
Include telecommunications continuity procedures in the continuity plan.


CONTROL ID: 11691
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the alternate business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by A… (5.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • It is necessary to provide standbys for important communication devices. (P86.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended to provide multiple lines between sites (outside the premises) for important lines or to secure backup lines for important lines. Note that when multiple lines are provided, it is recommended that routes be physically separated (that is, passing through different exchange facilitie… (P87.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Member States shall ensure that each CSIRT has at its disposal an appropriate, secure, and resilient communication and information infrastructure through which to exchange information with essential and important entities and other relevant stakeholders. To that end, Member States shall ensure that … (Article 10 3., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Precautions against the failure of supply services such as power, cooling or network connections are taken by means of suitable safeguards and redundancies in coordination with safeguards for operational reliability. Power and telecommunication supply lines which transport data or supply information… (Section 5.5 PS-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Verification of the ability for significantly increased telecommuting including bandwidth, VPN concentrator capacity/licensing, ability to offer voice over IP and laptop/remote desktop availability (4.10(b), Pandemic Response Planning Policy)
  • Procedures and resources should be implemented to assist organizations with negotiating and bringing in telecommunications service providers in order to meet the minimum standards for redundancy, security, reliability, and quality. (§ 6.7.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Telecommunications; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Disruption of telephony and electronic messaging due to the convergence of voice and data services on the same network; and (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Disruption of data and voice communications between facilities and service providers. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:4 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether management documented and implemented, as appropriate, the following resilience measures for telecommunications: (App A Objective 6:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Secure telecommunication options if employees work from an alternate location. (App A Objective 6:4e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Evaluating communications and resilience needs to ensure branch communications. (App A Objective 6:6h, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Establishing redundant telecommunications links with each of the entity's third-party service providers through a contractual arrangement that allows either party to switch its connection to an alternate communication path. (App A Objective 6:6c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Network equipment, connectivity, and communication needs, including entity-owned and personal mobile devices. (App A Objective 8:1h, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implements redundant telecommunications services and establishes work-around procedures for situations where needed. (App A Objective 13:3q, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The telecommunications architecture should have resiliency and redundancy built in. The telecommunications services should have an alternate path available in case the primary path is blocked. (Pg 28, Exam Tier I Obj 8.3, Exam Tier II Q D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Evaluate the adequacy of the ACH contingency plan; determine whether the financial institution has tested it and whether it includes provisions for partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers. (App A Tier 2 Objectives and Procedures L.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • LANs and WANs are two types of telecommunications systems. Considerations provided in section 5.2.1 regarding client/server systems should be used by the Information System Contingency Plan Coordinator, along with the following practices, to develop the telecommunications recovery strategy: document… (§ 5.3, § 5.3.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • While similar contingencies exist for both LAN and WAN telecommunications systems, there are different strategies and solutions the ISCP Coordinator should consider when determining an overall telecommunications recovery strategy. Differences in solutions primarily exist due to geographic and connec… (§ 5.3.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When developing the telecommunications recovery strategy, the ISCP Coordinator should apply considerations that were provided in Section 5.2.1 regarding client/server systems. In addition, the following practices should be considered: (§ 5.3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Contingency planning also should consider network-connecting devices, such as hubs, switches, routers, and bridges. The BIA should characterize the roles that each device serves in the network, and a contingency solution should be developed for each device based on its BIA criticality. As an example… (§ 5.3.2 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Use results from the BIA. Impacts and priorities discovered through the BIA of associated systems should be reviewed to determine telecommunications recovery priorities. The BIA should identify the high-availability FIPS 199 impact levels for any data networks and email that support COOP Mission, Pr… (§ 5.3.1 ¶ 1 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))