Document the Recovery Point Objective for triggering backup operations and restoration operations.


CONTROL ID
01259
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Perform backup procedures for in scope systems., CC ID: 11692

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Back-ups should be related to control points in live processes (e.g., by using time-stamps). (CF.07.05.03e, The Standard of Good Practice for Information Security)
  • Critical timescales for data to be backed up should be identified (e.g., based on the availability requirements of information). (CF.07.05.04, The Standard of Good Practice for Information Security)
  • Critical timescales for data to be backed up should be identified (e.g., based on the availability requirements of information). (CF.07.05.05, The Standard of Good Practice for Information Security, 2013)
  • Back-ups should be related to control points in live processes (e.g., by using time-stamps). (CF.07.05.03d, The Standard of Good Practice for Information Security, 2013)
  • Maintenance error. An organization should implement safeguards to prevent maintenance error. If maintenance is not done regularly or mistakes are made during the maintenance process, the integrity of all related information is threatened. Safeguards to protect integrity in this case are listed below… (¶ 10.3.2, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. (PR.IP-4.3, CRI Profile, v1.2)
  • The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. (PR.IP-4.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact… (Business Impact Analysis, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The methods and strategies used for back-up and recovery operations should address the allowable downtimes and disruption impacts that were identified during the Business Impact Analysis (BIA) and should be integrated into the system architecture during the SDLC Acquisition/Development phase. The ch… (§ 3.4.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., TX-RAMP Security Controls Baseline Level 1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., TX-RAMP Security Controls Baseline Level 2)