Include emergency power continuity procedures in the continuity plan.


CONTROL ID: 01254
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies. (CC ID: 00735)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The control system shall provide the capability to switch to and from an emergency power supply without affecting the existing security state or a documented degraded mode. (11.7.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The data center should have some form of backup uninterruptible power supply (UPS). It should be sized according to the number of systems it will need to support and how long it needs to keep the systems running after a power failure. (Annex E.2.1, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Having uninterruptible power supplies and back-up generators available can greatly improve site resilience. UPSes and back-up generators can protect buildings and equipment from power failures. If the organization chooses to use these items, they need to be maintained and tested regularly to ensure … (Stage 2, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The organization should include critical infrastructure, such as electricity, that could be affected during an emergency or disruptive incident when it develops the incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(r), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Communications should be considered when establishing an emergency operating site. (Revised Volume 3 Pg 1-I-33, Protection of Assets Manual, ASIS International)
  • Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is consider… (¶ 8.1.7(6), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Alternative power supplies should be implemented for recovery sites to be used on a temporary basis and capable of powering all organizational recovery needs until normal power supplies have resumed. The necessary number of power generators should be made available and installed to prevent major pow… (§ 6.8.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization must have an uninterruptible power supply or a backup generator to shut down the system in an orderly manner. In the case of an extended primary power source loss, the organization must have a redundant and parallel power cabling path or a long-term alternate power supply that can p… (CSR 5.1.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Alternate power supplies (e.g. uninterruptible power source, back-up generators); (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Utilities; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Power single points of failure. (App A Objective 4:3d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The availability of power should be coordinated to ensure the resumption of services in a timely manner. (Pg 34, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether: ▪ Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator); ▪ Sufficient back-up telecommuni… (Exam Tier II Q D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • (SC-2.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Organizational records, documents, and the facility should be examined to ensure an Uninterruptible Power Supply (UPS) is installed to provide for the shutting down of the system when power is lost; tests have been performed on the UPS to ensure it functions; a secondary power system is available fo… (PE-11, PE-11(1), PE-11(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)