule to verify recovery operations at all locations, including offsite locations. (Attach B ¶ 9, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that e… (4.15 107(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • Users must test alternative office space solutions to ensure they can log on to the system. Volume (performance) testing must be done to verify that the desired number of users can be supported at the alternate office space. (§ 5.4.C ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization tests the contingency plan at the alternate processing site: (CP-4(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Do the Business Continuity and Disaster Recovery tests conducted at least annually include recovery site tests? (§ K.1.4.11, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Are sites switched over as part of normal operations or as part of a test? (§ V.1.64, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are sites never switched over as part of normal operations or as part of a test? (§ V.1.64.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are sites switched over on a weekly basis as part of the normal operations or as part of a test? (§ V.1.64.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are sites switched over on a monthly basis as part of normal operations or as part of a test? (§ V.1.64.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are sites switched over on an annual basis as part of normal operations or as part of a test? (§ V.1.64.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are sites switched over dependent on a change as part of normal operations or as part of a test? (§ V.1.64.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are sites switched over continuously as part of normal operations or as part of a test? (§ V.1.64.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Contingency plans must be tested at data centers that serve multiple contractors. Before testing, the organization must understand how contractor data is protected and/or kept separate. (App A § 6.2, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must test the contingency plan at the alternate processing site. (CSR 5.7.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • From the institution's alternative location to the TSPs' alternative location. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • From the institution's alternative location to the TSPs' primary location; and (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • From the institution's primary location to the TSPs' alternative location; (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:1 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The involvement of staff, technology, and facilities; (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 10, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether core and significant firm's strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guid… (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Exercise and test policies, expectations, and strategies that demonstrate the entity's ability to utilize alternate facilities. (VII Action Summary ¶ 2 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the exercise and test strategies allow management to demonstrate the entity's ability to support connectivity, functionality, volume, and capacity using alternate facilities. Strategies may include the following: (App A Objective 10:9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Conducting activities at alternate locations or facilities. (App A Objective 10:17f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Conducting activities at alternate locations or facilities. (App A Objective 10:16g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The test scenarios should include testing alternate facilities and third-party providers. The recovery site should be tested at least annually and when equipment or software changes. (Pg 21, Pg G-11, Exam Tier II Obj 2.3 (Scenarios), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The service provider should test the continuity plan at least once a year at the alternate site. (Pg 27, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization tests the contingency plan at the alternate processing site: (CP-4(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2) ¶ 1(a), FedRAMP Security Controls High Baseline, Version 5)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2) ¶ 1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Test the contingency plan at the alternate processing site: (CP-4(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Test the contingency plan at the alternate processing site: (CP-4(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2) ¶ 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure contingency plan testing is also accomplished at the alternate site. This will give involved personnel familiarity with the alternate site and ensure the site is capable of supporting operations during an emergency. (CP-4(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization tests the contingency plan at the alternate processing site: (CP-4(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2) ¶ 1(b) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • For high-impact systems, a full-scale functional exercise at an organization-defined frequency should be conducted. The full-scale functional exercise should include a system failover to the alternate location. This could include additional activities such as full notification and response of key pe… (§ 3.5.4 ¶ 2 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should test and exercise the Continuity of Operations plan at the alternate processing site. (SG.CP-5 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should test the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations. (App F § CP-4(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization tests the contingency plan at the alternate processing site. (CP-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources. (CP-4(2)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan at the alternate processing site. (CP-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources. (CP-4(2)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization tests the contingency plan at the alternate processing site: (CP-4(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization tests the contingency plan at the alternate processing site: (CP-4(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Test the contingency plan at the alternate processing site: (CP-4(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • To familiarize contingency personnel with the facility and available resources; and (CP-4(2) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • To evaluate the capabilities of the alternate processing site to support contingency operations. (CP-4(2) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Test the contingency plan at the alternate processing site: (CP-4(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)