Include business continuity procedures in the Incident Response program.


CONTROL ID: 06433
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures., CC ID: 06432


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • It is necessary to review measures to prevent, detect, and respond to cyber attacks and to establish a framework to combat cyber attacks in order to prevent system interruption and illegal fund transfers caused by cyber attacks. (C5.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • system contingency measures or a reference to such details if they are located in a separate document. (Security Control: 0043; Revision: 3; Bullet 8, Australian Government Information Security Manual, March 2021)
  • how capabilities can be maintained during a denial of service (Security Control: 1019; Revision: 7; Bullet 3, Australian Government Information Security Manual, March 2021)
  • system contingency measures or a reference to such details if they are located in a separate document. (Control: ISM-0043; Revision: 4; Bullet 8, Australian Government Information Security Manual, June 2023)
  • how capabilities can be maintained during a denial-of-service attack (Control: ISM-1805; Revision: 0; Bullet 3, Australian Government Information Security Manual, June 2023)
  • how capabilities can be maintained during a denial-of-service attack (Control: ISM-1805; Revision: 0; Bullet 3, Australian Government Information Security Manual, September 2023)
  • system contingency measures or a reference to such details if they are located in a separate document. (Control: ISM-0043; Revision: 5; Bullet 8, Australian Government Information Security Manual, September 2023)
  • In APRA's view, a regulated entity would benefit from clear linkages between information security response plans and business continuity processes, including crisis management, continuity plans and recovery plans. This could involve integration with third party and related party plans and processes. (77., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • business continuity, such as backup management and disaster recovery, and crisis management; (Article 21 2(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure a fast, effective and proper response to all known security incidents. On the part of the cloud provider, at least the roles listed in OIS-03 must be… (Section 5.13 SIM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • There are well-defined and tested incident management processes in place, that aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place. (D1. ¶ 1, NCSC CAF guidance, 3.1)
  • Verify the incident response plan includes procedures for business recovery and continuity. (§ 12.9.1.a Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The incident response plan must include business recovery and continuity procedures. (PCI DSS Requirements § 12.10.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Spec… (12.10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Spec… (12.10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Spec… (12.10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does the plan address the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? - Specific incident response procedures? - Business recovery and continuity procedures? - Da… (12.10.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Business recovery and continuity procedures? (12.10.1(b)(3), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Business recovery and continuity procedures? (12.10.1 (b)(3), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Business recovery and continuity procedures? (12.10.1(b)(3), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Does the plan address the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? - Specific incident response procedures? - Business recovery and continuity procedures? - … (12.10.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the plan address the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? - Specific incident response procedures? - Business recovery and continuity procedures? - … (12.10.1(b)(3), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Business recovery and continuity procedures? (12.10.1 (b) Bullet 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Business recovery and continuity procedures? (12.10.1(b)(3), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify that the incident response plan includes: - Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup process… (12.10.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Business recovery and continuity procedures. (12.10.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Does the incident response plan address the business recovery and continuity procedures? (PCI DSS Question 12.10.1(b) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the incident response plan address the business recovery and continuity procedures? (PCI DSS Question 12.10.1(b) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Business recovery and continuity procedures. (12.10.1 Bullet 3, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Business recovery and continuity procedures. (12.10.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Business recovery and continuity procedures. (12.10.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Business recovery and continuity procedures. (12.10.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Business recovery and continuity procedures. (12.10.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. (§ 8.4.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • be flexible to respond to unanticipated threats and changing internal and external conditions, (§ 8.4.1 ¶ 3 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization is resilient and able to operate while experiencing a cyber attack. (Resilience (DM.RS), CRI Profile, v1.2)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Incident response; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Trainin… (Other Policies, Standards and Processes, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP includes event management procedures that detail reasonably foreseeable event types, and those procedures include threshold metrics and response methods. (App A Objective 8:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The institution has policies commensurate with its risk and complexity that address the concepts of incident response and resilience. (Domain 1: Assessment Factor: Governance, STRATEGY/POLICIES Baseline 2 ¶ 6, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident. (Domain 5: Assessment Factor: Resilience Planning and Strategy, PLANNING Baseline 1 ¶ 6, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Determine whether the institution has risk monitoring and reporting processes that address changing threat conditions in both the institution and the greater financial industry. Determine whether these processes address information security events faced by the institution, the effectiveness of manag… (App A Objective 7.1, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., FedRAMP Security Controls High Baseline, Version 5)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., FedRAMP Security Controls Low Baseline, Version 5)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization coordinates contingency planning activities with incident handling activities. (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization coordinates incident handling activities with contingency planning activities. (IR-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization coordinates contingency planning activities with incident handling activities. (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates incident handling activities with contingency planning activities. (IR-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates contingency planning activities with incident handling activities. (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates incident handling activities with contingency planning activities. (IR-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates incident handling activities with contingency planning activities. (IR-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates contingency planning activities with incident handling activities. (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Coordinate contingency planning activities with incident handling activities; (CP-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents (Incident Recovery Plan Execution (RC.RP), The NIST Cybersecurity Framework, v2.0)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., TX-RAMP Security Controls Baseline Level 1)
  • Coordinates contingency planning activities with incident handling activities; (CP-2c., TX-RAMP Security Controls Baseline Level 2)