Include system continuity procedures in the continuity plan.
CONTROL ID
01268
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies. (CC ID: 00735)

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Handling of terminal devices (P24.3. ¶ 1(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Note that the manuals must be consistent with the contingency plans. It is also necessary to regularly review the manuals under organizational management so as to keep them up-to-date. It is advisable to make the descriptions in the manuals, including operating procedures, clear, so that even less e… (P24.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Says system treatments for information systems should be made a part of the BCP. Treatments to consider are: use of secure and fireproof in-house storage facilities; agreements and activities required to transfer processing to other locations; provision for backup processing facilities (electronic and… (Pg 42 Information, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs. (DS11.1 Business Requirements for Data Management, CobiT, Version 4.1)
  • All equipment should be fully monitored to alert personnel of possible failures. If possible, the monitoring should be done in real time. (Annex E.2.3, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • (§ 7.1, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Cyber resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations). (DM.BE-3.1, CRI Profile, v1.2)
  • Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations). (DM.BE-3, CRI Profile, v1.2)
  • Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Operational processes (e.g., vulnerability and patch management). (App A Objective 8:2f Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • (SC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • (§ 395C.05, GAO/PCIE Financial Audit Manual (FAM))
  • Assess the relative criticality of specific applications and data in support of contingency plan components. (§ 4.7.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The problem of providing sufficient cyber resiliency properties and behaviors is inherently situated in a programmatic, operational, architectural, and threat context. This step is intended to ensure that the context is sufficiently understood and that cyber resiliency constructs can be interpreted … (3.2.1 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Each alternative can also be described in terms of the issues it resolves, the gaps it fills, or whether it provides improved protection for critical resources, reduced fragility, or the ability to address threats more effectively. Finally, each alternative can be assessed or described in terms of i… (3.2.5.2 ¶ 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • HA can be implemented at a single site, with all system redundancy resident at that site. This will keep the system running at an HA level as long as there is no interruption of the facility housing the system. However, when implementing HA products or services in a system, the ISCP Coordinator shou… (§ 5.1.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • For information system contingency planning, the ISCP Coordinator should consider technical measures from two perspectives when planning a system recovery strategy: (§ 5.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Contingency solutions are technically based and are used to implement the contingency strategy. (§ 5.5 ¶ 1 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Disposal Phase. Contingency considerations should not be neglected because an information system is retired and another system replaces it. Until the new system is operational and fully tested (including its contingency capabilities), the original system's ISCP should be maintained in a ready state … (Appendix F ¶ 11, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))