Establish, implement, and maintain the continuity procedures.


CONTROL ID
14236
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

This Control has the following implementation support Control(s):
  • Disseminate and communicate the continuity procedures to interested personnel and affected parties., CC ID: 14055


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Preparedness for any disaster should also be established and maintained with reference to that of any failure. (P122.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Incident management and system recovery testing is performed on a periodic basis to make sure the entity continues to be able to identify, evaluate and respond to critical incidents. Testing includes: 1) the development and use of test scenarios based on the likelihood and magnitude of potential thr… (S7.5 Implements incident management and recovery testing, Privacy Management Framework, Updated March 1, 2020)
  • The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1. (§ 8.2 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • actions to implement the solutions; (§ 8.4.4.3 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions. (§ 8.4.1 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • continue or recover prioritized activities within predetermined time frames; (§ 8.4.4.2 a) 1), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery. (§ 8.4.4.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • documented procedures to guide their actions (see 8.4.4), including those for the activation, operation, coordination and communication of the response. (§ 8.4.2.4 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • evaluate the suitability, adequacy and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans and procedures; (§ 8.6 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • modification of procedures and controls to respond to internal or external issues that may impact the BCMS; (§ 9.3.3.1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Address personnel, processes, technology, and facility issues. (IV Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Appropriateness of resilience practices, including the adequacy of recovery infrastructure and backup processes. (IV.A Action Summary ¶ 3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Documentation of issues identified through exercises and tests, and action plans and target dates for resolution. (VII Action Summary ¶ 2 Bullet 10, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management continuously measures the progress and assesses the effectiveness of BCM and uses the information to improve the BCM process. (VIII, "Maintenance and Improvement") (App A Objective 11, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the board and senior management have engaged audit (or an independent review) to validate the design effectiveness of the business continuity program and whether controls are operating effectively. (App A Objective 3:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The reliability, adequacy, and effectiveness of continuity and resilience controls. (App A Objective 3:5b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Contingency planning procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. (CP-1b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Contingency planning procedures [FedRAMP Assignment: at least annually]. (CP-1b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Contingency planning procedures [FedRAMP Assignment: at least annually]. (CP-1b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (CP-1c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (CP-1c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (CP-1c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyberse… (§ 6.2.6 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Plans should be formatted to provide quick and clear directions in the event that personnel unfamiliar with the plan or the systems are called on to perform recovery operations. Plans should be clear, concise, and easy to implement in an emergency. Where possible, checklists and step-by-step procedu… (§ 4 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Contingency planning procedures [Assignment: organization-defined frequency]. (CP-1b.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Contingency planning procedures [TX-RAMP Assignment: at least annually]. (CP-1b.2., TX-RAMP Security Controls Baseline Level 1)
  • Contingency planning procedures [TX-RAMP Assignment: at least annually]. (CP-1b.2., TX-RAMP Security Controls Baseline Level 2)