Include test scenarios in the continuity test plan.


CONTROL ID
13506
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity test plan., CC ID: 04896

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Story lines (III. Bullet 2 Sub-bullet 1, Hong Kong Monetary Authority The Cyber Resilience Assessment Framework, Cybersecurity Summit 2016)
  • various plausible disruption scenarios, including full and partial incapacitation of the primary or production site and major system failures; and (§ 8.3.3(a), Technology Risk Management Guidelines, January 2021)
  • The FI could also design the exercise scenario by using threat intelligence that is relevant to their IT environment to identify threat actors who are most likely to pose a threat to the FI; and identify the tactics, techniques and procedures most likely to be used in such attacks. (§ 13.5.2, Technology Risk Management Guidelines, January 2021)
  • A disaster recovery test plan should include the test objectives and scope, test scenarios, test scripts with details of the activities to be performed during and after testing, system recovery procedures, and the criteria for measuring the success of the test. (§ 8.3.2, Technology Risk Management Guidelines, January 2021)
  • Simulated failures of the supply of computing centres are integrated into the drills (see BCM-03). (Section 5.14 BCM-05 Description of additional requirements (availability)¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans on a risk-based approach. Where possible and relevant, this testing should align to, support, or even be a component of firms' scenario testing under Operational Resilience – CRR Firms … (§ 10.19, SS2/21 Outsourcing and third party risk management, March 2021)
  • Incident management and system recovery testing is performed on a periodic basis to make sure the entity continues to be able to identify, evaluate and respond to critical incidents. Testing includes: 1) the development and use of test scenarios based on the likelihood and magnitude of potential thr… (S7.5 Implements incident management and recovery testing, Privacy Management Framework, Updated March 1, 2020)
  • The entity periodically tests the effectiveness of its business continuity and resiliency plans, procedures and capabilities to make sure that they continue to protect the entity from the adverse effects of unplanned system outages or damages that render systems and information assets unavailable or… (S7.5 Implements business continuity plan testing, Privacy Management Framework, Updated March 1, 2020)
  • are based on appropriate scenarios that are well planned with clearly defined aims and objectives; (§ 8.5 ¶ 2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Business continuity plan testing is performed on a periodic basis to test the entity's ability to respond to, recover from, and resume operations through significant disruptions. Testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of syst… (A1.3 ¶ 2 Bullet 1 Implements Business Continuity Plan Testing, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 ¶ 2 Bullet 6 Implements Incident-Recovery Plan Testing, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 Implements Incident Recovery Plan Testing, Trust Services Criteria)
  • Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the po… (CC7.5 ¶ 2 Bullet 6 Implements Incident-Recovery Plan Testing, Trust Services Criteria, (includes March 2020 updates))
  • Exercise and test scenarios, including exercise and test assumptions, objectives, expectations, and assessment metrics. (VII Action Summary ¶ 2 Bullet 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Create scenarios that include only the data and systems that would be available for recovery. (App A Objective 10:13d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Develop scenarios that include threats that could affect third-party service providers, including communication processes with applicable stakeholders. (App A Objective 10:13b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Identify and document assumptions used in developing each scenario. (App A Objective 10:13a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management developed reasonably foreseeable threat scenarios that simulate disruptions in business functions and the ability to meet both business requirements and customer expectations. Management should: (App A Objective 10:13, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Escalation procedures and the ability to adjust for simulated scenarios. (App A Objective 10:12h, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implementing a plan appropriate to the scenario. (App A Objective 10:17a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management established exercise and test plans, commensurate with the nature, scale, and complexity of the recovery objectives that address the objectives and expectations of the exercise or test and outline the scenario and any assumptions or constraints that may exist. Verify whe… (App A Objective 10:12, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Whether other organizations are also affected, causing effects that have the potential to cascade from one organization across to the entire financial services sector. (App A Objective 10:25c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • In this step, the system is analyzed in its operational context from two perspectives. First, a mission or business function perspective is applied to identify critical resources (i.e., those resources for which damage or destruction would severely impact operations) and sources of system fragility.… (3.2.3 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • To derive the most value from the test, the ISCP Coordinator should develop a test plan designed to examine the selected element(s) against explicit test objectives and success criteria. The use of test objectives and success criteria enable the effectiveness of each system element and the overall p… (§ 3.5.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))