Include technical preparation considerations for backup operations in the continuity plan.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain backup procedures for in scope systems., CC ID: 01258
  • Perform backup procedures for in scope systems., CC ID: 11692


  • O27.1: The organization shall establish backup, storage, and management methods that are consistent with the contingency plans. O63.2(2): The organization should consider requiring switching to a backup system in developing failure/disaster recovery routines. T24.4: The organization shall provide fo… (O27.1, O63.2(2), T24.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event t… (Critical components of information security 29) ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure. (Security Control: 0455; Revision: 2, Australian Government Information Security Manual)
  • Indicates that preparing for recovery is about putting place controls that will mitigate the consequences of a business interruption should it occur. Controls that are critical are back-up processes, records management and formal contingency arrangements with external parties. Back up procedures sho… (Pg 45 thru Pg 48, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The provisions governing the data backup procedures (excluding data archiving) shall be set out in writing in a data backup strategy. The requirements contained in the data backup strategy for the availability, readability and timeliness of the customer and business data as well as for the IT system… (II.7.51, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions. (§ 66(2)(d), UK Data Protection Act 2018 Chapter 12)
  • Are system back-ups and redundant servers in place in the event of a system failure or attack? (Table Row XII.15, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization have procedures and processes for securely switching to and from back-up systems, including expiring or short-term access privileges? (Table Row XII.23, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Strategies should be documented to recover any information that was not copied or backed up to another site, including both hardcopy and electronic formats. (§ 7.6 ¶ 3, BS 25999-1, Business continuity management. Code of practice, 2006)
  • An overview of methods that can be used to protect and recover data can be found in Annex F. (Annex F, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • 2.2 Process offers a specific set of procedures to bring critical business processes back on line after an interruption. These are: Create an overall process level BCM strategy within the parameters of the corporate recovery strategy From the business impact analysis and risk assessment identify bus… (Stage 2.2 Process, Stage 2.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Business continuity plans should identify locations and storage mechanisms for backups and data back up frequency. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obl… (BCR-12, Cloud Controls Matrix, v3.0)
  • Critical records should be "protected and recovered as needed" but do not require the use of an offsite media storage location. (§ 7.1, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Procedures exist to provide for backup, restoration, offsite storage, and Disaster Recovery consistent with the system availability and related security policies. (Availability Prin. and Criteria Table § 3.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must implement and monitor the status of backup and recovery controls. (PE 15.k, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • One or more processes for the backup and storage of information required to recover BES Cyber System functionality. (CIP-009-6 Table R1 Part 1.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • The organization must store standalone computer workstation backup data, software, and current operating procedures in accordance with the contingency plan. (CSR 5.11.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization will conduct system backups daily that are stored in a safe that is fireproof and only accessible to the IT Manager and senior executives. Additional backups will be stored off site weekly with a bonded provider. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • The disaster recovery plan must include the procedures for backing up essential software and information on a regular basis. (§ 8-615, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP includes appropriate hardware back-up and recovery. (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Integration with disaster recovery services to protect against data destruction. (IV.A Action Summary ¶ 3 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP lists alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. (App A Objective 8:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A formal backup and recovery plan exists for all critical business lines. (Domain 5: Assessment Factor: Resillience Planning and Strategy, PLANNING Baseline 1 ¶ 5, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Verify that appropriate policies, standards, and processes address business continuity planning issues including: ▪ Security; ▪ Project management; ▪ Change control process; ▪ Data synchronization, back-up, and recovery; ▪ Crises management (responsibility for disaster declaration and deal… (Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The service provider contract should address the requirements for backing up and storing data. (Pg 14, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Review the institution's policies and procedures regarding back-up systems. Assess whether: ▪ The institution maintains adequate back-up procedures and supplies for events such as equipment failures and line malfunctions. ▪ Supervisory personnel approve the acquisition and use of back-up equipme… (Exam Tier II Obj 10.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Backup files should be be created on a prescribed basis and rotated offsite often enough to avoid disruption if current files are lost or damaged. System application documentation should be maintained at the offsite location. The backup storage site should be geographically removed from the primary … (SC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Records should be protected against physical harm, and procedures should be established ensuring that current files can be recovered in the event of a computer failure. (§ 395C.05, GAO/PCIE Financial Audit Manual (FAM))
  • Has backup policies and procedures been established to ensure the timely restoration of critical services? (IT - Business Continuity Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • A key component of contingency planning is to maintain the integrity and security of system software and data. Data integrity keeps the data safe and accurate on the primary storage devices, and data security protects the on-site and off-site data against unauthorized access or use. Encryption is a … (§ 5.1.2 ¶ 1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The security plan should define a comprehensive backup and restore policy. In formulating this policy, the following should be considered: (§ ICS-specific Recommendations and Guidance ¶ 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Valuable data stored on a handheld device should be backed up regularly. If the data is backed up on a memory card, the memory card should be stored away from the device. (§ 4.1.3, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Establish alternative processing, exploitation and dissemination pathways to address identified issues or problems. (T0681, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must protect the backup information's integrity and confidentiality at the storage location. (SG.IR-10 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use a redundant secondary system for system backup that is not collocated with the primary system and should be able to be activated absent loss of information or disruption to operations. (App F § CP-9(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Define appropriate levels of system availability based on critical system functions and ensure that system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material… (T0051, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. (CP-9(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Bank systems should reduce bank vulnerability to system failures, unauthorized intrusions, and other problems. Back-up systems should be maintained and tested on a regular basis to minimize the risk of system failures and unauthorized intrusions. System failures and unauthorized intrusions may resul… (¶ 38, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)