Include information security continuity in the scope of the continuity framework.


CONTROL ID
12009
CONTROL TYPE
Systems Continuity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain the scope of the continuity framework., CC ID: 11908

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In order to ensure that appropriate contingency procedures can be effectively executed when cybersecurity situations occur, a licensed or registered person should make all reasonable efforts to cover possible cyber-attack scenarios such as distributed denial-of-service (DDoS) attacks and total loss … (2.9. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • In the event of failure or disaster, restoration of normal operation to systems or switching to backup sites can cause degradation in security control level. Even in the event of any failure or disaster, the security level should be kept at equivalent level as in the normal operating conditions. (P73.6., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Integrating information security incident response plans with the organization's disaster recovery and business continuity plan (Critical components of information security 10) (ii) f., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event t… (Critical components of information security 29) ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Interfaces with the security incident management (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 8, Cloud Computing Compliance Controls Catalogue (C5))
  • Consideration of information security in Business Continuity Management. (3.1.2 Requirements (should) Bullet 7, Information Security Assessment, Version 5.1)
  • Pursuant to federal statutory authority, including the Federal Information Security Modernisation Act of 2014, the OMB and the National Institute of Standards and Technology (NIST) have developed standards which are binding on federal agencies (including criminal law enforcement authorities) and tha… (3.1.1.2 (104), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Security; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine that the BCP includes appropriate security procedures. (TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Security; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Trainin… (Other Policies, Standards and Processes, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether management considers, plans for, and prepares multiple mechanisms to communicate with personnel and other stakeholders while maintaining appropriate controls to safeguard customer information. Other stakeholders could include: (App A Objective 7:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Solutions to various types of foreseeable disruptions, including those emanating from cyber threats. (App A Objective 8:1b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Fraud identification and suspicious activity reporting. (App A Objective 8:4c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Addresses resilience in operations to prevent data loss, protect sensitive customer information from unauthorized disclosure or manipulation, minimize disruption to service delivery, and prevent the loss of situational awareness of the entity's operations. Evaluate whether this operational resilienc… (App A Objective 8:2f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management effectively manages the following information security considerations related to business continuity planning. Review management's ability to do the following: (App A Objective 6.34, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Define information security needs for backup sites and alternate communication networks. (App A Objective 6.34.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Identify personnel who will have critical information security roles during a disaster, and train personnel in those roles. - Define information security needs for backup sites and alternate communication networks. - Establish and maintain policies that addre… (II.C.21 Business Continuity Considerations, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Developing and implementing processes to identify, protect against, detect, respond to, and recover from security events and incidents. (App A Objective 12:8 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether ACH activities are considered in the institution's overall business continuity plans and insurance program. (App A Tier 1 Objectives and Procedures Objective 8:14, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyberse… (§ 6.2.6 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensure that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s). (T0092, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Information system security plans; (§ 3.1 ¶ 2 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Several alternative approaches should be considered when developing and comparing strategies, including cost, maximum downtimes, security, recovery priorities, and integration with larger, organization-level contingency plans. Table is an example that can assist in identifying the linkage of FIPS 19… (§ 3.4.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Security requirements; (§ 3.6 ¶ 2 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Coordinate with security policies and system security controls. Client/server contingency solutions should be coordinated with security policies and system security controls. In choosing the appropriate technical contingency solution, similar security controls and security-related activities (e.g., … (§ 5.2.1 ¶ 1 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Coordinate with security policies and security controls. Telecommunications contingency solution(s) should be coordinated with network security policies to protect against threats that could disrupt the network. Therefore, in choosing the appropriate technical telecommunications contingency solution… (§ 5.3.1 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Coordinate with security policies and security controls. Server contingency solution(s) should be coordinated with network security policies where similar security controls and security-related activities (e.g., risk assessment, vulnerability scanning) in the production environment should be impleme… (§ 5.2.1 ¶ 3 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Coordinate with network security policy and system security controls. Mainframe contingency solutions should include duplicating interfaces and telecommunications infrastructure as well as coordinating with network security policies, such as stringent access controls. (§ 5.4.1 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Ensure that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s). (T0092, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)