Establish, implement, and maintain a business continuity program.


CONTROL ID
13210
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Operational and Systems Continuity, CC ID: 00731

This Control has the following implementation support Control(s):
  • Involve auditors in reviewing and testing the business continuity program., CC ID: 13211
  • Establish, implement, and maintain a business continuity policy., CC ID: 12405
  • Establish, implement, and maintain a business continuity testing policy., CC ID: 13235
  • Establish, implement, and maintain a continuity framework., CC ID: 00732
  • Establish, implement, and maintain a continuity plan., CC ID: 00752
  • Establish, implement, and maintain organizational facility continuity plans., CC ID: 02224
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735
  • Disseminate and communicate the continuity plan to interested personnel and affected parties., CC ID: 00760


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • An institution should ensure that its business continuity is not compromised by outsourcing arrangements, in particular, of the operation of its critical systems as stipulated under the Technology Risk Management Notice. An institution should adopt the sound practices and standards contained in the … (5.7.1, Guidelines on Outsourcing)
  • Financial institutions should establish a sound business continuity management (BCM) process to maximise their abilities to provide services on an ongoing basis and to limit losses in the event of severe business disruption in line with Article 85(2) of Directive 2013/36/EU and Title VI of the EBA G… (3.7 77, Final Report EBA Guidelines on ICT and security risk management)
  • business continuity management; (Art. 16.1(c), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Ensuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors. (Section 5.6 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. (BCR-05, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually. (BCR-01, Cloud Controls Matrix, v4.0)
  • Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (§ 164.308(a)(7)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Determine whether management established a crisis or emergency management process. Verify whether the BCP addresses the following: (App A Objective 8:13, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Management adequately considers and implements resilience as part of the entity's risk mitigation strategy for AIO. (III.F, "Resilience") (App A Objective 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ensures the entity's business strategy and reliance on business functions drive the design for the entity's resilience. (App A Objective 8:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should develop and implement service and support processes. These processes should be designed to support an entity's strategic goals and objectives by preventing issues, ensuring continuous reliability and resilience, and supporting users (e.g., business lines, personnel, and customers). (VI.C Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to saf… (V Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance. (T0044, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish alternative processing, exploitation and dissemination pathways to address identified issues or problems. (T0681, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)