Establish, implement, and maintain Recovery Time Objectives for all in scope services.
CONTROL ID
12241
CONTROL TYPE
Systems Continuity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When selecting the storage site, it is recommended not to share risk factors (fires, earthquakes, power failure, etc.) with the production file storage site (where the current system is holding data files) and to judge comprehensively, considering the time that must be taken to transfer data files t… (P39.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Determine that the service provider has in place satisfactory business continuity plans ("BCP") that are commensurate with the nature, scope and complexity of the outsourcing arrangement. Outsourcing agreements should contain BCP requirements on the service provider, in particular, recovery time obj… (5.7.2 (a), Guidelines on Outsourcing)
  • In determining the recovery time and recovery point objectives for each function, financial entities shall take into account whether it is a critical or important function and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed … (Art. 12.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and th… (DS4.8 IT Services Recovery and Resumption, CobiT, Version 4.1)
  • There shall be a defined and documented method for determining the impact of any disruption to the organization that must incorporate the following: - Identify critical products and services - Identify all dependencies, including processes, applications, business partners, and third party service … (BCR-09, Cloud Controls Matrix, v3.0)
  • be monitored and updated as appropriate. (§ 6.2 ¶ 2 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • shorten the period of disruption; (§ 8.3.2 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery … (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels. For financial institutions and service providers with complex retail payment operati… (Business Continuity Planning, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Estimated time to restore normal services. (§ 4.2.3 ¶ 1 Bullet 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))