Include Wide Area Network continuity procedures in the continuity plan.


CONTROL ID: 01294
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Include Internet Service Provider continuity procedures in the continuity plan., CC ID: 00743

This Control has the following implementation support Control(s):
  • Include priority-of-service provisions in the telecommunications Service Level Agreements., CC ID: 01396
  • Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers., CC ID: 01397
  • Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards., CC ID: 01399
  • Require telecommunications service providers to have adequate continuity plans., CC ID: 01400


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization should use different Internet service providers to provide multiple Internet links. (Control: 1190, Australian Government Information Security Manual: Controls)
  • Telephone exchanges should be protected by having duplicate processors, function cards, and exchange lines, as well as an emergency bypass. (§ 1.4.4, ISF Security Audit of Networks)
  • The likelihood of critical business applications and technical infrastructure malfunctioning should be reduced by using Telecommunication Network links, and services that are proven to be robust and resilient. (CF.20.03.02d, The Standard of Good Practice for Information Security)
  • The likelihood of critical business applications and technical infrastructure malfunctioning should be reduced by using Telecommunication Network links, and services that are proven to be robust and resilient. (CF.20.03.02d, The Standard of Good Practice for Information Security, 2013)
  • Service providers should ensure they can provide telecommunications links that have sufficient connectivity and capacity for organizations to connect internationally and to key information services and feed providers without undue transmission delays and limitations. (§ 6.7.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Does the pandemic plan include specific "social distancing" criteria/techniques (work from home)? (§ K.2.5, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization must arrange for alternate telecommunication services. (CSR 5.10.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The availability of telecommunications services should be coordinated to ensure the resumption of services in a timely manner. The organization should have diversity in the telecommunications systems. (Pg 34, Pg E-2, Exam Tier I Obj 4.1, Exam Tier I Obj 10.7 (Testing Strategies), Exam Tier II Obj 2.3 (Scenarios), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should have at least one back-up telecommunications provider in case the primary provider cannot deliver the required services. For large and complex data centers, the organization should have multiple primary and secondary providers. (Pg 28, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should ensure the alternate site has enough telecommunications capacity for all of its clients. The continuity plan should contain procedures on how communications from the organization to the recovery site will be established. (Pg 28, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the… (CP-8 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the… (CP-8 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Differences in the solutions for LANs and WANs exist primarily due to geographic and connectivity ownership. The contingency solutions for WANs include all the solutions listed for LANs and client/server systems, plus when deciding the WAN solutions, the communications links connecting the systems s… (§ 5.3.2 ¶ 7 thru 9, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Alternate telecommunications service agreements should provide for the resumption of telecommunications services within a predefined period of time, if the primary telecommunications services are unavailable. Service agreements should be examined to ensure they are approved and then reviewed on a re… (CP-8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • WAN contingency solutions include all of the measures discussed for client/server systems and LANs. In addition, WAN contingency planning must consider the communications links that connect the disparate systems. WAN contingency strategies are influenced by the type of data routed on the network. A … (§ 5.3.2 ¶ 8, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must identify all alternate telecommunication services and start the necessary agreements to allow operations to be resumed inside a defined period. (SG.CP-8 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The information system provides the capability to employ {organizationally documented alternative communications protocols} in support of maintaining continuity of operations. (CP-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capa… (CP-8 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the … (CP-8 Control, TX-RAMP Security Controls Baseline Level 2)