
Include system continuity procedures in the continuity plan.


CONTROL ID: 01268
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies. (CC ID: 00735)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Says system treatments for information systems should be made a part of the BCP. Treatments to consider are: use of secure and fireproof in-house storage facilities; agreements and activities required to transfer processing to other locations; provision for backup processing facilities (electronic and… (Pg 42 Information, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs. (DS11.1 Business Requirements for Data Management, CobiT, Version 4.1)
  • All equipment should be fully monitored to alert personnel of possible failures. If possible, the monitoring should be done in real time. (Annex E.2.3, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • (§ 7.1, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Cyber resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations). (DM.BE-3.1, CRI Profile, v1.2)
  • Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations). (DM.BE-3, CRI Profile, v1.2)
  • Determine whether management has reviewed all interrelated components of each mission critical application and the underlying continuity strategy to determine "single point of failure" exposure. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Operational processes (e.g., vulnerability and patch management). (App A Objective 8:2f Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • (SC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • (§ 395C.05, GAO/PCIE Financial Audit Manual (FAM))
  • Assess the relative criticality of specific applications and data in support of contingency plan components. (§ 4.7.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The problem of providing sufficient cyber resiliency properties and behaviors is inherently situated in a programmatic, operational, architectural, and threat context. This step is intended to ensure that the context is sufficiently understood and that cyber resiliency constructs can be interpreted … (3.2.1 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Each alternative can also be described in terms of the issues it resolves, the gaps it fills, or whether it provides improved protection for critical resources, reduced fragility, or the ability to address threats more effectively. Finally, each alternative can be assessed or described in terms of i… (3.2.5.2 ¶ 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)