
Establish and maintain a core supply inventory required to support critical business functions.

CONTROL ID
04890
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a critical resource list., CC ID: 00740

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is recommended to establish a system that can secure the necessary standbys (capability margin) depending on the purpose and importance of the system. (P86.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to provide standbys or substitute functions for important peripherals. (P85.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to provide a standby for the important main unit that constitutes the core of computer systems. (P84.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Sufficient spares of critical ICT equipment are sourced and kept in reserve. (Control: ISM-1789; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Sufficient spares of critical ICT equipment are sourced and kept in reserve. (Control: ISM-1789; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Has the organization determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS (including people, infrastructure and environment for the operation of processes)? (Support ¶ 1, ISO 22301: Self-assessment questionnaire)
  • Does the IRS and associated procedures include thresholds, assessment, activation, resource provision and communication? (Operation ¶ 20, ISO 22301: Self-assessment questionnaire)
  • An inventory of core supplies that are required to support critical activities should be identified and maintained. Some strategies for this include: storing supplies at other sites; arranging for suppliers to deliver after short notice; diverting just-in-time deliveries to other sites; holding the … (§ 7.7, BS 25999-1, Business continuity management. Code of practice, 2006)
  • During the business impact analysis, identified risks may include suppliers critical to the overall supply chain of the organization. To ensure key suppliers meet their obligations, the organization can use contractual terms. If the primary supplier fails, alternative suppliers should be identified.… (§ 5.4.B ¶ 2, § 5.4.B ¶ 3, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Critical infrastructure security controls should include methods of storing spares on-site for critical components (often referred to as critical spares) or obtaining such spares at short notice. (CF.08.03.07d, The Standard of Good Practice for Information Security)
  • Alternative (contingency) arrangements based on the results of a risk assessment should be established to ensure that the organization's business processes can continue in the event that the external supplier is not available (e.g., due to contract termination, a disaster, a dispute with the externa… (CF.16.01.09, The Standard of Good Practice for Information Security)
  • The resilience of technical infrastructure should be improved by applying standard servicing and maintenance disciplines, which include maintaining an adequate supply of system consumables (e.g., data storage media, printer ink cartridges, and stationery). (CF.20.03.08d, The Standard of Good Practice for Information Security)
  • Critical infrastructure security controls should include methods of storing spares on-site for critical components (often referred to as critical spares) or obtaining such spares at short notice. (CF.08.03.07d, The Standard of Good Practice for Information Security, 2013)
  • The resilience of technical infrastructure should be improved by applying standard servicing and maintenance disciplines, which include maintaining an adequate supply of system consumables (e.g., data storage media, printer ink cartridges, and stationery). (CF.20.03.08d, The Standard of Good Practice for Information Security, 2013)
  • Alternative (contingency) arrangements based on the results of a risk assessment should be established to ensure that the organization's business processes can continue in the event that the external supplier is not available (e.g., due to contract termination, a disaster, a dispute with the externa… (CF.16.01.13, The Standard of Good Practice for Information Security, 2013)
  • A list of supplies to be kept on hand or pre-contracted for supply, such as face masks, hand sanitizer, fuel, food and water. (4.9, Pandemic Response Planning Policy)
  • There shall be a defined and documented method for determining the impact of any disruption to the organization that must incorporate the following: - Identify critical products and services - Identify all dependencies, including processes, applications, business partners, and third party service … (BCR-09, Cloud Controls Matrix, v3.0)
  • have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and (§ 8.4.2 ¶ 2 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Train and equip rapid-response teams to investigate cases and clusters early in the outbreak, and conduct contact tracing within 24 hours (Pillar 3 Step 2 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Disseminate latest disease information, standard operating procedures, equip and train staff in appropriate actions to manage ill passenger(s) (Pillar 4 Step 2 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Map available resources and supply systems in health and other sectors; conduct in-country inventory review of supplies based on WHO's a) Disease Commodity Package (DCP) and b) COVID-19 patient kit, and develop a central stock reserve for COVID-19 case management (Pillar 8 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Does the Business Continuity and Disaster Recovery program include identification of supplies? (§ K.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Identify activities and material involving ePHI that are critical to business operations. (§ 4.7.2 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • When evaluating the choices, the ISCP Coordinator should consider that purchasing equipment when needed is cost-effective but can add significant overhead time to recovery while waiting for shipment and setup; conversely, storing unused equipment is costly, but allows recovery operations to begin mo… (§ 3.4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • While the OEP provides guidance on facility evacuation, it may be safer to remain within the facility in response to certain emergency situations. Shelter-in-place plans provide instruction to personnel on how to take refuge indoors in response to unsafe environment outside of the facility or contam… (Appendix D Subsection 1 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must ensure required equipment and supplies are available at the alternate site or contracts are in place to support delivery in time to resume operations in the predefined time period. (App F § CP-7.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization ensures that software and data employed during information system component and service refreshes are obtained from {organizationally documented trusted sources}. (SI-14(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)