Back

Include the recovery plan in the continuity plan.


CONTROL ID
01377
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Include restoration procedures in the continuity plan., CC ID: 01169

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Recovery procedures and structures must be defined and assessed. The feasibility of the recovery procedures and structures must be verified by persons in charge of the user and operations departments. This is a control item that constitutes a greater risk to financial information. This is an IT gene… (App 2-1 Item Number VI.7.4(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • T4.1: Routers that contain network configuration information shall have recovery procedures. T24: The organization shall provide failure recovery functions to quickly restore systems back to normal operations and restart business operations. T24.2: The organization shall establish recovery procedur… (T4.1, T24, T24.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In order to shorten recovering time in the event of failure and to reduce the influence on operations, recovery functions should be provided. (P106.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The FI should also put in place a contingency plan based on credible worst-case scenarios for service disruptions to prepare for the possibility that its current service provider may not be able to continue operations or render the services required. The plan should incorporate identification of via… (§ 5.1.10, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should develop procedures to recover from a logical compromise to the information technology security in one data center that could spread to other data centers, e.g., data corruption, malware, failed change. (Attach B ¶ 6, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Recovery plans should include procedures for responding to a material disruption to the services. (Attach B ¶ 7(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Recovery plans should include the procedures for recovering and restoring critical services in the required timeframe and to the correct service level. (Attach B ¶ 7(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • an IT business continuity plan. This documentation would typically be focused on operational processes and procedures the IT unit would follow while operating from an alternate site. (Attachment B ¶ 7(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recove… (3.7.3 83, Final Report EBA Guidelines on ICT and security risk management)
  • focus on the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of financial institutions and on the financial system, including on payment systems and on payment service users, a… (3.7.3 84(a), Final Report EBA Guidelines on ICT and security risk management)
  • ICT system backup and recovery procedures for critical software and data, that ensure that these backups are stored in a secure and sufficiently remote location, so that an incident or disaster cannot destroy or corrupt these critical data; (Title 3 3.3.4(a) 54.b(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • A full fail-back plan should be developed, with detailed procedures listed, with the same quality and documentation standard that the fail-over plan uses. (§ 8.4.7, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Covers the key steps of a Business Unit Resumption Plan: Appoint a person to be responsible for development of the plans overall and a representative within each business unit to develop their plan Define the objective and scope of the plans Develop a planning process and time tabled program. Where … (Stage 3.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The disaster recovery plan should include detailed recovery instructions. These instructions may include references to procedures, vendors, system diagrams, and other recovery materials. (§ 5.5 ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization must establish and maintain a recovery strategic program to ensure resources, processes, and capabilities are re-established to meet the organization's ongoing operational objectives within a specified time period. (§ 4.3.3 ¶ 5(e), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The emergency plan should include the procedures for recovering the systems after an emergency. (Revised Volume 3 Pg 1-I-30, Protection of Assets Manual, ASIS International)
  • Business Continuity plans should clearly state the services / activities and information to be recovered, timescales in which services / activities and information need to be recovered, and order in which services / activities and information should be recovered. (CF.20.05.06, The Standard of Good Practice for Information Security)
  • Business Continuity plans should clearly state the services / activities and information to be recovered, timescales in which services / activities and information need to be recovered, and order in which services / activities and information should be recovered. (CF.20.05.06, The Standard of Good Practice for Information Security, 2013)
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business… (BCR-01, Cloud Controls Matrix, v3.0)
  • Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite. (BCR-03, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes. (BCR-09, Cloud Controls Matrix, v4.0)
  • The system should be able to start up, either manually or automatically, without being compromised, after a discontinuity of operations. A list of failures or service discontinuities (e.g., power failure, full audit storage, any failure) that will cause the system to enter maintenance mode should be… (§ 15.8, § J.8, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • The organization shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery. (§ 8.4.4.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • Each Responsible Entity shall have one or more documented recovery plan(s) that collectively include each of the applicable requirement parts in CIP-009-6 Table R1 – Recovery Plan Specifications. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning]. (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Recovery plans for BES Cyber Systems (CIP-009); (B. R1. 1.1 1.1.6., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Recovery plans for BES Cyber Systems (CIP-009); (B. R1. 1.1 1.1.6., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Does the Business Continuity and Disaster Recovery program include resumption procedures to return to normal business operations? (§ K.1.2.13, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The contingency plan must include detailed instructions for restoring operations. (CSR 5.2.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Disaster Recovery Plan must include procedures for the partial resumption of business or mission essential functions in 5 days of activating the plan. (CODP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Trusted recovery must be accomplished in a secure and verifiable way. (COTR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must document and develop mitigating procedures for all circumstances that can inhibit a trusted recovery. (COTR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Disaster Recovery Plan must include procedures for the resumption of business or mission essential functions in 24 hours of activating the plan. (CODP-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Disaster Recovery Plan must include procedures for transferring all business or mission essential functions to an alternate site with little or no loss of continuity. (CODP-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Procedures must be in place to ensure systems are recovered in a controlled manner. (§ 8-612, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business conti… (Business Continuity Planning Process, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Addresses the recovery of each business unit/department/function/application: (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Bas… (Business Continuity Plan Development, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Considering interdependencies among systems; and (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 1 Sub-Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Data synchronization, back-up, and recovery; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Communications protocols, event management, business continuity, and disaster recovery. (V Action Summary ¶ 2 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • IT contingency planning and business recovery. (App A Objective 4:1 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The recovery objectives should be used to determine which technologies, data, communications systems, facilities, and vital records must be recovered and list which personnel are essential for recovery. (Pg 9, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Exam Tier I Obj 4.1 Determine whether adequate risk mitigation strategies have been considered for: ▪ Alternate locations and capacity for: - Data centers and computer operations; - Back-room operations; - Work locations for business functions; and - Telecommunications and remote computing. ▪ Ba… (Exam Tier I Obj 4.1, Exam Tier I Obj 10.1 (Execution, Evaluation, and Re-Testing), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The continuity plan should include timeframes for the restoration and recovery of images. (Pg 32, FFIEC IT Examination Handbook - Operations, July 2004)
  • The continuity plan should include timeframes for the restoration of service. (Pg 35, Exam Tier II Obj 5.1, Exam Tier II Obj 12.2, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Does the Credit Union Information Technology policy include backup procedures and recovery procedures? (IT - Policy Checklist Q 19, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.7.2 Bullet 5: Identify each cost-effective strategy for recovering business critical services or processes. § 4.7.4 Bullet 1: Complete the contingency plan procedures for all identified impacts, including emergency mode operation. (§ 4.7.2 Bullet 5, § 4.7.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The recovery procedures should reflect the system priorities that were identified during the Business Impact Analysis. The activity sequence should reflect the system's maximum tolerable downtime to avoid any significant impacts to applications and systems. The restoration procedures should be writt… (§ 4.3.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The contingency plan should include procedures to restore the system or components to a known state. The procedures should be assigned to the appropriate team and should address the following actions: obtaining authorization to gain access to the damaged facilities and/or the geographic area; obtain… (§ 4.3.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Several alternative approaches should be considered when developing and comparing strategies, including cost, maximum downtimes, security, recovery priorities, and integration with larger, organization-level contingency plans. Table is an example that can assist in identifying the linkage of FIPS 19… (§ 3.4.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Organizations are required to adequately mitigate the risk arising from use of information and information systems in the execution of mission/business processes. The challenge for organizations is in implementing the right set of security controls. Guided by the RMF and in accordance with FIPS 199 … (§ 3.4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Development/Acquisition Phase. As initial concepts evolve into information system development, specific contingency solutions may be determined. As in the Initiation phase, technical contingency planning considerations in this phase should reflect system and operational requirements. The design shou… (Appendix F ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establish a plan for the recovery and reconstitution of pipeline cyber assets within a timeframe to align with the organization's safety and business continuity objectives. (Table 2: Recovery Planning Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., TX-RAMP Security Controls Baseline Level 1)
  • Provides recovery objectives, restoration priorities, and metrics; (CP-2a.2., TX-RAMP Security Controls Baseline Level 2)