Test each restored system for media integrity and information integrity.


CONTROL ID: 01920
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform backup procedures for in scope systems., CC ID: 11692

This Control has the following implementation support Control(s):
  • Include stakeholders when testing restored systems, as necessary., CC ID: 13066


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should ensure that there is no single point of failure in the systems/infrastructure components (e.g. through proper implementation of high availability server clusters, multiple network connections, redundancy of critical hardware or equipment), nor unnecessary connections or dependency upon le… (§ 9.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • recovery of vital records should be certified as part of the testing. (6.1.3 Bullet 6, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The backup methods and procedures must be assessed and confirmed by the person responsible in the operations department. This is a control item that constitutes a greater risk to financial information. (App 2-1 Item Number VI.7.3(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The FI should periodically test the restoration of its system and data backups to validate the effectiveness of its backup restoration procedures. (§ 8.4.3, Technology Risk Management Guidelines, January 2021)
  • The organization should test the restore processes on a regular basis to verify its effectiveness. (Control: 0119 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization should test the restore capability of backup media on a regular basis. (Attach B ¶ 12, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • System backups should be tested on a regular basis to ensure the backups can be restored effectively. (§ 2.8.14, Australian Government ICT Security Manual (ACSI 33))
  • The ability to restore the data from backup tapes should be checked during validation and monitored periodically. (¶ 7.2, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The processing of personal data by electronic means will only be allowed if the following minimum security measure is implemented with the technical specifications stated in Annex B of this Code: implementing procedures for safekeeping of backups, restoring data, and system availability. (§ 34.1(f), Italy Personal Data Protection Code)
  • Procedures need to be implemented to validate the recovery of original data and information after backup, media transfer, transcription, archiving, or system failure. (¶ 19.3 Bullet 9, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should regularly test the backup media by restoring the data to verify it is working properly. (Critical Control 8.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The testing team should take a random sample of system backups and try to restore them to the test bed environment once a quarter or whenever new backup equipment is bought to verify that the backup information is functional and intact. (Procedures and Tools to Implement and Automate this Control (Control 8), Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The procedures for restoring the backup media should be tested regularly to ensure the media is effective and that the restore process can be completed in the time required for recovery. (§ 10.5.1, ISO 27002 Code of practice for information security management, 2005)
  • Does the policy or process for the backup of production data include a Requirement to test backup media and restoration procedures at least annually? (§ G.8.1.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the Business Continuity and Disaster Recovery tests conducted at least annually include assessment of the ability to retrieve vital records? (§ K.1.4.12, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization must use select backup information to restore the system as part of the contingency plan testing. (CSR 5.4.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Incremental and complete restorations must be tested on an annual basis. (§ 8-603.c, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Management responsibility to document, maintain, and test the plan and backup systems periodically according to risk. (App A Objective 12:9 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The restore system should be tested periodically to ensure it functions correctly. (Pg 30, FFIEC IT Examination Handbook - Management)
  • The organization should periodically test the back-up copies by using them to restore programs and data. (Pg 30, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine whether the center has established and tested procedures to recover and restore data under various contingency scenarios. (Exam Tier II Obj 12.5, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Is the backup recovery of the firewall tested at least annually? (IT - Firewalls Q 28, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Testing system functionality including security controls; (§ 4.3.2 ¶ 2 Bullet 8, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The Reconstitution Phase is the third and final phase of ISCP implementation and defines the actions taken to test and validate system capability and functionality. During Reconstitution, recovery activities are completed and normal system operations are resumed. If the original facility is unrecove… (§ 4.4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • At the successful completion of the validation testing, ISCP personnel will be prepared to declare that reconstitution efforts are complete and that the system is operating normally. This declaration may be made in a recovery/reconstitution log or other documentation of reconstitution activities. Th… (§ 4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Validation Data Testing. Data testing is the process of testing and validating recovered data to ensure that data files or databases have been recovered completely and are current to the last available backup. (§ 4.4 ¶ 1 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should use the backup information on a selective basis in restoring system functions as part of the Continuity Of Operations testing. (SG.IR-10 Requirement Enhancements 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed (RC.RP-05, The NIST Cybersecurity Framework, v2.0)