Document and use the lessons learned to update the continuity plan.

CONTROL ID: 10037
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. (3.7.4 90, Final Report EBA Guidelines on ICT and security risk management)
  • are planned, formalised and documented, and the test results used to strengthen the effectiveness of the ICT availability and continuity solutions; (Title 3 3.3.4(a) 54.c(i), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews. (Art. 11.6. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The business impact analysis as well as the business continuity plans and contingency plans are verified, updated and tested at regular intervals (at least once a year) or after essential organisational or environment-related changes. The tests also involve affected customers (tenants) and relevant … (Section 5.14 BCM-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Have formal post-exercise reports been produced for the tests and outcomes reviewed to ensure they lead to improvement? (Operation ¶ 32, ISO 22301: Self-assessment questionnaire)
  • Have any actions identified been implemented and reviewed for effectiveness and given rise to improvements to the BCMS? (Improvement ¶ 3, ISO 22301: Self-assessment questionnaire)
  • Consistent with the EBA ICT GL, firms should also update their business continuity and exit plans with lessons learned from these tests, including with new risks and threats identified and changed recovery objectives and priorities (if any). (§ 10.21, SS2/21 Outsourcing and third party risk management, March 2021)
  • Incident management and system recovery testing is performed on a periodic basis to make sure the entity continues to be able to identify, evaluate and respond to critical incidents. Testing includes: 1) the development and use of test scenarios based on the likelihood and magnitude of potential thr… (S7.5 Implements incident management and recovery testing, Privacy Management Framework, Updated March 1, 2020)
  • The entity periodically tests the effectiveness of its business continuity and resiliency plans, procedures and capabilities to make sure that they continue to protect the entity from the adverse effects of unplanned system outages or damages that render systems and information assets unavailable or… (S7.5 Implements business continuity plan testing, Privacy Management Framework, Updated March 1, 2020)
  • A review shall be conducted after each service continuity plan test and after the plan has been invoked. (§ 6.3.3 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall take actions when deficiencies are found during the review of test results and report on any actions that are taken. (§ 6.3.3 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. (§ 5.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. (§ 9.3 ¶ 6, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • making changes to the BCMS, if necessary. (§ 10.1 ¶ 1 c) 7, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. (§ 9.1.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • improvement of the effectiveness of the BCMS; (§ 9.3 ¶ 4 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • output from the evaluation of business continuity documentation and capabilities (see 8.6); (§ 9.3.2 ¶ 1 h), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • lessons learned and actions arising from near-misses and disruptions; (§ 9.3.2 ¶ 1 j), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • evaluating performance and, as necessary, revising the planned response, including after testing and, in particular, after the occurrence of emergency situations; (§ 8.2 ¶ 1 d), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. (§ 8.7.2 ¶ 5, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • It is critical to communicate to the public what is known about COVID-19, what is unknown, what is being done, and actions to be taken on a regular basis. Preparedness and response activities should be conducted in a participatory, community-based way that are informed and continually optimized acco… (Pillar 2: Risk communication and community engagement, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Evaluate implementation and effectiveness of case management procedures and protocols (including for pregnant women, children, immunocompromised), and adjust guidance and/or address implementation gaps as necessary (Pillar 7 Step 3 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Monitor and evaluate diagnostics, data quality and staff performance, and incorporate findings into strategic review of national laboratory plan and share lessons learned (Pillar 5 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Business continuity plan testing is performed on a periodic basis to test the entity's ability to respond to, recover from, and resume operations through significant disruptions. Testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of syst… (A1.3 ¶ 2 Bullet 1 Implements Business Continuity Plan Testing, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 ¶ 2 Bullet 6 Implements Incident-Recovery Plan Testing, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Recovery plans incorporate lessons learned. (RC.IM-1, CRI Profile, v1.2)
  • Initiates corrective actions, if needed. (CP-4c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Initiates corrective actions, if needed. (CP-4c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Initiates corrective actions, if needed. (CP-4c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Initiates corrective actions, if needed. (CP-4c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 Implements Business Continuity Plan Testing, Trust Services Criteria)
  • Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 Implements Incident Recovery Plan Testing, Trust Services Criteria)
  • Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 ¶ 2 Bullet 6 Implements Incident-Recovery Plan Testing, Trust Services Criteria, (includes March 2020 updates))
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 ¶ 2 Bullet 1 Implements Business Continuity Plan Testing, Trust Services Criteria, (includes March 2020 updates))
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business conti… (Business Continuity Planning Process, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Document conclusions related to the quality and effectiveness of the business continuity process. (TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Adjusting programs and operations in response to test results and actual events. (App A Objective 2:2e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Incorporating lessons learned from testing and events. (App A Objective 2:3d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management has documented, analyzed, and reviewed lessons learned from adverse events. Documented procedures for incorporating lessons learned may include: (App A Objective 11:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Document recommendations for future exercise and tests. (App A Objective 10:28g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that test results are used to update the business continuity processes, enhance future testing, and evaluate whether risk mitigation strategies should be adjusted. (App A Objective 10:30, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Evaluate whether management integrates the entity's AIO functions into the entity's BCM program to mitigate threats, respond to and recover from disruptions, and incorporate lessons learned to strengthen the entity's resilience. (App A Objective 8:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Initiates corrective actions, if needed. (CP-4c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Initiates corrective actions, if needed. (CP-4c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Initiates corrective actions, if needed. (CP-4c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Initiate corrective actions, if needed. (CP-4c., FedRAMP Security Controls High Baseline, Version 5)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., FedRAMP Security Controls High Baseline, Version 5)
  • Initiate corrective actions, if needed. (CP-4c., FedRAMP Security Controls Low Baseline, Version 5)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., FedRAMP Security Controls Low Baseline, Version 5)
  • Initiate corrective actions, if needed. (CP-4c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Initiate corrective actions, if needed. (CP-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Initiate corrective actions, if needed. (CP-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Initiate corrective actions, if needed. (CP-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Initiate corrective actions, if needed. (CP-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Initiate corrective actions, if needed. (CP-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Initiate corrective actions, if needed. (CP-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Recovery planning and processes are improved by incorporating lessons learned into future activities. (RC.IM Improvements, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Recovery plans incorporate lessons learned (RC.IM-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Recovery planning and processes are improved by incorporating lessons learned into future activities. (RC.IM Improvements, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Recovery plans incorporate lessons learned (RC.IM-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Recovery plans are updated with lessons learned. (RC.IM-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Initiates corrective actions, if needed. (CP-4c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Initiates corrective actions, if needed. (CP-4c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Initiates corrective actions, if needed. (CP-4c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A TT&E program provides an overall framework for determining, scheduling, and setting objectives for TT&E activities. Guidance on establishing an effective ISCP TT&E program and the various methods and approaches for conducting TT&E activities is provided in NIST SP 800-84. The depth and rigor of IS… (§ 3.5.4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • For each TT&E activity conducted, results are documented in an after-action report, and Lessons Learned corrective actions are captured for updating information in the ISCP. While NIST SP 800-84 provides detailed information on how to plan and conduct TT&E activities for information systems, the fol… (§ 3.5 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Event Documentation. All recovery and reconstitution events should be well documented, including actions taken and problems encountered during the recovery and reconstitution efforts. An after-action report with lessons learned should be documented and included for updating the ISCP. (§ 4.4 ¶ 3 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Operation/Maintenance Phase. When the information system is operational, users, administrators, and managers should maintain a test, training, and exercise program which continually validates the contingency plan procedures and technical recovery strategy. Exercises and tests should be conducted on … (Appendix F ¶ 9, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Initiates corrective actions, if needed. (CP-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Initiate corrective actions, if needed. (CP-4c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Initiate corrective actions, if needed. (CP-4c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and (CP-2g., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Initiates corrective actions, if needed. (CP-4c., TX-RAMP Security Controls Baseline Level 1)
  • Initiates corrective actions, if needed. (CP-4c., TX-RAMP Security Controls Baseline Level 2)