Document all supporting information in the continuity plan, such as purpose, scope, and requirements.


CONTROL ID: 01371
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

This Control has the following implementation support Control(s):
  • Include notifications to alternate facilities in the continuity plan., CC ID: 13220
  • Approve the continuity plan requirements before documenting the continuity plan., CC ID: 12778


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O7.3(2): The organization shall routinely provide the organizational chart to relevant personnel and routinely conduct a review of the organization, and when there are changes in personnel, that affect personnel responsible for disaster prevention, a revised organizational chart shall be provided. O… (O7.3(2), O65.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Talks about factors that may limit the recovery process. These factors include people, facilities, telecommunications, information systems and business processes and resources. With people, problems may include not having enough staff and staff that don't know how to recover from an event. With facil… (Pg 82, Pg 83, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial ins… (3.7.2 82, Final Report EBA Guidelines on ICT and security risk management)
  • The top management (and/or a member of the top management) is specified as the process owner of the business continuity and contingency management and bears the responsibility for the establishment of the process in the company and compliance with the policies. They must ensure that adequate resourc… (Section 5.14 BCM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Defined purpose and scope by taking the relevant dependencies into account (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Based on the business impact analysis, a uniform framework for planning the business continuity and business plan is introduced, documented and applied in order to ensure that all plans (e. g. of the different sites of the cloud provider) are consistent. The planning depends on established standards… (Section 5.14 BCM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The counter-terrorist contingency plan must include procedures for responding to specific threats, events, or items. (Mandatory Requirement 67.b, HMG Security Policy Framework, Version 6.0 May 2011)
  • Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recove… (DS4.2 IT Continuity Plans, CobiT, Version 4.1)
  • The business continuity plan should define the scope, be agreed upon by top management, and understood by everyone who has responsibility. If the plan is related to other documents, the other documents should be clearly referenced, along with how to access and obtain these documents. The plan should… (§ 8.3.2, § 8.7.5 ¶ 1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The plan must have a defined scope and purpose; be accessible and understood by all personnel who use it; be owned and reviewed, updated, and approved by the owner; and be aligned with relevant external contingency arrangements. (§ 4.3.3.2, BS 25999-2, Business continuity management. Specification, 2007)
  • The IT and information management systems recovery strategies should be described in the disaster recovery document. (§ 5.5 ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The Business Continuity Management team should maintain a central inventory for each individual business environment, which includes other important documents, such as Business Continuity Awareness and Training material, incident management plans, contracts, and test schedules. (CF.20.02.06e, The Standard of Good Practice for Information Security)
  • The Business Continuity Management team should maintain a central inventory for each individual business environment, which includes other important documents, such as Business Continuity Awareness and Training material, incident management plans, contracts, and test schedules. (CF.20.02.06e, The Standard of Good Practice for Information Security, 2013)
  • Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. (BCR-05, Cloud Controls Matrix, v4.0)
  • The service provider shall identify and agree on the service continuity requirements and availability requirements with customers and interested parties. (§ 6.3.1 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The availability requirements and service continuity requirements shall include the end-to-end availability of services. (§ 6.3.1 ¶ 2(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service continuity plan shall include the recovery requirements. (§ 6.3.2 ¶ 2(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The availability plan shall include the availability requirements and targets. (§ 6.3.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • define the purpose of the BCMS. (§ 4.1 ¶ 4 4), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The scope shall be available as documented information. (§ 4.3.1 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The scope shall be available as documented information. (§ 4.3.1 ¶ 3, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions; (§ 8.4.4.3 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the purpose, scope and objectives; (§ 8.4.4.3 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • service recovery requirements; (§ 8.7.2 ¶ 2(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization defines objectives for resumption of critical operations. (PR.IP-9.2, CRI Profile, v1.2)
  • The organization defines objectives for resumption of critical operations. (PR.IP-9.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • (R 3510(c), NASD Manual)
  • The Medicare IT systems contingency plan shall include attachments for materials that are too big for the body of the plan and shall be referenced in the plan. The attachments shall be a part of the system security profile. The information in the attachments is usually bulky and relates to the enti… (App A § 10, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization should have the provision for redundant systems and should have manual operating procedures included in the continuity plan. (Pg E-6, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should ensure it maintains an updated list of names and telephone numbers for the service provider and the procedures for staying in contact with the service provider in case there is an emergency. (Pg 28, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Identify the scope, resource requirements, training, testing, plan maintenance and backup requirements of the contingency plan. (§ 4.7.1 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The supporting information portion of the contingency plan includes an introduction and a concept of operations section. This provides contextual information or essential background that makes the contingency plan more understandable and easier to implement and maintain. These details help explain h… (§ 4.1 ¶ 1 thru 2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Identify potentially applicable techniques or approaches. If the set of potentially applicable techniques and approaches has already been identified, it can be narrowed by identifying the set of techniques and approaches related to prioritized objectives using Appendix D, Table D-13 or to potentiall… (3.2.3.3 ¶ 2 Bullet 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • When evaluating the choices, the ISCP Coordinator should consider that purchasing equipment when needed is cost-effective but can add significant overhead time to recovery while waiting for shipment and setup; conversely, storing unused equipment is costly, but allows recovery operations to begin mo… (§ 3.4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • If conditions require the system to be recovered at an alternate site, certain materials will need to be transferred or procured. These items may include shipment of data backup media from offsite storage, hardware, copies of the recovery plan, and software programs. Procedures should designate the … (§ 4.3.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must develop a contingency plan and it must identify the necessary missions and business functions and the associated contingency requirements. (App F § CP-2.a Bullet 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • identify documents, data, facilities, infrastructure, services, personnel and competencies essential to the continued operations of the covered entity's business; (§ 500.16 Incident Response and Business Continuity Management (a)(2)(i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)