Include emergency operating procedures in the continuity plan.


CONTROL ID
11694
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Include a system acquisition process for critical systems in the emergency mode operation plan., CC ID: 01369


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The procedures should be clearly defined for temporary processing and exceptional processing in response to any troubles that may arise. When executing the processing, it is necessary to pay attention to the schedules considering the influence on other processing. (P36.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In addition, it is necessary to define countermeasures in preparation for cases in which abnormal conditions and unauthorized use of systems are detected. (P46.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • contingency planning and maintenance of business activities in an emergency (business continuity), (§ 8.1 Subsection 5 ¶ 2 Bullet 13, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Emergency plans are defined and reviewed regularly. (3.1.2 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • What operational procedures may need to be altered, amended, or suspended, such as those over facilities, visitors, and non-essential activities and events (4.4(g), Pandemic Response Planning Policy)
  • Emergency Operation Centers (EOCs) should be provided by the service provider at the recovery sites to allow organizations to supervise and maintain communications with their business units and external parties during a failure or disaster. Basic equipment and supplies should be provided to operate … (§ 6.11, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization shall maintain and retain documented information on the process(es) and on the plans for responding to potential emergency situations. (§ 8.2 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Support access to water and sanitation for health (WASH) services in public places and community spaces most at risk (Pillar 6 Step 2 Action 5, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Prepare rapid health assessment/isolation facilities to manage ill passenger(s) and to safely transport them to designated health facilities (Pillar 4 Step 2 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Interfaces capable of human user access are local user interfaces such as touchscreens, push buttons, keyboards, etc. as well as network protocols designed for human user interactions such as hypertext transfer protocol (HTTP), HTTP secure (HTTPS), file transfer protocol (FTP), secure FTP (SFTP), pr… (5.3.2 ¶ 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • § 5.10 The organization must develop a communications system and test it regularly to support the disaster/emergency management and business continuity program. The organization must develop communications procedures and exercise them regularly to support the program. The capability to alert offici… (§ 5.10, § 5.12.1, Annex A.5.12.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Explain actions to be taken in specific emergencies; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Alternatives for payment systems, facilities and infrastructure, data center(s), and branch relocation during a disaster. (V Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Operating alternate equipment successfully. (§ 4.3.2 ¶ 2 Bullet 10, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Plans should be formatted to provide quick and clear directions in the event that personnel unfamiliar with the plan or the systems are called on to perform recovery operations. Plans should be clear, concise, and easy to implement in an emergency. Where possible, checklists and step-by-step procedu… (§ 4 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))