Coordinate continuity planning with other business units responsible for related continuity plans.


CONTROL ID
01386
CONTROL TYPE
Systems Continuity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity framework. (CC ID: 00732)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall develop and maintain an independent disaster prevention unit for the computer center when it is located in a shared building. (O7.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The counter-terrorist contingency plan must include liaison with emergency services and any multi-agency contingency plans. (Mandatory Requirement 67.g, HMG Security Policy Framework, Version 6.0 May 2011)
  • Emergency management policies must be aligned to ensure crisis management, emergency response (ER), and business continuity management will work together during a disaster. If the business continuity (BC) and ER program coordination is included in the audit plan, consider the following questions: Ho… (§ 5.1, § 6 ¶ 5, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization must define the scope of the organizational resilience management system in terms of preserving and protecting its relationships with key suppliers, outsourcing partners, and other stakeholders. (§ 4.1.1 ¶ 3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Representatives from each department/division should be appointed to help the coordinator develop the emergency plan. (Revised Volume 3 Pg 1-I-16, Protection of Assets Manual, ASIS International)
  • The Business Continuity program should apply across the organization and require each individual business environment to follow the organization's central crisis management process (sometimes referred to as an emergency response process) at a local level. (CF.20.02.05a, The Standard of Good Practice for Information Security)
  • The Business Continuity program should apply across the organization and require each individual business environment to maintain links with the organization's central Crisis Management Team. (CF.20.02.05b, The Standard of Good Practice for Information Security)
  • An individual Business Continuity Plan should be created for each individual business environment across all parts of the organization, and form part of a wider Business Continuity program. (CF.20.05.01, The Standard of Good Practice for Information Security)
  • The Business Continuity program should apply across the organization and require each individual business environment to follow the organization's central crisis management process (sometimes referred to as an emergency response process) at a local level. (CF.20.02.05a, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should apply across the organization and require each individual business environment to maintain links with the organization's central Crisis Management Team. (CF.20.02.05b, The Standard of Good Practice for Information Security, 2013)
  • An individual Business Continuity Plan should be created for each individual business environment across all parts of the organization, and form part of a wider Business Continuity program. (CF.20.05.01, The Standard of Good Practice for Information Security, 2013)
  • The disaster recovery plan should include incident handling procedures. (Action 1.3.4, SANS Computer Security Incident Handling, Version 2.3.1)
  • have processes and procedures for the activation, operation, coordination, and communication of the response, (§ 8.4.2 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Service providers should check the organization's disaster recovery status before contracts are signed, unless the contract clearly states there is no service provider liability for incidents that might occur because of deficiencies in the organization's disaster recovery planning. The service provi… (§ 7.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • App A § 3 ¶ 12: Contingency planning shall include a coordinated contingency policy to fully recover and reconstitute operations. App A § 4.2: If a CMS business partner's data center is linked to other CMS business partners in order to transmit Medicare data, the contingency planning shall includ… (App A § 3 ¶ 12, App A § 4.2, CMS Business Partners Systems Security Manual, Rev. 10)
  • Verify that the organization coordinates contingency plan testing with organizational elements responsible for related plans. (COED-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Aligning plans between business units across the enterprise. (App A Objective 2:5j, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that business line management retains ownership for testing its specific business processes and coordinates with personnel involved in the enterprise-wide BCM process and support areas. (App A Objective 10:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Disaster recovery plans interface between the data center, customers, and users; (TIER II OBJECTIVES AND PROCEDURES F.1. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for outsourcing activities adequately cover the risks when IT service is provided to external users. Evaluate whether ▪ Formal procedures are in effect and staff is assigned to provide interface with users/customers to control data center-related issues (i.e., pr… (Exam Tier II Obj F.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The continuity plan should address the internal and external components needed to interact with each other to make the activation and restoration a success. Internal components include interdependencies between the different departments and functions. External components include the interdependencie… (Pg 15, Pg 34, Exam Tier I Obj 2.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should require service providers to test their continuity plans annually and to report their results to the organization. Service providers should be required to notify the organization if any changes are made to their continuity plans. (Pg 25, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization should establish continuity procedures with other organizations to ensure services are available in case of a failure. (Pg 41, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Did the Credit Union incorporate the service provider's contingency plan into the Credit Union's Disaster Recovery Plan? (IT - General Q 51, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Business Continuity Plan or the Disaster Recovery Plan consider the services that are furnished by outsourced vendors? (IT - Business Continuity Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The continuity plan must be adaptable to the existing operating environment. (§ 4.7.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Due to the relationship between information systems and the business processes they support, coordination should exist between plans while they are being developed and while they are being updated to ensure that the strategies for recovery and any supporting resources are not negated by another plan… (§ 2.2, § 3.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Coordinate contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Coordinate contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Coordinate contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. (RC.CO Communications, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Organizational records and documents should be examined to ensure the contingency plan is coordinated and supports the requirements in other related plans, such as continuity plans, disaster recovery plans, continuity of operations plans, business recovery plans, and incident response plans. Intervi… (CP-2.3, CP-2(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyberse… (§ 6.2.6 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans. (T0199, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must integrate the Continuity Of Operations procedures and the incident handling procedures. (SG.IR-5 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must coordinate the Contingency Planning activities with the incident handling activities. (App F § CP-2.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should coordinate Contingency Planning between elements who are responsible for related plans. (App F § CP-2(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must coordinate the incident handling procedures with the Contingency Planning procedures. (App F § IR-4.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans. (T0199, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. (CP-2(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Coordinate contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The organization coordinates contingency plan development with organizational elements responsible for related plans. (CP-2(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)