Define the executive vision of the continuity planning process.


CONTROL ID
01243
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain a system continuity plan philosophy., CC ID: 00734

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Approval by top management should be obtained for contingency plans and the review of contingency plans of significant importance. (O65.6, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • States that a business continuity plan should contain objectives, scope and boundaries. Team roles and responsibilities should be established and relevant reference material for the plan should be collected. The plan should also: • document project objectives • define and document the project's scope a… (Pg 31, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The top management (and/or a member of the top management) is specified as the process owner of the business continuity and contingency management and bears the responsibility for the establishment of the process in the company and compliance with the policies. They must ensure that adequate resourc… (Section 5.14 BCM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The business continuity management policies scope should clearly define any exclusions or limitations that apply to the organization. (§ 4.3 ¶ 5, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The scope of the business continuity management system must be defined and business continuity objectives set, keeping in mind the business continuity requirements; the organization's objectives and obligations; acceptable risk levels; regulatory, statutory, and contractual duties; and key stakehold… (§ 3.2.1.1, BS 25999-2, Business continuity management. Specification, 2007)
  • Information Technology Service Continuity (ITSC) management should have significant sway on the information technology strategy to identify the information services and systems that will require high levels of availability, capacity, and resilience. The ITSC strategy should be agreed upon at the Boa… (§ 4 ¶ 2, § 5.1 ¶ 2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • An organization's business continuity management strategy works best when its vision, direction and parameters are given from the top of the organization. Pg 12 BCM Policy describes the BCM policy. The policy is to include: • The organization's definition of BCM • A documented set of BCM Princip… (Stage 2.1 Introduction, Pg 12 BCM Policy, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Continuity strategies for the scope of operations must be approved by the business continuity management sponsor and an appropriate team of managers. These individuals must own the continuity strategies for their team and ensure the business continuity and recovery solutions are implemented, if nece… (§ 5.4.D ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • In defining the scope of the organizational resilience management system, the organization must develop the organizational resilience management requirements, keeping in mind the mission of the organization, external and internal obligations, goals, and legal responsibilities. (§ 4.1.1 ¶ 2(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Management should consider the following when putting together a business continuity plan: identifying all assets; ensuring all risks are understood; ensuring the impact interruptions will have on the organization is understood; purchasing insurance; identifying additional controls; ensuring the saf… (§ 14.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization must have a documented program for program management that includes the executive policy. The executive policy must include a mission statement, vision, roles and responsibilities, and the enabling authority. The strategic plan must include definitions for the program's mission, vis… (§ 4.1(1), § 5.8.3.3, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Contingency plans should be straight to the point and should not contain more information than necessary. Users should not get bogged down in details. The contingency plan should be a "user's manual" and be easy to understand and implement. (App A § 3 ¶ 7, CMS Business Partners Systems Security Manual, Rev. 10)
  • Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitorin… (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery … (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Define the organization's overall contingency plan objectives. (§ 4.7.1 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • A contingency plan must have a clearly defined policy to ensure it is effective and that all personnel fully understand the organization's requirements for contingency planning. The policy statement must reflect the FIPS 199 impact levels and the controls for each of the levels. The key policy eleme… (§ 3.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)