
Allocate personnel to implement the continuity plan, as necessary.


CONTROL ID: 12992
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Lead or manage business continuity and system continuity, as necessary. (CC ID: 12240)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • CSIRTs shall be adequately staffed to ensure availability at all times. (ANNEX I ¶ 1(1)(c)(ii), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Is there an Incident Response Structure (IRS) which details the management structure and trained personnel in place to respond to a disruptive incident? (Operation ¶ 19, ISO 22301: Self-assessment questionnaire)
  • people; (§ 8.3.4 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Trained employees are located at the back-up site at the time of disruption; (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 6 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavaila… (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The accessibility, rotation, and cross training of staff necessary to support critical business operations; (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the strategy addresses staffing considerations, including: (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Alternate staff; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:3 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Allocating knowledgeable personnel and sufficient financial resources. (App A Objective 2:5b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Appropriate personnel and skillsets to carry out the functions. (App A Objective 6:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Personnel at alternate sites, including arrangements for those permanently located at the alternate facility. (App A Objective 8:1i, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify whether management designates key personnel from applicable departments to act during a crisis or emergency situation. Key personnel may include: (App A Objective 8:12, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Trained employees are located at the backup sites at the time of disruption. (App A Objective 10:24c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Backup site employees are independent of the staff located at the primary site at the time of disruption. (App A Objective 10:24d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Whether personnel at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period. (App A Objective 10:25b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The ISCP Coordinator should ensure that the strategy chosen can be implemented effectively with available personnel and financial resources. The cost of each type of alternate site, equipment replacement, and storage option under consideration should be weighed against budget limitations. The coordi… (§ 3.4.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel should be chosen to staff these teams based on their skills and knowledge. Ideally, teams are staffed with personnel responsible for the same or similar functions under normal conditions. For example, server recovery team members should include the server administrators. Team members must … (§ 3.4.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))