Involve senior management, as necessary, when testing the continuity plan.


CONTROL ID
13793
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Test the continuity plan, as necessary. (CC ID: 00755)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Depending on the exercise objectives, the FI should involve relevant stakeholders, including senior management, business functions, corporate communications, crisis management team, service providers, and technical staff responsible for cyber threat detection, response and recovery. (§ 13.3.2, Technology Risk Management Guidelines, January 2021)
  • management body and senior management are appropriately involved in (e.g. as part of crisis management teams) and are informed of test results. (Title 3 3.3.4(a) 54.c(iii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The organization's governing body (e.g., the Board or one of its committees) is involved in testing as part of a crisis management team and is informed of test results. (PR.IP-10.3, CRI Profile, v1.2)
  • The organization's governing body (e.g., the Board or one of its committees) is involved in testing as part of a crisis management team and is informed of test results. (PR.IP-10.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Authorities and control over exercises and tests. (VII Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Validating management response and decision-making capability. (App A Objective 10:17c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • For moderate-impact systems, a functional exercise at an organization-defined frequency should be conducted. The functional exercise should include all ISCP points of contact and be facilitated by the system owner or responsible authority. Exercise procedures should be developed to include an elemen… (§ 3.5.4 ¶ 2 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • For most systems, a management team is necessary for providing overall guidance following a major system disruption or emergency. The team is responsible for activating the contingency plan and supervising the execution of contingency operations. The management team also facilitates communications a… (§ 3.4.6 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • For low-impact systems, a tabletop exercise at an organization-defined frequency is sufficient. The tabletop should simulate a disruption, include all main ISCP points of contact, and be conducted by the system owner or responsible authority. (§ 3.5.4 ¶ 2 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))