Back

Establish, implement, and maintain Recovery Time Objectives for all in scope systems.


CONTROL ID
11688
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Reconfigure restored systems to meet the Recovery Time Objectives., CC ID: 11693


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • When selecting the storage site, it is recommended not to share risk factors (fires, earthquakes, power failure, etc.) with the production file storage site (where the current system is holding document files) and to judge comprehensively, considering the document transfer time to the current system… (P45.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When selecting the storage site, it is recommended not to share risk factors (fires, earthquakes, power failure, etc.) with the production file storage site (where the current system is holding data files) and to judge comprehensively, considering the time that must be taken to transfer data files t… (P41.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Confirm the recovery time, including the movement and transfer time of personnel, data, goods, etc. at the time of the disaster. (P74.3. ¶ 1(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • The FI should define system recovery and business resumption priorities and establish specific recovery objectives including RTO and recovery point objective (RPO) for IT systems and applications. RTO is the duration of time, from the point of disruption, within which a system should be restored. RP… (§ 8.2.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish systems' recovery time objectives (RTO) and recovery point objectives (RPO) that are aligned to its business resumption and system recovery priorities. (§ 8.2.1, Technology Risk Management Guidelines, January 2021)
  • The architecture of the network is documented comprehensibly and currently (e. g. in the form of diagrams) in order to avoid errors in the management during live operation and ensure timely restoration according to the contractual duties in the event of damage. Different environments (e. g. administ… (Section 5.9 KOS-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Determination of time-limited targets for the maximum acceptable period of time during which data is lost and cannot be restored (recovery point objective, RPO) (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 9, Cloud Computing Compliance Controls Catalogue (C5))
  • Determination of time-limited targets for the recovery of critical products and services within the maximum acceptable period of time (recovery time objective, RTO) (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 8, Cloud Computing Compliance Controls Catalogue (C5))
  • Does the BIA enable prioritization of timeframes for resuming each activity (Recovery Time Objectives) and have minimum levels for resuming activities that have been identified? (Operation ¶ 8, ISO 22301: Self-assessment questionnaire)
  • There are activities that should be carried out initially and on an ongoing basis. Some of these activities may include: defining the roles, responsibilities, and scope; appointing an individual or team to manage the ongoing needs; keeping the business continuity program up to date; promoting the bu… (§ 5.4.2, § 7.5.3, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The organization must define an incident response structure that is documented, predefined, and has a fit-for-purpose structure to enable an effective response and recovery; determine how critical activities will be recovered within the recovery time objective and the business continuity management … (§ 4.2, BS 25999-2, Business continuity management. Specification, 2007)
  • The Information Technology Service Continuity (ITSC) strategy should define the high-level methods and direction in order to meet the information technology service level objectives and should ensure the business is never compromised because of a lack of information technology availability that is b… (§ 5.1, Annex B, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and (§ 8.2.2 ¶ 2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The determination of strategy shall include approving prioritized time frames for the resumption of activities. (§ 8.3.1 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, respo… (§ 5.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. (§ 8.4.4 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • set prioritized time frames within the time identified in d) for resuming disrupted activities at a specified minimum acceptable capacity; (§ 8.2.2 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The recovery plan includes a minimum recovery time for the sector critical systems. (RC.RP-1.3, CRI Profile, v1.2)
  • The recovery plan includes a minimum recovery time for the sector critical systems. (RC.RP-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact… (Business Impact Analysis, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability … (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The service provider must define a time period for recovery to an alternate processing site that is consistent with the Recovery Time Objectives and Business Impact Analysis. (Column F: CP-7a, FedRAMP Baseline Security Controls)
  • The speed at which data or the system must be restored. This requirement may justify the need for a redundant system, spare offline computer, or valid file system backups. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 3 Bullet 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD. For example, a system outage may prevent a particular process from being completed, and because it takes time to reprocess the data, that additional processing time must be added to the RTO to st… (§ 3.2.1 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When recovering a complex system, such as a wide area network (WAN) or virtual local area network (VLAN) involving multiple independent components, recovery procedures should reflect system priorities identified in the BIA. The sequence of activities should reflect the system's MTD to avoid signific… (§ 4.3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Determine mission/business processes and recovery criticality. Mission/Business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that … (§ 3.2 ¶ 2 (1), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Backup and recovery methods and strategies are a means to restore system operations quickly and effectively following a service disruption. The methods and strategies should address disruption impacts and allowable downtimes identified in the BIA and should be integrated into the system architecture… (§ 3.4.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • recovery time objectives; and (§ 500.13 Asset Management and Data Retention Requirements (a)(1(v), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)