Include continuity plans in the Service Management program.


CONTROL ID
13919
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a service management program., CC ID: 11388

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Determine that the service provider has in place satisfactory business continuity plans ("BCP") that are commensurate with the nature, scope and complexity of the outsourcing arrangement. Outsourcing agreements should contain BCP requirements on the service provider, in particular, recovery time obj… (5.7.2 (a), Guidelines on Outsourcing)
  • identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that e… (4.15 107(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • Firms should also actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if these are not suitable long-term solutions, (eg contractual or escrow arrangements), allowing for continued use of a… (§ 10.16, SS2/21 Outsourcing and third party risk management, March 2021)
  • The purpose of the service continuity management practice is to ensure that the availability and performance of a service are maintained at sufficient levels in case of a disaster. The practice provides a framework for building organizational resilience with the capability of producing an effective … (5.2.12 ¶ 1, ITIL Foundation, 4 Edition)
  • change management policy, information security policy and service continuity plan(s); (§ 7.5.4 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Reliance of the CSO or user experience on Internet based capabilities such as the public DNS or content delivery networks. All such capabilities must be available via the CSO infrastructure and the connections to it via the DISN BCAPs. The CSO must be able to function if DoD limits access to or disc… (Section 5.1.7 ¶ 2 Bullet 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents (Incident Recovery Plan Execution (RC.RP), The NIST Cybersecurity Framework, v2.0)