Evaluate all possible continuity risks and impacts as a part of the continuity framework.


CONTROL ID
06374
CONTROL TYPE
Systems Continuity
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity framework., CC ID: 00732

This Control has the following implementation support Control(s):
  • Assess risks related to fault tolerance and redundancy of critical assets., CC ID: 13053


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Each "inherent risk level" is mapped to an expected "maturity level" of cyber resilience. (II. ¶ 1, Hong Kong Monetary Authority The Cyber Resilience Assessment Framework, Cybersecurity Summit 2016)
  • In developing contingency plans, the organization shall evaluate all possible impacts of emergencies on individual facilities and business activities. (O65.3(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event t… (Critical components of information security 29) ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An institution should ensure that its business continuity is not compromised by outsourcing arrangements, in particular, of the operation of its critical systems as stipulated under the Technology Risk Management Notice. An institution should adopt the sound practices and standards contained in the … (5.7.1, Guidelines on Outsourcing)
  • APRA-regulated entities could consider low likelihood scenarios, which could result in an extreme impact to the regulated entity (i.e. plausible worst case). Extreme impacts can be financial or non-financial (e.g. reputational or regulatory), potentially threatening the ongoing ability of the APRA-r… (44., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT service… (3.7.2 80, Final Report EBA Guidelines on ICT and security risk management)
  • Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures o… (4.9 49, Final Report on EBA Guidelines on outsourcing arrangements)
  • material risks arising for the appropriate and continuous application of the function. (4.15 106(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by… (4.12.2 65, Final Report on EBA Guidelines on outsourcing arrangements)
  • estimate preliminary impacts, damages and losses; (Art. 11.2.(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Have the risks and opportunities that need to be addressed to ensure the BCMS can achieve its intended result(s) been established? (Planning ¶ 1, ISO 22301: Self-assessment questionnaire)
  • Do the plans consider the management of the immediate consequences of a disruption, in particular the welfare of individuals, options for response and further loss prevention? (Operation ¶ 28, ISO 22301: Self-assessment questionnaire)
  • Is the BC strategy based on the outputs of the BIA and risk assessment? (Operation ¶ 10, ISO 22301: Self-assessment questionnaire)
  • the possibility that the quality of the provision of material outsourced services deteriorates to unacceptable levels; (§ 4.12 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • where relevant, political and other risks in the service provider's jurisdiction. (§ 4.12 Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • the requirements for both parties to implement and test business contingency plans. For the firm, these should take account of their impact tolerances for important business services. Where appropriate, both parties should commit to take reasonable steps to support the testing of such plans; (§ 6.4 Bullet 12, SS2/21 Outsourcing and third party risk management, March 2021)
  • early intervention, recovery and resolution planning, OCIR, and resolvability. (Table 5 Column 2 Row 7 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including the changes to threats the organization faces (e.g., hacktivism, corporate espionage, and Denial of Service attacks). (CF.20.01.04b, The Standard of Good Practice for Information Security)
  • The Business Continuity program should require Business Continuity risk assessments to be performed for each individual business environment (which include the assessment of potential business impacts, threats and vulnerabilities) to identify the availability requirements. (CF.20.02.04b, The Standard of Good Practice for Information Security)
  • Each Business Continuity Plan should be based on the results of a risk assessment (e.g., using the Information Security Forum's information risk analysis methodology). (CF.20.05.02, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including the changes to threats the organization faces (e.g., hacktivism, corporate espionage, and Denial of Service attacks). (CF.20.01.04b, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should require Business Continuity risk assessments to be performed for each individual business environment (which include the assessment of potential business impacts, threats and vulnerabilities) to identify the availability requirements. (CF.20.02.04b, The Standard of Good Practice for Information Security, 2013)
  • Each Business Continuity Plan should be based on the results of a risk assessment (e.g., using the Information Security Forum's information risk analysis methodology). (CF.20.05.02, The Standard of Good Practice for Information Security, 2013)
  • There shall be a defined and documented method for determining the impact of any disruption to the organization that must incorporate the following: - Identify critical products and services - Identify all dependencies, including processes, applications, business partners, and third party service … (BCR-09, Cloud Controls Matrix, v3.0)
  • Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities. (BCR-02, Cloud Controls Matrix, v4.0)
  • The service provider shall assess and document the risks to the availability of services and service continuity. (§ 6.3.1 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: (§ 6.1.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the impact on the environment. (§ 8.4.4.2 d) 3), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the organization's strengths, weaknesses, competitive positioning and operational resilience; (§ 6.3.3.1.1 ¶ 2 i), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. (§ 8.7.2 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The entity shall discuss measures to address business continuity risks, including an identification of critical business operations and redundancies or other measures implemented to enhance resilience of the system or to reduce impact, including insurance against loss. (TC-TL-550a.2. 2, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Management identifies threats to data recoverability (for example, ransomware attacks) that could impair the availability of the system and related data and implements mitigation procedures. (A1.2 ¶ 2 Bullet 11 Considers Data Recoverability, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The risk assessment is the second step in the business continuity planning process. It should include: - Evaluating the BIA assumptions using various threat scenarios; - Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves; - Prioritizing pote… (Risk Assessment, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business conti… (Business Continuity Planning Process, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitorin… (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Bas… (Business Continuity Plan Development, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing prog… (Principles of the Business Continuity Testing Program, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Any other internal or external factors that could affect the business continuity process. (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Identification and analysis of disruptive events. (III.A Action Summary ¶ 2 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Address critical business risks in the operating environment (e.g., mitigate specific or unique threats, such as cyber threats or loss of critical third-party service providers). (IV Action Summary ¶ 2 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management developed an appropriate and repeatable BIA process that identifies all business functions and prioritizes them in order of criticality, analyzes related interdependencies, and assesses a disruption's impact. (III.A, "Business Impact Analysis") (App A Objective 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Evaluating continuity risk. (App A Objective 2:2a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Assessing continuity risk. (App A Objective 2:3a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Review risk assessment(s) to determine whether management has identified all reasonably foreseeable hazards and threats to the continuity and resilience of the entity. Examples of risks can include: (App A Objective 5:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management identifies BCM risks and coordinates risk identification efforts throughout the entity to identify systemic threats. (App A Objective 5:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Review newly identified threats and vulnerabilities to the continuity of operations. Consider the following: (App A Objective 1:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Business continuity and disaster recovery plans. (App A Objective 10:2 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Contingency and resiliency planning. (App A Objective 12:12 i., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Specific retail payment instruments introduce risks that require effective internal controls and adherence to the relevant clearing house, association, interchange, and regulatory requirements. Financial institutions should address these risks in their information security and business continuity pl… (Retail Payment Instrument Specific Risk Management Controls, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • BCP. (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 6, Sub-Sub Bullet 10, Sub-Sub-Sub Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Business resilience and recovery capabilities. Operations moved to cloud computing environments should have resilience and recovery capabilities commensurate with the risk of the service or operation for the financial institution. Management should review and assess the resilience capabilities and s… (Risk Management Resilience and Recovery Bullet 1, FFIEC Security in a Cloud Computing Environment)
  • A recommended plan of action resulting from a cyber resiliency analysis can take the form of a set of selected alternatives to be implemented in successive phases. For each phase, the costs, benefits, and risk management approaches can be identified, accompanied by the identification of circumstance… (3.2.5.3 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • The BIA is a key step in implementing the CP controls in NIST SP 800-53 and in the contingency planning process overall. The BIA enables the ISCP Coordinator to characterize the system components, supported mission/business processes, and interdependencies. The BIA purpose is to correlate the system… (§ 3.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • To be effective and to ensure that personnel fully understand the organization's contingency planning requirements, the contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the organization's overall contingency objectives and establish … (§ 3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The ISCP Coordinator should look at information provided in the BIA to determine what critical mission/business processes a system supports, the MTD, and the impact loss of the system would have on the business to establish what type of recovery site is needed. An information system recovery strateg… (§ 5.1.5 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When developing an ISCP for a LAN, the ISCP Coordinator should identify single points of failure that affect critical systems or processes outlined in the BIA. This analysis could include threats to the cabling system, such as cable cuts, electromagnetic and radio frequency interference, and damage … (§ 5.3.2 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))