
Protect backup systems and restoration systems at the alternate facility.


CONTROL ID: 04883
CONTROL TYPE: Systems Continuity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Prepare the alternate facility for an emergency offsite relocation. (CC ID: 00744)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services … (Art. 12.3. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The data to be backed up is transmitted to a remote site (e.g. another data centre of the cloud provider) or transported to a remote site on backup media. If the backup of the data is transmitted to the remote site via a network, this is carried out in an encrypted form that conforms to the state o… (Section 5.6 RB-09 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process, CIS Controls, V8)
  • Protect the confidentiality of backup CUI at storage locations. (RE.2.138, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Protect the confidentiality of backup CUI at storage locations. (RE.2.138, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Protect the confidentiality of backup CUI at storage locations. (RE.2.138, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Protect the confidentiality of backup CUI at storage locations. (RE.2.138, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Protect the confidentiality of backup CUI at storage locations. (MP.L2-3.8.9 Protect Backups, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The organization must have procedures to assure the backup software, backup hardware, backup firmware, restoration software, restoration hardware, and restoration firmware are physically protected and technically protected. (COBR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Applications; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 2 Sub-Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Protect the confidentiality of backup CUI at storage locations. (3.8.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Protect the confidentiality of backup CUI at storage locations. (3.8.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Protect the confidentiality of backup CUI at storage locations. (3.8.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should protect backup and restoration hardware, backup and restoration software, and backup and restoration firmware. (App F § CP-10(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization protects backup and restoration hardware, firmware, and software. (CP-10(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization protects backup and restoration hardware, firmware, and software. (CP-10(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protect system components used for recovery and reconstitution. (CP-10(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components]. (SC-36(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect system components used for recovery and reconstitution. (CP-10(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components]. (SC-36(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)