
Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs.


CONTROL ID: 01391
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Designate an alternate facility in the continuity plan. (CC ID: 00742)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Other than the establishment of alternate sites, AIs should also pay particular attention to the transportation logistics for relocation of operations to alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads or tunnels).… (5.1.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • O65.3(7): When developing contingency plans, the organization shall define the routes and means for transporting personnel and other materials in an emergency. T25.3: When establishing backup sites, the organization should ensure personnel can reach the site within a certain amount of time. (O65.3(7), T25.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Therefore, it is recommended to specify individual factors randomly for the natural environment and community environment settings around the site of the computer center, examine on a regular basis the possibility of occurrence of disasters and failures due to the changing environmental settings, an… (F2.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • If the staff is being moved to the alternate site, the site should be close enough for the staff to travel to it, but far enough so that it would not be affected by the same incident. (§ 7.4 Note 1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • During a disaster, non-critical staff should be instructed not to log on, so the resources are available to critical staff. (§ 5.4.C ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Disruptions of the transportation system can affect personnel travel and safety to/from the recovery center. Recovery sites should have good accessibility, meaning organizational staff and equipment should be able to move into the recovery site without undue delay. Accessibility should be measured b… (§ 5.2, § 6.2.5, § 6.2.6, § 6.13.3, § 6.13.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must configure the backup storage and alternate processing sites to facilitate timely and effective recovery operations. The organization must identify potential accessibility problems in case of an area-wide disaster or disruption and explicit actions to mitigate this must be docum… (CSR 5.10.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Disruptions not confined to a single event, facility, or geographic area. (App A Objective 8:13b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The contingency plan should be examined to ensure it identifies any potential accessibility issues if an area-wide disaster occurs and what steps should be taken if this accessibility issue does occur. (CP-7(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Alternate sites may be owned and operated by the organization (internal recovery), or commercial sites may be available under contract. If contracting for the site with a commercial vendor, adequate testing time, work space, security requirements, hardware requirements, telecommunications requiremen… (§ 3.4.3 ¶ 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When evaluating the choices, the ISCP Coordinator should consider that purchasing equipment when needed is cost-effective but can add significant overhead time to recovery while waiting for shipment and setup; conversely, storing unused equipment is costly, but allows recovery operations to begin mo… (§ 3.4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should identify accessibility issues to the alternate control center and develop mitigation actions. (SG.CP-9 Requirement Enhancements 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should identify potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and should outline explicit mitigation actions. (App F § CP-7(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (CP-7(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)