Establish, implement, and maintain damage assessment procedures.


CONTROL ID
01267
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities. In particular, the funct… (3.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • When developing contingency plans, the organization shall develop a procedures manual that defines procedures for identifying damaged conditions. (O65.3(4), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Calls for the development of disaster assessment guidelines. This checklist helps ensure a good set of guidelines. Check yes or no for each item: The BCP clearly identifies the people involved in the disaster assessment; The notification process for those involved in the disaster assessment is clearl… (Pg 81, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures. (Art. 5.2. ¶ 2(i)(iii), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Does the IRS (incident response structure) and associated procedures include thresholds, assessment, activation, resource provision and communication? (Operation ¶ 20, ISO 22301: Self-assessment questionnaire)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures. (SEF-02, Cloud Controls Matrix, v3.0)
  • assess the nature and extent of a disruptive incident and its potential impact, (§ 8.4.2 ¶ 2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. (§ 9.1.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. (§ 8.7.3.3 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • Procedures must be implemented to conduct a situation analysis that includes a damage assessment to support the response and recovery operations. (§ 5.11.4, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • The nature and extent of a disruption must be determined in order to implement the contingency plan. The assessment should be completed as quickly as possible, and the safety of personnel must remain the number one priority. The following areas should be addressed, at a minimum, during an outage ass… (§ 4.2.3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • To determine how the ISCP will be implemented following a system disruption or outage, it is essential to assess the nature and extent of the disruption. The outage assessment should be completed as quickly as the given conditions permit, with personnel safety remaining the highest priority. When po… (§ 4.2.3 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Status of physical infrastructure (e.g., structural integrity of computer room, condition of electric power, telecommunications, and heating, ventilation and air-conditioning [HVAC]); (§ 4.2.3 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Inventory and functional status of system equipment (e.g., fully functional, partially functional, nonfunctional); (§ 4.2.3 ¶ 1 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Type of damage to system equipment or data (e.g., water, fire and heat, physical impact, electrical surge); (§ 4.2.3 ¶ 1 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))