Include a system acquisition process for critical systems in the emergency mode operation plan.


CONTROL ID: 01369
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include emergency operating procedures in the continuity plan. (CC ID: 11694)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Systems should be configured to have the spare capacity necessary standing by in accordance with the system's importance or purpose, and systems with long uninterrupted operations should be configured with spare capacity necessary standing by in accordance with its functions and restrictions. (T2.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Business continuity plans should identify equipment and network infrastructure availability. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Relevant risks should be assessed and then adequate steps taken to ensure critical equipment and services can be provided by vendors, which could include original equipment manufacturers and/or suppliers, within predetermined and agreed upon timeframes. Organizations that use their own equipment at … (§ 5.5.1, § 5.5.2, § 5.5.3, § 5.5.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Three strategies exist for equipment replacement. They are vendor agreements, equipment inventory, and existing compatible equipment. Vendor agreements are made between the organization and the hardware, software, and support vendors for emergency maintenance service by a service level agreement (SL… (§ 3.4.4, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • If the information system is damaged or destroyed or the primary site is unavailable, necessary hardware and software will need to be activated or procured quickly and delivered to the alternate location. Three basic strategies exist to prepare for equipment replacement. (§ 3.4.4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • If conditions require the system to be recovered at an alternate site, certain materials will need to be transferred or procured. These items may include shipment of data backup media from offsite storage, hardware, copies of the recovery plan, and software programs. Procedures should designate the … (§ 4.3.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Obtaining and installing necessary hardware components; (§ 4.3.2 ¶ 2 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must ensure required equipment and supplies are available at the alternate site or contracts are in place to support delivery in time to resume operations in the predefined time period. (App F § CP-7.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)