Lead or manage business continuity and system continuity, as necessary.


CONTROL ID
12240
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

This Control has the following implementation support Control(s):
  • Allocate financial resources to implement the continuity plan, as necessary., CC ID: 12993
  • Allocate personnel to implement the continuity plan, as necessary., CC ID: 12992


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT service… (3.7.2 80, Final Report EBA Guidelines on ICT and security risk management)
  • Have measurable business continuity (BC) objectives been established, documented and communicated throughout the organization with a plan to achieve them? (Planning ¶ 3, ISO 22301: Self-assessment questionnaire)
  • A set of indicators to management that will aid them in selecting an appropriate level of response bringing into effect the related policies discussed in section 4.4—for the organization. There should be a graduated level of response related to the WHO pandemic alert level or other authoritative i… (4.5, Pandemic Response Planning Policy)
  • Ensure enterprise architects are including pandemic contingency in planning (4.10(a), Pandemic Response Planning Policy)
  • - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes… (§ 5.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, respo… (§ 5.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS. (§ 7.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • directing and supporting persons to contribute to the effectiveness of the BCMS; (§ 5.1 ¶ 1 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Bas… (Business Continuity Plan Development, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Board expectations for overall business continuity capabilities, including guidelines to achieve defined business continuity objectives. (VII Action Summary ¶ 2 Bullet 11, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP includes procedures for coordination with the first responders and local and state government agencies, when appropriate. (App A Objective 8:6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Coordination with regulatory agencies, local and state officials, law enforcement, and first responders. (App A Objective 8:13a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • These steps represent key elements in a comprehensive information system contingency planning capability. Developing contingency planning policy and performing system BIA(s) are accomplished early in the SDLC (see Appendix F) and before the systems are categorized in accordance with the RMF. Six of … (§ 3 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • To be effective and to ensure that personnel fully understand the organization's contingency planning requirements, the contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the organization's overall contingency objectives and establish … (§ 3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • For most systems, a management team is necessary for providing overall guidance following a major system disruption or emergency. The team is responsible for activating the contingency plan and supervising the execution of contingency operations. The management team also facilitates communications a… (§ 3.4.6 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Each team is led by a team leader who directs overall team operations, acts as the team's representative to management, and liaises with other team leaders. The team leader disseminates information to team members and approves any decisions that must be made within the team. Team leaders should have… (§ 3.4.6 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))