Back

Coordinate and incorporate supply chain members' continuity plans, as necessary.


CONTROL ID
13242
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or… (4.9 48, Final Report on EBA Guidelines on outsourcing arrangements)
  • reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. (4.14 104(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • the business continuity measures; and (4.7 44(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • partners and suppliers. (§ 8.3.4 ¶ 1 h), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Logistical arrangements to support incident management and operations should be reviewed. Expedited procedures may be required in key areas (e.g. surge staff deployments, procurement of essential supplies, staff payments). (Pillar 8: Operational support and logistics, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Assess the capacity of local market to meet increased demand for medical and other essential supplies, and coordinate international request of supplies through regional and global procurement mechanisms (Pillar 8 Step 2 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Joint maintenance of contingency plans; (DM.ED-6.5(1), CRI Profile, v1.2)
  • Joint maintenance of contingency plans; (DM.ED-6.5(1), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether management documented and implemented, as appropriate, the following resilience measures for third-party service providers: (App A Objective 6:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that entity management worked with the third-party service provider to design executable and viable strategies. (App A Objective 8:2b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. (CP-2(7) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. (CP-2(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. (CP-2(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. (CP-2(7) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)