Include the procedures for the storage of information necessary to recover functionality in the recovery plan.


CONTROL ID
13295
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a recovery plan., CC ID: 13288

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • If damage to important data files occurs due to troubles and disasters, it is necessary to acquire backup copies and define the storage and management method for the early recovery of damaged files. (P39.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Financial institutions should ensure that data and ICT system backups are stored securely and are sufficiently remote from the primary site so they are not exposed to the same risks. (3.5 58, Final Report EBA Guidelines on ICT and security risk management)
  • Are there documented plans/procedures for restoring business operations after an incident? Do they reflect the needs of those who will use them and contain all the essential information they need? (Operation ¶ 26, ISO 22301: Self-assessment questionnaire)
  • Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process, CIS Controls, V8)
  • The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps. (RC.RP-1.5, CRI Profile, v1.2)
  • The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps. (RC.RP-1.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. (M1053 Data Backup, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • One or more processes for the backup and storage of information required to recover BES Cyber System functionality. (CIP-009-6 Table R1 Part 1.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Processes and procedures for the backup and secure storage of information. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 1 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The safe storage of installation media, license keys, and configuration information. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 3 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • System data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data backup policies should designate the location of stored data… (§ 3.4.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Minimum frequency of backups and storage of backup media. (§ 3.1 ¶ 1 Bullet 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Storage volume. To ensure adequate storage, the amount of data to be backed up should determine the appropriate backup solution. (§ 5.1.2 ¶ 5 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))