Back

Activate the continuity plan if the damage assessment report indicates the activation criterion has been met.


CONTROL ID
01373
CONTROL TYPE
Systems Continuity
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

This Control has the following implementation support Control(s):
  • Maintain normal security levels when an emergency occurs., CC ID: 06377
  • Execute fail-safe procedures when an emergency occurs., CC ID: 07108


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • clear criteria for activation of the BCP and/or alternate sites; (4.2.2 Bullet 4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Business continuity and disaster recovery plans are enacted when required. (R3:, Australian Government Information Security Manual)
  • The business continuity plan should be activated whenever a risk event occurs that has a business interruption consequence, referred to as an outage. The plan should be activated as close to the start of the outage as possible to minimize time to recover. (Pg 13 Underlying ¶ 1 thru ¶ 3, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The method to activate the business continuity plan should be clearly documented. The process should allow plans to be activated in the shortest possible time after the business disruption. Clear guidelines and criteria should be established for who has the authority to activate a plan and when. The… (§ 8.3.4, § 8.7.2(a), § 8.7.2(b), BS 25999-1, Business continuity management. Code of practice, 2006)
  • The incident response structure must provide for the personnel to confirm the incident's extent and nature; trigger a business continuity response; have procedures, processes, and plans for activating, operating, coordinating, and communicating the incident response; have resources to support the ma… (§ 4.3.2.2, BS 25999-2, Business continuity management. Specification, 2007)
  • Business continuity plans should identify acceptable response and recovery times. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should include the mitigation and response procedures for different types of incidents and emergency situations when it develops its incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(l), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The emergency plan should provide procedures for notifying all personnel of an emergency situation. (Revised Volume 3 Pg 1-I-28, Protection of Assets Manual, ASIS International)
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business… (BCR-01, Cloud Controls Matrix, v3.0)
  • respond to actual emergency situations; (§ 8.2 ¶ 2 b), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • activate an appropriate business continuity response, (§ 8.4.2 ¶ 2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • a process for activating the response, (§ 8.4.4 ¶ 2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • have processes, and procedures for the activation, operation, coordination, and communication of the response, (§ 8.4.2 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • activate an appropriate business continuity response; (§ 8.4.2.3 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • reference to the pre-defined threshold(s) and process for activating the response; (§ 8.4.4.2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions; (§ 8.4.4.3 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • documented procedures to guide their actions (see 8.4.4), including those for the activation, operation, coordination and communication of the response. (§ 8.4.2.4 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • activate the business continuity solutions; (§ 8.4.2.3 g), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall implement and maintain a response structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate … (§ 8.4.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The conditions and procedures to invoke and deactivate disaster recovery services should be established between service providers and organizations. The service agreements that are made with the organization should include the following procedures for activating subscribed services: informing the ma… (§ 5.8.1, § 5.8.4, § 7.2 ¶ 6(a), § 7.12, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The continuity plan should include the conditions for activating the plan and the procedures to follow. (§ 14.1.4, ISO 27002 Code of practice for information security management, 2005)
  • criteria and responsibilities for invoking service continuity; (§ 8.7.2 ¶ 2(a), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Tools and processes are in place to ensure timely detection, alert, and activation of the incident response program. (RS.AN-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • (R 3510(c)(6), NASD Manual)
  • Conditions for activation of the recovery plan(s). (CIP-009-6 Table R1 Part 1.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Does the Business Continuity and Disaster Recovery program include conditions for activating the plan? (§ K.1.2.4, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The airport operator must implement the contingency plan when directed by the Transportation Security Administration. (§ 1542.301(a)(1), 49 CFR Part 1542, Airport Security)
  • Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Bas… (Business Continuity Plan Development, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Define the conditions under which the back-up site would be used; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP includes event management procedures that detail reasonably foreseeable event types, and those procedures include threshold metrics and response methods. (App A Objective 8:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The continuity plan should state how to activate the plan and should describe different events that could trigger the activation. The crisis management team should be responsible for declaring a disaster. The crisis management team should be tested on initiating the continuity plan. Events that will… (Pg 14, Pg 31, Pg D-7, Pg H-4, Pg H-5, Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Management should ensure it knows the procedures for activating the continuity plan, including who can activate the plan and initiate processing at the recovery site. (Pg 28, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Has the Credit Union ever implemented the Disaster Recovery Plan? (IT - Business Continuity Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • If one or more of the activation criteria are met, the contingency plan should be activated by the designated authority. The management team is responsible for activating the plan and supervising its execution. A senior management official, such as the CIO, has the ultimate authority to activate the… (§ 3.4.6 ¶ 5, § 4.2.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Recovery plan is executed during or after a cybersecurity incident (RC.RP-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Recovery plan is executed during or after an event. (RC.RP-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The smart grid Information System should save the information state during a failure. (SG.CP-11 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Industrial Control System must execute predetermined procedures when there is a loss of processing inside the Industrial Control System or a loss of communications with the operational facilities. (App I § CP-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)