compliance controls are associated with this Policy definition 'Establish alternate storage site to store and retrieve backup information' (0a412110-3874-9f22-187a-c7a81c8a6704)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
AU_9(2) |
Canada_Federal_PBMM_3-1-2020_AU_9(2) |
Canada Federal PBMM 3-1-2020 AU 9(2) |
Protection of Audit Information |
Protection of Audit Information | Audit Backup on Separate Physical Systems / Components |
Shared |
The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited. |
To ensure redundancy and resilience of audit data against potential system failures or compromises. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CM_2(3) |
Canada_Federal_PBMM_3-1-2020_CM_2(3) |
Canada Federal PBMM 3-1-2020 CM 2(3) |
Baseline Configuration |
Baseline Configuration | Retention of Previous Configurations |
Shared |
The organization retains the two most recent precious versions of baseline configurations of the information system to support rollback. |
To mitigate risks and minimize disruptions to system functionality and operational continuity. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CM_8 |
Canada_Federal_PBMM_3-1-2020_CM_8 |
Canada Federal PBMM 3-1-2020 CM 8 |
Information System Component Inventory |
Information System Component Inventory |
Shared |
1. The organization develops and documents an inventory of information system components that accurately reflects the current information system.
2. The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system.
3. The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
4. The organization develops and documents an inventory of information system components that includes unique asset identifier, NetBIOS name, baseline configuration name, OS Name, OS Version, system owner information.
5. The organization reviews and updates the information system component inventory at least monthly. |
To enable efficient decision-making and risk mitigation strategies. |
|
12 |
| Canada_Federal_PBMM_3-1-2020 |
CP_10 |
Canada_Federal_PBMM_3-1-2020_CP_10 |
Canada Federal PBMM 3-1-2020 CP 10 |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution |
Shared |
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. |
To ensure the restoration of normal operations following a disruption, compromise, or failure, maintaining continuity of essential missions and business functions. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_6 |
Canada_Federal_PBMM_3-1-2020_CP_6 |
Canada Federal PBMM 3-1-2020 CP 6 |
Alternate Storage Site |
Alternate Storage Site |
Shared |
1. The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information.
2. The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. |
To ensure ensuring security measures match those of the primary site. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_6(1) |
Canada_Federal_PBMM_3-1-2020_CP_6(1) |
Canada Federal PBMM 3-1-2020 CP 6(1) |
Alternate Storage Site |
Alternate Storage Site | Separation from Primary Site |
Shared |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_6(3) |
Canada_Federal_PBMM_3-1-2020_CP_6(3) |
Canada Federal PBMM 3-1-2020 CP 6(3) |
Alternate Storage Site |
Alternate Storage Site | Accessibility |
Shared |
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_7 |
Canada_Federal_PBMM_3-1-2020_CP_7 |
Canada Federal PBMM 3-1-2020 CP 7 |
Alternate Processing Site |
Alternative Processing Site |
Shared |
1. The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
2. The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.
3. The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_7(1) |
Canada_Federal_PBMM_3-1-2020_CP_7(1) |
Canada Federal PBMM 3-1-2020 CP 7(1) |
Alternate Processing Site |
Alternative Processing Site | Separation from Primary Site |
Shared |
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_7(3) |
Canada_Federal_PBMM_3-1-2020_CP_7(3) |
Canada Federal PBMM 3-1-2020 CP 7(3) |
Alternate Processing Site |
Alternative Processing Site | Priority of Service |
Shared |
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). |
To minimize downtime and maintain operational continuity. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_9 |
Canada_Federal_PBMM_3-1-2020_CP_9 |
Canada Federal PBMM 3-1-2020 CP 9 |
Information System Backup |
Information System Backup |
Shared |
1. The organization conducts backups of user-level information contained in the information system daily incremental; weekly full.
2. The organization conducts backups of system-level information contained in the information system daily incremental; weekly full.
3. The organization conducts backups of information system documentation including security-related documentation daily incremental; weekly full.
4. The organization protects the confidentiality, integrity, and availability of backup information at storage locations.
AA. The organization determines retention periods for essential business information and archived backups. |
To ensure the confidentiality, integrity, and availability of backup data at storage locations. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_9(1) |
Canada_Federal_PBMM_3-1-2020_CP_9(1) |
Canada Federal PBMM 3-1-2020 CP 9(1) |
Information System Backup |
Information System Backup | Testing for Reliability / Integrity |
Shared |
The organization tests backup information at least annually to verify media reliability and information integrity. |
To ensure the reliability of media and the integrity of information. |
|
3 |
| Canada_Federal_PBMM_3-1-2020 |
CP_9(2) |
Canada_Federal_PBMM_3-1-2020_CP_9(2) |
Canada Federal PBMM 3-1-2020 CP 9(2) |
Information System Backup |
Information System Backup | Test Restoration using Sampling |
Shared |
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. |
To ensure the reliability and effectiveness of the backup process in real-world scenarios. |
|
3 |
| Canada_Federal_PBMM_3-1-2020 |
CP_9(3) |
Canada_Federal_PBMM_3-1-2020_CP_9(3) |
Canada Federal PBMM 3-1-2020 CP 9(3) |
Information System Backup |
Information System Backup | Separate Storage for Critical Information |
Shared |
The organization stores backup copies of all operating system and critical software code in a separate facility or in a fire-rated container that is not collocated with the operational system. |
To ensure essential components remain protected from potential damage or loss in the event of a disaster affecting the operational system. |
|
3 |
| Canada_Federal_PBMM_3-1-2020 |
CP_9(5) |
Canada_Federal_PBMM_3-1-2020_CP_9(5) |
Canada Federal PBMM 3-1-2020 CP 9(5) |
Information System Backup |
Information System Backup | Transfer to Alternate Storage Site |
Shared |
The organization transfers information system backup information to the alternate storage site at organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives. |
To facilitate timely restoration of critical systems and data in the event of a disruption. |
|
3 |
| Canada_Federal_PBMM_3-1-2020 |
SI_16 |
Canada_Federal_PBMM_3-1-2020_SI_16 |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_9 |
EU_2555_(NIS2)_2022_9 |
EU 2022/2555 (NIS2) 2022 9 |
|
National cyber crisis management frameworks |
Shared |
n/a |
Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. |
|
14 |
| FedRAMP_High_R4 |
CP-6 |
FedRAMP_High_R4_CP-6 |
FedRAMP High CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| FedRAMP_Moderate_R4 |
CP-6 |
FedRAMP_Moderate_R4_CP-6 |
FedRAMP Moderate CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| hipaa |
0947.09y2Organizational.2-09.y |
hipaa-0947.09y2Organizational.2-09.y |
0947.09y2Organizational.2-09.y |
09 Transmission Protection |
0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. |
|
11 |
| hipaa |
1604.12c2Organizational.16789-12.c |
hipaa-1604.12c2Organizational.16789-12.c |
1604.12c2Organizational.16789-12.c |
16 Business Continuity & Disaster Recovery |
1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Alternative storage and processing sites are identified (permanent and/or temporary) at a sufficient distance from the primary facility and configured with security measures equivalent to the primary site, and the necessary third-party service agreements have been established to allow for the resumption of information systems operations of critical business functions within the time period defined (e.g., priority of service provisions) based on a risk assessment, including Recovery Time Objectives (RTO), in accordance with the organization's availability requirements. |
|
6 |
| hipaa |
1618.09l1Organizational.45-09.l |
hipaa-1618.09l1Organizational.45-09.l |
1618.09l1Organizational.45-09.l |
16 Business Continuity & Disaster Recovery |
1618.09l1Organizational.45-09.l 09.05 Information Back-Up |
Shared |
n/a |
The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. |
|
7 |
| hipaa |
1668.12d1Organizational.67-12.d |
hipaa-1668.12d1Organizational.67-12.d |
1668.12d1Organizational.67-12.d |
16 Business Continuity & Disaster Recovery |
1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Emergency procedures, manual "fallback" procedures, and resumption plans are the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers. |
|
4 |
| HITRUST_CSF_v11.3 |
09.l |
HITRUST_CSF_v11.3_09.l |
HITRUST CSF v11.3 09.l |
Information Back-Up |
To ensure the maintenance, integrity, and availability of organizational information. |
Shared |
1. Restoration procedures are to be tested regularly at appropriate intervals in accordance with an agreed-upon backup policy.
2. Inventory records for the backup copies are to be maintained, and is to include the content of the backup copies, and the current location of the backup copies.
3. Full backups are to be performed weekly to separate media and incremental.
4. Differential backups are to be performed daily to separate media. |
Back-up copies of information and software shall be taken and tested regularly. |
|
7 |
| ISO27001-2013 |
A.11.1.4 |
ISO27001-2013_A.11.1.4 |
ISO 27001:2013 A.11.1.4 |
Physical And Environmental Security |
Protecting against external and environmental threats |
Shared |
n/a |
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
link |
9 |
| ISO27001-2013 |
A.17.1.2 |
ISO27001-2013_A.17.1.2 |
ISO 27001:2013 A.17.1.2 |
Information Security Aspects Of Business Continuity Management |
Implementing information security continuity |
Shared |
n/a |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
link |
18 |
| ISO27001-2013 |
A.17.2.1 |
ISO27001-2013_A.17.2.1 |
ISO 27001:2013 A.17.2.1 |
Information Security Aspects Of Business Continuity Management |
Availability of information processing facilities |
Shared |
n/a |
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
link |
17 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.eq.4 Other devices connected to the network |
mp.eq.4 Other devices connected to the network |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
mp.if.1 Separate areas with access control |
mp.if.1 Separate areas with access control |
404 not found |
|
|
|
n/a |
n/a |
|
23 |
|
mp.if.3 Fitting-out of premises |
mp.if.3 Fitting-out of premises |
404 not found |
|
|
|
n/a |
n/a |
|
18 |
|
mp.if.5 Fire protection |
mp.if.5 Fire protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
|
mp.if.6 Flood protection |
mp.if.6 Flood protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
| NIST_SP_800-53_R4 |
CP-6 |
NIST_SP_800-53_R4_CP-6 |
NIST SP 800-53 Rev. 4 CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| NIST_SP_800-53_R5.1.1 |
CP.9.5 |
NIST_SP_800-53_R5.1.1_CP.9.5 |
NIST SP 800-53 R5.1.1 CP.9.5 |
Contingency Planning Control |
System Backup | Transfer to Alternate Storage Site |
Shared |
Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. |
System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media. |
|
4 |
| NIST_SP_800-53_R5.1.1 |
CP.9.6 |
NIST_SP_800-53_R5.1.1_CP.9.6 |
NIST SP 800-53 R5.1.1 CP.9.6 |
Contingency Planning Control |
System Backup | Redundant Secondary System |
Shared |
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. |
The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors the primary system, including the replication of information. If this type of redundancy is in place and there is sufficient geographic separation between the two systems, the secondary system can also serve as the alternate processing site. |
|
4 |
| NIST_SP_800-53_R5 |
CP-6 |
NIST_SP_800-53_R5_CP-6 |
NIST SP 800-53 Rev. 5 CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. |
link |
7 |
| NZISM_v3.7 |
19.1.20.C.01. |
NZISM_v3.7_19.1.20.C.01. |
NZISM v3.7 19.1.20.C.01. |
Gateways |
19.1.20.C.01. - To reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST authenticate system users to all classified networks accessed through gateways. |
|
24 |
| NZISM_v3.7 |
19.1.20.C.02. |
NZISM_v3.7_19.1.20.C.02. |
NZISM v3.7 19.1.20.C.02. |
Gateways |
19.1.20.C.02. - To reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST ensure that only authenticated and authorised system users can use the gateway. |
|
15 |
| NZISM_v3.7 |
19.1.20.C.03. |
NZISM_v3.7_19.1.20.C.03. |
NZISM v3.7 19.1.20.C.03. |
Gateways |
19.1.20.C.03. - To reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD use multi-factor authentication for access to networks and gateways. |
|
9 |
|
op.cont.3 Periodic tests |
op.cont.3 Periodic tests |
404 not found |
|
|
|
n/a |
n/a |
|
91 |
|
op.cont.4 Alternative means |
op.cont.4 Alternative means |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
|
op.exp.3 Security configuration management |
op.exp.3 Security configuration management |
404 not found |
|
|
|
n/a |
n/a |
|
123 |
| Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
219 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
230 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
214 |
| SWIFT_CSCF_v2022 |
9.2 |
SWIFT_CSCF_v2022_9.2 |
SWIFT CSCF v2022 9.2 |
9. Ensure Availability through Resilience |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
Shared |
n/a |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
link |
13 |