Maintain contact information for key third parties in a readily accessible manner.


CONTROL ID: 12764
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include emergency communications procedures in the continuity plan. (CC ID: 00750)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The BCP should clearly indicate who can speak to the media, and have pre-arrangements for redirecting external communications to designated staff during a disaster. AIs may find it helpful to prepare draft press releases as part of their BCP. This will save the CMTs’ time in determining the main m… (4.7.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents. (Security Control: 1433; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail. (Security Control: 1434; Revision: 2, Australian Government Information Security Manual, March 2021)
  • CSIRTs shall ensure a high level of availability of their communications services by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times. Furthermore, the communication channels shall be clearly specified and well known to the co… (ANNEX I ¶ 1(1)(a), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities. (SEF-08, Cloud Controls Matrix, v4.0)
  • a list of key personnel and aid agencies, including contact details, e.g. fire department and spillage clean-up services; (8.2 ¶ 4 Bullet 10, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The person who sends the commercial electronic message and the person — if different — on whose behalf the commercial electronic message is sent must ensure that the contact information referred to in paragraph (2)(b) is valid for a minimum of 60 days after the message has been sent. (Section 6(3), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (a); and (Section 6(2)(b), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • Law enforcement contact and coordination information. (B. R5. 5.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Law enforcement contact and coordination information. (B. R5. 5.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • For each security-based swap account, a record of the unique identification code of such counterparty, the name and address of such counterparty, and a record of the authorization of each person the counterparty has granted authority to transact business in the security-based swap account. (§ 240.17a-3 (a)(9)(iv), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Communication with employees, emergency personnel, regulators, vendors/suppliers, customers, and the media; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Critical service providers; (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Key financial correspondents; (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:6 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; (Tier I Objectives and Procedures Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (Domain 2: Assessment Factor: Information Sharing, INFORMATION SHARING Baseline 1 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Notifications also should be sent to POCs of external organizations or interconnected system partners that may be adversely affected if they are unaware of the situation. Depending on the type of outage or disruption, the POC may have recovery responsibilities. For each system interconnection with a… (§ 4.2.2 ¶ 6, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Document system configurations and vendor information. Well-documented system configurations ease recovery. Similarly, vendor names and emergency contact information for vendors that supply essential hardware, software, and other components should be listed in the contingency plan so that replacemen… (§ 5.2.1 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • System configuration and vendor information documentation. Document configurations of network connective devices that facilitate telecommunication (e.g., circuits, switches, bridges, and hubs) to ease recovery. Vendors and their contact information should be documented in the contingency plan to pro… (§ 5.3.1 ¶ 1 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • A relationship should be built with local fire and police departments in order to achieve a thorough understanding of the first response procedures and to achieve a trust relationship so that the organization is not first meeting local fire and police departments in a disaster. Fire and police offic… (Appendix D Subsection 4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))