Establish, implement, and maintain a recovery plan.


CONTROL ID: 13288
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

This Control has the following implementation support Control(s):
  • Notify interested personnel and affected parties of updates to the recovery plan., CC ID: 13302
  • Include addressing backup failures in the recovery plan., CC ID: 13298
  • Include procedures to verify completion of the data backup procedure in the recovery plan., CC ID: 13297
  • Include the roles and responsibilities of responders in the recovery plan., CC ID: 13296
  • Include the procedures for the storage of information necessary to recover functionality in the recovery plan., CC ID: 13295
  • Include the backup procedures for information necessary to recover functionality in the recovery plan., CC ID: 13294
  • Include the criteria for activation in the recovery plan., CC ID: 13293
  • Include procedures to preserve data before beginning the recovery process in the recovery plan., CC ID: 13292
  • Determine the cause for the activation of the recovery plan., CC ID: 13291
  • Test the recovery plan, as necessary., CC ID: 13290
  • Disseminate and communicate the recovery plan to interested personnel and affected parties., CC ID: 14859


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Establishing system backups and disaster recovery plans. Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack). (Critical components of information security 24) viii. ¶ 1 m., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Reliability - As several virtual servers work on a single physical server, failures of hardware components may affect all the virtual servers running on it. Planning and implementing disaster recovery strategies to ensure reliability of a virtual infrastructure will be a better solution. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 5 d., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately. (Article 46-2(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The FI's disaster recovery plan should include procedures to recover systems from various disaster scenarios, as well as the roles and responsibilities of relevant personnel in the recovery process. The disaster recovery plan should be reviewed at least annually and updated when there are material c… (§ 8.2.2, Technology Risk Management Guidelines, January 2021)
  • During the recovery process, the FI should follow the established disaster recovery plan that has been tested and approved by management. The FI should avoid deviating from the plan as untested recovery measures could exacerbate the incident and prolong the recovery process. In exceptional circumsta… (§ 8.2.3, Technology Risk Management Guidelines, January 2021)
  • Recovery under all plausible scenarios (Attachment G Control Objective Row 10, APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Regardless of the level of resilience, APRA envisages that a regulated institution would still develop formal recovery plans to enable recovery of critical IT assets to a known state, sufficient to enable restoration of critical business operations in line with business needs. (Attachment B ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • be updated in line with lessons learned from incidents, tests, new risks identified and threats, and changed recovery objectives and priorities. (3.7.3 84(c), Final Report EBA Guidelines on ICT and security risk management)
  • be documented and made available to the business and support units and readily accessible in the event of an emergency; (3.7.3 84(b), Final Report EBA Guidelines on ICT and security risk management)
  • Based on the BIAs (paragraph 78) and plausible scenarios (paragraph 82), financial institutions should develop response and recovery plans. These plans should specify what conditions may prompt activation of the plans and what actions should be taken to ensure the availability, continuity and recove… (3.7.3 83, Final Report EBA Guidelines on ICT and security risk management)
  • ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and (§ 107(2)(c), UK Data Protection Act 2018 Chapter 12)
  • Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT continge… (DS4.1 IT Continuity Framework, CobiT, Version 4.1)
  • Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and th… (DS4.8 IT Services Recovery and Resumption, CobiT, Version 4.1)
  • Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recove… (DS4.2 IT Continuity Plans, CobiT, Version 4.1)
  • Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes. (BCR-09, Cloud Controls Matrix, v4.0)
  • Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process, CIS Controls, V8)
  • Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. (CIS Control 11: Data Recovery, CIS Controls, V8)
  • periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or tests; (§ 8.2 ¶ 2 e), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • take action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact; (§ 8.2 ¶ 2 c), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, CRI Profile, v1.2)
  • Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. (RC.RP-1.2, CRI Profile, v1.2)
  • The organization periodically reviews recovery strategy and exercises and updates them as necessary, based on: (RC.IM-2.1, CRI Profile, v1.2)
  • Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents. (Recovery Planning (RC.RP), CRI Profile, v1.2)
  • Recovery strategies are updated. (RC.IM-2, CRI Profile, v1.2)
  • Operationally and technically plausible future cyber attacks; and (RC.IM-2.1(4), CRI Profile, v1.2)
  • New technological developments. (RC.IM-2.1(5), CRI Profile, v1.2)
  • The organization executes its recovery plans, including incident recovery, disaster recovery and business continuity plans, during or after an incident to resume operations. (RC.RP-1.1, CRI Profile, v1.2)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. (PR.IP-9, CRI Profile, v1.2)
  • Recovery plan is executed during or after a cybersecurity incident. (RC.RP-1, CRI Profile, v1.2)
  • The organization periodically reviews recovery strategy and exercises and updates them as necessary, based on: (RC.IM-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization executes its recovery plans, including incident recovery, disaster recovery and business continuity plans, during or after an incident to resume operations. (RC.RP-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Current cyber threat intelligence (both internal and external sources); (RC.IM-2.1(2), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. (RC.RP-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Widely reported events, industry reports and cybersecurity incidents that have occurred outside the organization. (RC.IM-1.1(3), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization designs and tests its cyber resilience plans, and exercises to support financial sector's sector-wide resilience and address external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. (DM.RS-2.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reading incident response and recovery plan documentation to understand the service organization's processes for recovering from identified system events, including its incident response procedures, incident communication protocols, recovery procedures, alternate processing plans, and procedures for… (¶ 3.59 Bullet 12, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Each Responsible Entity shall maintain each of its recovery plan(s) in accordance with each of the applicable requirement parts in CIP-009-6 Table R3 – Recovery Plan Review, Update and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment]. (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Each Responsible Entity shall have one or more documented recovery plan(s) that collectively include each of the applicable requirement parts in CIP-009-6 Table R1 – Recovery Plan Specifications. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning]. (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Each Responsible Entity shall implement its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP-009-6 Table R2 – Recovery Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-time Operations.] (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Update the recovery plan based on any documented lessons learned associated with the plan; and (CIP-009-6 Table R3 Part 3.1 Requirements 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Update the recovery plan; and (CIP-009-6 Table R3 Part 3.2 Requirements 3.2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a … (§242.1001(a)(2)(v), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. (§ 164.308(a)(7)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Reasonableness of recovery objectives. (III.A Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The board and senior management should develop effective strategies to meet resilience and recovery objectives. Effective oversight generally includes guidelines to achieve defined business continuity objectives. (IV Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Appropriateness of resilience practices, including the adequacy of recovery infrastructure and backup processes. (IV.A Action Summary ¶ 3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Periodically reassess backup and recovery strategies as technology and threats change. (App A Objective 6:3c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management documents the reasons (e.g., cost and service level) for choosing recovery alternatives and why they are appropriate based on the entity's risk profile and complexity. (App A Objective 12:1c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Maintains standard images of the entity's servers and stores them securely. Uses clean (i.e., trusted) images to restore the server if a server needs to be rebuilt and documents, reviews, and approves deviations from the standard image. (App A Objective 13:3g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluate whether business line management is consulted to assist in data classification, recovery standards development, and appropriate control validation. (App A Objective 3:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluate whether management integrates the entity's AIO functions into the entity's BCM program to mitigate threats, respond to and recover from disruptions, and incorporate lessons learned to strengthen the entity's resilience. (App A Objective 8:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Capability to restore operations to a previous trusted state. (App A Objective 15:4a Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Appropriate preventive maintenance or operational restoration processes for equipment within the facilities that support the entity's business objectives. (VI.B Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels. For financial institutions and service providers with complex retail payment operati… (Business Continuity Planning, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the center has established and tested procedures to recover and restore data under various contingency scenarios. (App A Tier 2 Objectives and Procedures L.5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. (T0070, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform backup and recovery of databases to ensure data integrity. (T0162, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and implement network backup and recovery procedures. (T0065, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure the execution of disaster recovery and continuity of operations. (T0477, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. (T0548, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. (PR.PO-P7, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Approaches to applying cyber resiliency techniques vary in maturity and adoption. The decision to use less mature technologies depends on the organization's risk management strategy and its strategy for managing technical risks. Many highly mature and widely adopted technologies and processes that w… (3.1.8 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Perform backup and recovery of databases to ensure data integrity. (T0162, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. (T0070, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure the execution of disaster recovery and continuity of operations. (T0477, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. (T0548, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Plan, execute, and verify data redundancy and system recovery procedures. (T0186, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The information system implements transaction recovery for systems that are transaction-based. (CP-10(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)