Back

Configure the alternate facility to meet the least needed operational capabilities.


CONTROL ID
01395
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Prepare the alternate facility for an emergency offsite relocation., CC ID: 00744

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the alternate business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by A… (5.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • If CMT members need to be evacuated from their primary business locations, AIs should set up command centres to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distanced from AIs’ primary business locations to avoid being affected by the same disa… (4.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • AIs’ alternate sites should be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCPs. Should the BCPs so require, the alternate sites should have pre-installed workstations, power, telephones and ventilation, and suf… (5.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • In particular, it is necessary to have a backup site in principle for important systems that conduct funds settlement, etc. (P74.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In cases where backup operations are contracted out to outsourcees, the priorities for backup, minimum guaranteed extent, and other available services should be identified and reviewed on a regular basis to accommodate changing volumes of office work for a possibility that several outsourcees of bac… (P74.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • capable of ensuring the continuity of critical or important functions identically to the primary site, or providing the level of services necessary to ensure that the financial entity performs its critical operations within the recovery objectives; (Art. 12.5. ¶ 2(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Are disaster-recovery processes, systems and facilities implemented with the same security controls as production environments? (Appendix D, Maintain an Information Security Policy Bullet 10, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Outsourced service providers should ensure several organizations can be provided recovery services at the recovery facilities simultaneously and each organization can operate its subscribed services in a manner independent of each other. Services and supporting resources that are offered during simu… (§ 7.7, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Any connections to outside each security zone should occur through managed interfaces consisting of appropriate boundary protection devices (for example, proxies, gateways, routers, firewalls, unidirectional gateways, guards and encrypted tunnels) arranged in an effective architecture (for example, … (15.12.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • How many separate datacenters is the live cloud platform running on at any one time? (§ V.1.59, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the live cloud platform running on 1 datacenter at any one time? (§ V.1.59.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are there more than 1 and less than 2 separate datacenters running on the live cloud platform at any one time? (§ V.1.59.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are there more than 2 separate datacenters running on the live cloud platform at any one time? (§ V.1.59.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Which availability mode is the critical cloud computing infrastructure running? (§ V.1.60, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the critical cloud computing infrastructure running in the cold standby availability mode? (§ V.1.60.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the critical cloud computing infrastructure running in a warm standby availability mode?. (§ V.1.60.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the critical cloud computing infrastructure running in an active, active availability mode? (§ V.1.60.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the critical infrastructure running active/active at 2 sites or more? (§ V.1.63, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • An alternate site is identified that permits the partial restoration of mission or business essential functions. (COAS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The alternate site's enclave boundary defense must provide equivalent security measures to the primary site. (COEB-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The alternate site's enclave boundary defense must be configured identically to the primary site. (COEB-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Identify a current inventory of items needed for off-site processing; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Provides sufficient processing time for the anticipated workload based on emergency priorities; and (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Has the ability to process the required volume; (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine how the recovery facility's customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location. (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The service provider's continuity plan should ensure the alternate site can process the organization's critical data applications. (Pg 26, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. (CP-7c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. (CP-7c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; (PE-17b., FedRAMP Security Controls High Baseline, Version 5)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., FedRAMP Security Controls High Baseline, Version 5)
  • Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; (PE-17b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is security at the alternate site adequately addressed? (IT - Business Continuity Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; (PE-17b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; (PE-17b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; (PE-17b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The alternate processing site agreements should be examined to ensure they specify the minimum requirements needed for the organization to operate at the alternate site. Test the alternate processing site to ensure they can meet the minimum requirements of the organization and is ready to go operati… (CP-7(4), CP-7.11, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Define appropriate levels of system availability based on critical system functions and ensure that system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material… (T0051, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Regardless of the type of alternate site chosen, the facility must be able to support system operations as defined in the contingency plan. The three alternate site types commonly categorized in terms of their operational readiness are cold sites, warm sites, or hot sites. Other variations or combin… (§ 3.4.3 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Hot Sites. Hot sites are locations with fully operational equipment and capacity to quickly take over system operations after loss of the primary system facility. A hot site has sufficient equipment and the most current version of production software installed, and adequate storage for the productio… (§ 5.1.5 ¶ 2 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Maintaining the integrity and security of system data and software is a key component in contingency planning. Data integrity involves keeping data safe and accurate on the system's primary storage devices. There are several methods available to maintain the integrity of stored data. These methods u… (§ 5.1.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Warm Sites. Warm sites are locations that have the basic infrastructure of cold sites, but also have sufficient computer and telecommunications equipment installed and available to operate the system at the site. However, the equipment is not loaded with the software or data required to operate the … (§ 5.1.5 ¶ 2 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • HA can be implemented at a single site, with all system redundancy resident at that site. This will keep the system running at an HA level as long as there is no interruption of the facility housing the system. However, when implementing HA products or services in a system, the ISCP Coordinator shou… (§ 5.1.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • If encrypted data is sent offsite for storage, there should be a cryptographic key management system in place to make sure the data is readable if it needs to be recovered onto a new or replaced system. The cryptographic key and the encryption software both need to be on the new system, along with t… (§ 5.2.2 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should configure the alternate control center and the telecommunications so that it is ready to be fully operational and supports a minimum required operational capability. (SG.CP-9 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should ensure the alternate processing site has the same security measures as the primary processing site. (SG.CP-9 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must implement the appropriate operational security measures, technical security measures, and management security measures at the alternate processing site. (SG.PE-11 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system boundary protection devices that are used at alternate processing sites or alternate control sites should provide the same level of protection as the primary site. (SG.SC-7 Additional Considerations A5, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should provide Information Security measures at the alternate processing site that is equivalent to the primary site. (App F § CP-7(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Define appropriate levels of system availability based on critical system functions and ensure that system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material… (T0051, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. (CP-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented security controls} at alternate work sites. (PE-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. (CP-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented security controls} at alternate work sites. (PE-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented security controls} at alternate work sites. (PE-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; (PE-17b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; (PE-17b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide controls at the alternate processing site that are equivalent to those at the primary site. (CP-7c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. (CP-7c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. (CP-7c., TX-RAMP Security Controls Baseline Level 2)
  • Employs [Assignment: organization-defined security controls] at alternate work sites; (PE-17a., TX-RAMP Security Controls Baseline Level 2)