Include scenario analyses of various contingency scenarios in the continuity plan.


CONTROL ID
13057
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan. (CC ID: 00752)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested; (5.2.3 (e), Guidelines on Outsourcing)
  • The institution should consider worst case scenarios in its business continuity plans. Some examples of these scenarios are unavailability of service provider due to unexpected termination of the outsourcing agreement, liquidation of the service provider and wide-area disruptions that result in coll… (5.7.4, Guidelines on Outsourcing)
  • In formulating and constructing a rapid recovery plan, the FI should include a scenario analysis to identify and address various types of contingency scenarios. The FI should consider scenarios such as major system outages which may be caused by system faults, hardware malfunction, operating errors … (§ 8.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A financial institution should consider a range of different scenarios in its BCP, including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario, and it should assess the potential impact that such scenarios might have. Based on these scenarios, a financial ins… (3.7.2 82, Final Report EBA Guidelines on ICT and security risk management)
  • Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures o… (4.9 49, Final Report on EBA Guidelines on outsourcing arrangements)
  • The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by… (4.12.2 65, Final Report on EBA Guidelines on outsourcing arrangements)
  • the potential impact of the insolvency or other failure of the service provider or the failure of the service (see Chapter 10); and (§ 4.12 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • Use COVID-19 outbreak to test/learn from existing plans, systems and lesson-learning exercises to inform future preparedness and response activities (Pillar 1 Step 3 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Recent and wide-scale cyber attack scenarios; (RS.IM-2.1(3), CRI Profile, v1.2)
  • Recent and wide-scale cyber attack scenarios; (RC.IM-2.1(3), CRI Profile, v1.2)
  • Recent and wide-scale cyber attack scenarios; (RS.IM-2.1(3), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 Implements Business Continuity Plan Testing, Trust Services Criteria)
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 ¶ 2 Bullet 1 Implements Business Continuity Plan Testing, Trust Services Criteria, (includes March 2020 updates))
  • Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Bas… (Business Continuity Plan Development, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution's staff are unavailable for prolonged periods. Such procedures could include social distancing to minim… (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Solutions to various types of foreseeable disruptions, including those emanating from cyber threats. (App A Objective 8:1b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A threat model can also include potential threat scenarios related to non-adversarial threat sources. For these threat sources, the scope or scale of effects, duration or time frame, and types of assets affected are identified. If possible, provide a reference to a publicly available description of … (3.2.1.4 ¶ 3, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Each alternative can be assessed or characterized in terms of the evaluation criteria. To support assessments, the adversarial analysis can be revisited for each alternative. Due to synergies or other interactions between cyber resiliency techniques, changes in scores, heat maps, or coverage maps mu… (3.2.5.2 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Although major disruptions with long-term effects may be rare, they should be accounted for in the contingency plan. Thus, for all FIPS 199 moderate- or high-impact systems, the plan should include a strategy to recover and perform system operations at an alternate facility for an extended period. O… (§ 3.4.3 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When evaluating the choices, the ISCP Coordinator should consider that purchasing equipment when needed is cost-effective but can add significant overhead time to recovery while waiting for shipment and setup; conversely, storing unused equipment is costly, but allows recovery operations to begin mo… (§ 3.4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel should be chosen to staff these teams based on their skills and knowledge. Ideally, teams are staffed with personnel responsible for the same or similar functions under normal conditions. For example, server recovery team members should include the server administrators. Team members must … (§ 3.4.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))