Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan.


CONTROL ID: 01374
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies. (CC ID: 00735)

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain at-risk structure removal or relocation procedures. (CC ID: 01247)
  • Establish, implement, and maintain physical hazard segregation or removal procedures. (CC ID: 01248)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • O65.3(5): When developing contingency plans, the organization shall develop a procedures manual that defines procedures for temporarily continuing business operations under emergency situations when normal business operations are difficult to attain. T22: In the event of a failure, the organization … (O65.3(5), T22, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • However, if no backup centers are established, it is necessary to consolidate a business continuity system by use of another alternative method carefully considering the impact on society due to failures, and management should approve the system. (P74.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should include actions to secure vital information, facilities, people, and information systems and to minimize physical and environmental damage and human casualties when it develops its incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(j), § 4.4.7 ¶ 3(k), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The emergency plan should have procedures for equipment shutdown. Shutdown crews should be kept to a minimum, because they may be the last ones to leave the facility. (Revised Volume 3 Pg 1-I-30, Protection of Assets Manual, ASIS International)
  • The availability of critical business processes should be improved by providing alternative locations from which business applications, Information Systems, networks and voice facilities can be run and administered. (CF.20.03.03b, The Standard of Good Practice for Information Security)
  • The availability of critical business processes should be improved by providing alternative locations from which business applications, Information Systems, networks and voice facilities can be run and administered. (CF.20.03.03b, The Standard of Good Practice for Information Security, 2013)
  • recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of m… (§ 8.4.3 ¶ 1 g), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Arrangements should be implemented to address the loss of the ICT disaster recovery service providers' facilities and service capabilities. (§ 9.5.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Components shall provide the capability to maintain essential functions when operating in a degraded mode as the result of a DoS event. (11.3.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Components may be subjected to different forms of DoS situations. When these occur the component should be designed in such a manner that it maintains essential functions necessary for continued safe operations while in a degraded mode. (11.3.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Manual operating procedures. (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Verify that the BCP lists alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. (App A Objective 8:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization should implement alternate security measures to protect the physical and logical assets in case of a disaster at the primary facility. (Pg C-2, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. (CP-2(5) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Plan for the continuance of [FedRAMP Assignment: essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must develop a contingency plan and it must include procedures for maintaining essential mission and business functions during a system disruption, compromise, or failure. (App F § CP-2.a Bullet 4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should plan for continuing all essential missions and business functions with little or no loss of operational continuity until the primary processing and/or storage sites are fully restored. (App F § CP-2(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops a contingency plan for the information system that addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure. (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. (CP-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization plans and prepares for circumstances that preclude returning to the primary processing site. (CP-7(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure. (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. (CP-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure. (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a contingency plan for the information system that addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure. (CP-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization plans and prepares for circumstances that preclude returning to the primary processing site. (CP-7(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Plan and prepare for circumstances that preclude returning to the primary processing site. (CP-7(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Plan and prepare for circumstances that preclude returning to the primary processing site. (CP-7(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. (CP-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)