Test the recovery plan, as necessary.


CONTROL ID
13290
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a recovery plan., CC ID: 13288

This Control has the following implementation support Control(s):
  • Test the backup information, as necessary., CC ID: 13303
  • Document lessons learned from testing the recovery plan or an actual event., CC ID: 13301


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Due to the dynamic nature of the cloud, information may not immediately be located in the event of a disaster. Business continuity and disaster recovery plans must be well documented and tested. The cloud provider must understand the role it plays in terms of backups, incident response and recovery.… (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 2 ¶ 7 h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • The FI should perform regular testing of its disaster recovery plan to validate the effectiveness of the plan and ensure its systems are able to meet the defined recovery objectives. Relevant stakeholders, including those in business and IT functions, should participate in the disaster recovery test… (§ 8.3.1, Technology Risk Management Guidelines, January 2021)
  • Redundancy or fault-tolerant solutions should be implemented for IT systems which require high system availability. The FI should perform a periodic review of its IT system and network architecture design to identify weaknesses in the existing design. The review should include a mapping of internal … (§ 8.1.2, Technology Risk Management Guidelines, January 2021)
  • Restoration of important data, software and configuration settings from backups to a common point of time is tested as part of disaster recovery exercises. (Control: ISM-1515; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Restoration of important data, software and configuration settings from backups to a common point of time is tested as part of disaster recovery exercises. (Control: ISM-1515; Revision: 3, Australian Government Information Security Manual, September 2023)
  • A regulated institution would normally test system resilience and recovery capabilities at least annually to verify that business continuity and recovery requirements are achievable and that recovery plans remain current. The institution would benefit from a multi-year schedule of testing that incor… (Attachment B ¶ 9, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • processes that provide reasonable assurance that system recovery procedures and components are in place at the time of deployment to production so that recovery requirements can be met; and (Attachment A ¶ 2(h), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT sys… (3.5 57, Final Report EBA Guidelines on ICT and security risk management)
  • test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly, as well as in the event of any substantive changes to ICT systems supporting critical or important functions; (Art. 11.6. ¶ 1(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • test, on a regular basis, the plans and measures referred to in point (f), as well as the effectiveness of the controls implemented in accordance with points (a) and (c); (Art. 16.1. ¶ 2(g), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Backup media and restoration procedures must be tested with dedicated test media by qualified employees at regular intervals. The tests are designed in such a way that the reliability of the backup media and the restoration time can be audited with sufficient certainty. The tests are carried out by … (Section 5.6 RB-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Incident management and system recovery testing is performed on a periodic basis to make sure the entity continues to be able to identify, evaluate and respond to critical incidents. Testing includes: 1) the development and use of test scenarios based on the likelihood and magnitude of potential thr… (S7.5 Implements incident management and recovery testing, Privacy Management Framework, Updated March 1, 2020)
  • Verify that regular backups of important data are performed and that test restoration of data is performed. (8.1.5, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion. (14.1.4, Application Security Verification Standard 4.0.3, 4.0.3)
  • Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities. (BCR-10, Cloud Controls Matrix, v4.0)
  • Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets. (CIS Control 11: Safeguard 11.5 Test Data Recovery, CIS Controls, V8)
  • periodically test the planned response actions, where practicable; (§ 8.2 ¶ 2 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • periodically testing and exercising the planned response capability; (§ 8.2 ¶ 1 c), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives. (A1.3 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 ¶ 2 Bullet 6 Implements Incident-Recovery Plan Testing, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. (PR.IP-10.4, CRI Profile, v1.2)
  • Response and recovery plans are tested. (PR.IP-10, CRI Profile, v1.2)
  • The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. (PR.IP-10.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reading incident response and recovery plan documentation to understand the service organization's processes for recovering from identified system events, including its incident response procedures, incident communication protocols, recovery procedures, alternate processing plans, and procedures for… (¶ 3.59 Bullet 12, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives. (A1.3, Trust Services Criteria)
  • Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 Implements Incident Recovery Plan Testing, Trust Services Criteria)
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives. (A1.3 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 ¶ 2 Bullet 6 Implements Incident-Recovery Plan Testing, Trust Services Criteria, (includes March 2020 updates))
  • With an operational exercise. (CIP-009-6 Table R2 Part 2.1 Requirements ¶ 1 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • By recovering from an actual incident; (CIP-009-6 Table R2 Part 2.1 Requirements ¶ 1 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Test each of the recovery plans referenced in Requirement R1 at least once every 36 calendar months through an operational exercise of the recovery plans in an environment representative of the production environment. (CIP-009-6 Table R2 Part 2.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Test each of the recovery plans referenced in Requirement R1 at least once every 15 calendar months: (CIP-009-6 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • With a paper drill or tabletop exercise; or (CIP-009-6 Table R2 Part 2.1 Requirements ¶ 1 Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Verification of continuity and resilience process assumptions and the ability to process a sufficient volume of work during adverse operating conditions. (App A Objective 10:7f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that exercise and test objectives include resilience, system monitoring, and the recovery of business processes and critical system components. (App A Objective 10:10, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Build confidence that resilience and recovery strategies meet business requirements. (App A Objective 10:11a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Develop exercises that demonstrate not only the ability to failover to an alternate site but also validate recovery objectives. (App A Objective 10:13c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Performing recovery exercises over a sufficient length of time to allow issues to unfold as they would in a crisis. (App A Objective 10:16j, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Establish that critical services can be restored in the event of an incident at the recovery location. (App A Objective 10:11c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the exercise and test program is sufficient to demonstrate the entity's ability to meet its continuity objectives and whether the results demonstrate the readiness of personnel to achieve the entity's recovery and resumption objectives. Determine whether management accomplishes the… (App A Objective 10:28, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels. For financial institutions and service providers with complex retail payment operati… (Business Continuity Planning, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the center has established and tested procedures to recover and restore data under various contingency scenarios. (App A Tier 2 Objectives and Procedures L.5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Business resilience and recovery capabilities. Operations moved to cloud computing environments should have resilience and recovery capabilities commensurate with the risk of the service or operation for the financial institution. Management should review and assess the resilience capabilities and s… (Risk Management Resilience and Recovery Bullet 1, FFIEC Security in a Cloud Computing Environment)
  • Schedule for exercising the DRP. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 1 Bullet 9, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response and recovery plans are tested. (PR.PO-P8, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)