Validate the emergency communications procedures during continuity plan tests.


CONTROL ID
12777
CONTROL TYPE
Testing
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Test the continuity plan, as necessary., CC ID: 00755

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • staff evacuation and communication arrangements (e.g. call-out trees) should be validated; (6.1.3 Bullet 1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The FI should carry out regular scenario-based cyber exercises to validate its response and recovery, as well as communication plans against cyber threats. These exercises could include social engineering, table-top, or cyber range exercises. (§ 13.3.1, Technology Risk Management Guidelines, January 2021)
  • be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and (3.7.4 89(b), Final Report EBA Guidelines on ICT and security risk management)
  • test the crisis communication plans established in accordance with Article 14. (Art. 11.6. ¶ 1(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Is there a procedure for issuing alerts and warnings and is this communication regularly exercised and records kept of the results? (Operation ¶ 25, ISO 22301: Self-assessment questionnaire)
  • Internal and external communications processes and links; (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Notification procedures to follow for internal and external contacts. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The ability to communicate with key internal and external stakeholders; (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Validating communication protocols. (App A Objective 10:16f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization tests alternate telecommunication services [Assignment: organization-defined frequency]. (CP-8(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Test alternate telecommunication services [Assignment: organization-defined frequency]. (CP-8(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Test alternate telecommunication services [Assignment: organization-defined frequency]. (CP-8(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)