| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| AU_ISM |
1511 |
AU_ISM_1511 |
AU ISM 1511 |
Guidelines for System Management - Data backup and restoration |
Performing backups - 1511 |
|
n/a |
Backups of important data, software and configuration settings are performed at least daily. |
link |
1 |
| CCCS |
CP-7 |
CCCS_CP-7 |
CCCS CP-7 |
Contingency Planning |
Alternative Processing Site |
|
n/a |
(A) The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
(B) The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.
(C) The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
link |
1 |
| CMMC_L3 |
RE.2.137 |
CMMC_L3_RE.2.137 |
CMMC L3 RE.2.137 |
Recovery |
Regularly perform and test data back-ups. |
Customer |
The customer is responsible for implementing this requirement. |
Backups are used to recover data in the event of a hardware or software failure. Backups should be performed and tested regularly based on an organizational defined frequency. |
link |
6 |
| CMMC_L3 |
RE.3.139 |
CMMC_L3_RE.3.139 |
CMMC L3 RE.3.139 |
Recovery |
Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. |
Customer |
The customer is responsible for implementing this requirement. |
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: 10.1 Ensure that all system data is automatically backed up on a regular basis. 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. |
link |
6 |
| FedRAMP_High_R4 |
CP-7 |
FedRAMP_High_R4_CP-7 |
FedRAMP High CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.
References: NIST Special Publication 800-34. |
link |
2 |
| FedRAMP_Moderate_R4 |
CP-7 |
FedRAMP_Moderate_R4_CP-7 |
FedRAMP Moderate CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.
References: NIST Special Publication 800-34. |
link |
2 |
| hipaa |
1634.12b1Organizational.1-12.b |
hipaa-1634.12b1Organizational.1-12.b |
1634.12b1Organizational.1-12.b |
16 Business Continuity & Disaster Recovery |
1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
The organization identifies the critical business processes requiring business continuity. |
|
5 |
| hipaa |
1638.12b2Organizational.345-12.b |
hipaa-1638.12b2Organizational.345-12.b |
1638.12b2Organizational.345-12.b |
16 Business Continuity & Disaster Recovery |
1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business continuity risk assessments: (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and, (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. |
|
5 |
| IRS_1075_9.3 |
.6.6 |
IRS_1075_9.3.6.6 |
IRS 1075 9.3.6.6 |
Contingency Planning |
Alternate Processing Site (CP-7) |
|
n/a |
The agency must:
a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of information system operations, in accordance with the agency's contingency plan when the primary processing capabilities are unavailable
b. Ensure that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the agency-defined time period for transfer/resumption
c. Ensure that the alternate storage site provides information security safeguards that meet the minimum protection standards and the disclosure provisions of IRC 6103 |
link |
1 |
| NIST_SP_800-53_R4 |
CP-7 |
NIST_SP_800-53_R4_CP-7 |
NIST SP 800-53 Rev. 4 CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.
References: NIST Special Publication 800-34. |
link |
2 |
| NIST_SP_800-53_R5 |
CP-7 |
NIST_SP_800-53_R5_CP-7 |
NIST SP 800-53 Rev. 5 CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
c. Provide controls at the alternate processing site that are equivalent to those at the primary site. |
link |
2 |
| NZ_ISM_v3.5 |
ISM-7 |
NZ_ISM_v3.5_ISM-7 |
NZISM Security Benchmark ISM-7 |
Information security monitoring |
6.4.5 Availability requirements |
Customer |
n/a |
Availability and recovery requirements will vary based on each agency???s business needs and are likely to be widely variable across government. Agencies will determine their own availability and recovery requirements and implement measures consistent with the agency's SRMP to achieve them as part of their risk management and governance processes. |
link |
1 |
| NZISM_Security_Benchmark_v1.1 |
ISM-7 |
NZISM_Security_Benchmark_v1.1_ISM-7 |
NZISM Security Benchmark ISM-7 |
Information security monitoring |
6.4.5 Availability requirements |
Customer |
Agencies MUST determine availability and recovery requirements for their systems and implement measures consistent with the agency's SRMP to support them. |
Availability and recovery requirements will vary based on each agency’s business needs and are likely to be widely variable across government. Agencies will determine their own availability and recovery requirements and implement measures consistent with the agency's SRMP to achieve them as part of their risk management and governance processes. |
link |
1 |
| RBI_CSF_Banks_v2016 |
19.4 |
RBI_CSF_Banks_v2016_19.4 |
|
Incident Response & Management |
Recovery From Cyber - Incidents-19.4 |
|
n/a |
Bank???s BCP/DR capabilities shall adequately and effectively support the Bank???s
cyber resilience objectives and should be so designed to enable the bank to recover
rapidly from cyber-attacks/other incidents and safely resume critical operations
aligned with recovery time objectives while ensuring security of processes and data
is protected. |
|
2 |
| RBI_ITF_NBFC_v2017 |
6 |
RBI_ITF_NBFC_v2017_6 |
RBI IT Framework 6 |
Business Continuity Planning |
Business Continuity Planning (BCP) and Disaster Recovery-6 |
|
n/a |
BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features |
link |
9 |
| RBI_ITF_NBFC_v2017 |
6.2 |
RBI_ITF_NBFC_v2017_6.2 |
RBI IT Framework 6.2 |
Business Continuity Planning |
Recovery strategy / Contingency Plan-6.2 |
|
n/a |
NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster. |
link |
8 |
| RBI_ITF_NBFC_v2017 |
6.4 |
RBI_ITF_NBFC_v2017_6.4 |
RBI IT Framework 6.4 |
Business Continuity Planning |
Recovery strategy / Contingency Plan-6.4 |
|
n/a |
NBFCs shall test the BCP either annually or when significant IT or business changes take place to determine if the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan. The test should be based on ???worst case scenarios???. The results along with the gap analysis may be placed before the CIO and the Board. The GAP Analysis along with Board???s insight should form the basis for construction of the updated BCP. |
link |
4 |
| RMiT_v1.0 |
10.51 |
RMiT_v1.0_10.51 |
RMiT 10.51 |
Cloud Services |
Cloud Services - 10.51 |
Shared |
n/a |
A financial institution is required to consult the Bank prior to the use of public cloud for critical systems. The financial institution is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in paragraph 10.49 as well as the following areas:
(a) the adequacy of the overarching cloud adoption strategy of the financial institution including:
(i) board oversight over cloud strategy and cloud operational management;
(ii) senior management roles and responsibilities on cloud management;
(iii) conduct of day-to-day operational management functions;
(iv) management and oversight by the financial institution of cloud service providers;
(v) quality of risk management and internal control functions; and
(vi) strength of in-house competency and experience;
(b) the availability of independent, internationally recognised certifications of the cloud service providers, at a minimum, in the following areas:
(i) information security management framework, including cryptographic modules such as used for encryption and decryption of user data; and
(ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit; and
(c) the degree to which the selected cloud configuration adequately addresses the following attributes:
(i) geographical redundancy;
(ii) high availability;
(iii) scalability;
(iv) portability;
(v) interoperability; and
(vi) strong recovery and resumption capability including appropriate alternate Internet path to protect against potential Internet faults. |
link |
7 |
| SWIFT_CSCF_v2021 |
2.5A |
SWIFT_CSCF_v2021_2.5A |
SWIFT CSCF v2021 2.5A |
Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
|
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
12 |
| SWIFT_CSCF_v2021 |
6.4 |
SWIFT_CSCF_v2021_6.4 |
SWIFT CSCF v2021 6.4 |
Detect Anomalous Activity to Systems or Transaction Records |
Logging and Monitoring |
|
n/a |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
link |
34 |
| SWIFT_CSCF_v2022 |
2.5A |
SWIFT_CSCF_v2022_2.5A |
SWIFT CSCF v2022 2.5A |
2. Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
Customer |
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
7 |
| SWIFT_CSCF_v2022 |
6.4 |
SWIFT_CSCF_v2022_6.4 |
SWIFT CSCF v2022 6.4 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
Shared |
n/a |
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. |
link |
52 |
| UK_NCSC_CSP |
5.3 |
UK_NCSC_CSP_5.3 |
UK NCSC CSP 5.3 |
Operational security |
Protective Monitoring |
Shared |
n/a |
A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data. |
link |
4 |