Validate information security continuity controls regularly.
CONTROL ID
12008
CONTROL TYPE
Systems Continuity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Moreover, AIs should implement adequate controls to promptly detect and respond to the threats posed by distributed denial-of-service (DDoS) or other cyber attacks that could directly or indirectly cause disruptions to e-banking systems. These controls should be validated (e.g. testing at point of s… (§ 9.5.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Moreover, AIs should implement adequate controls to promptly detect and respond to the threats posed by distributed denial-of-service (DDoS) or other cyber attacks that could directly or indirectly cause disruptions to e-banking systems. These controls should be validated (e.g. testing at point of s… (§ 9.5.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; (4.13.3 93(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. (A.17.1.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. (§ 17.1.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • SL 1 – Ensure that the component operates reliably under normal production conditions and prevents denial-of-service situations caused by the casual or coincidental actions of an entity. (11.1 ¶ 1 Bullet 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank holding company's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those tha… (§ III.C(3), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements. (RE.5.140, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Security controls and protocols, including physical and logical. (App A Objective 8:11a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Cyber events. (App A Objective 10:23f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Regularly validate that technical controls comply with the organization's cybersecurity policies, plans and procedures, and report results to senior management. (Table 2: Protective Technology Baseline Security Measures Cell 2, Pipeline Security Guidelines)