Back

Include coordination amongst entities in the business continuity policy.


CONTROL ID
14235
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity policy., CC ID: 12405

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Based on their BIAs, financial institutions should establish plans to ensure business continuity (business continuity plans, BCPs), which should be documented and approved by their management bodies. The plans should specifically consider risks that could adversely impact ICT systems and ICT service… (3.7.2 80, Final Report EBA Guidelines on ICT and security risk management)
  • documented procedures to guide their actions (see 8.4.4), including those for the activation, operation, coordination and communication of the response. (§ 8.4.2.4 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Activate multi-sectoral, multi-partner coordination mechanisms to support preparedness and response (Pillar 1 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Organizational incident response, business continuity, and disaster recovery plans and exercises incorporate its external dependencies and critical business partners. (DM.RS-2, CRI Profile, v1.2)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Coordinating plans and responses with external entities. (App A Objective 2:5k, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), FedRAMP Security Controls High Baseline, Version 5)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), FedRAMP Security Controls Low Baseline, Version 5)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • As information system contingency plans are developed during the Initiation phase of the SDLC, they should be coordinated with related organization-wide policies and programs, including information system security, physical security, human resources, system operations, and emergency preparedness fun… (§ 3.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • When recovering a complex system, such as a wide area network (WAN) or virtual local area network (VLAN) involving multiple independent components, recovery procedures should reflect system priorities identified in the BIA. The sequence of activities should reflect the system's MTD to avoid signific… (§ 4.3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The ISCP Coordinator should coordinate frequently with associated internal and external organizations and system POCs to ensure that impacts caused by changes within any organization will be reflected in the contingency plan. Strict version control must be maintained by requesting old plans or plan … (§ 3.6 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel should be chosen to staff these teams based on their skills and knowledge. Ideally, teams are staffed with personnel responsible for the same or similar functions under normal conditions. For example, server recovery team members should include the server administrators. Team members must … (§ 3.4.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., TX-RAMP Security Controls Baseline Level 2)