AzPolicyAdvertizer

last sync: 2024-Jul-26 18:17:39 UTC

Test the business continuity and disaster recovery plan | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Test the business continuity and disaster recovery plan

58a51cde-008b-1a5d-61b5-d95849770677

Version

1.1.0
Details on versioning

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0509 - Test the business continuity and disaster recovery plan

Additional metadata

Name/Id: CMA_0509 / CMA_0509
Category: Operational
Title: Test the business continuity and disaster recovery plan
Ownership: Customer
Description: Microsoft recommends that your organization assesses the effectiveness of the Business Continuity Plan and Disaster Recovery Plan through testing (i.e., tabletop or simulated crisis exercises). We recommend tests that: - Are consistent with its business continuity objectives - Are based on appropriate scenarios that are well planned - Employ mechanisms to disrupt and adversely affect the system or system component - Develop teamwork, competence, confidence, and knowledge for those who have roles to perform in relation to disruptions - Validate business continuity strategies and solutions - Use a sample of backup information in the restoration of selected system functions - Include alternate facilities - Include utilities services - Produce formal post-exercise reports that contain outcomes, recommendations, and actions to implement improvements and those results are shared with key stakeholders - Are performed at planned intervals - Include automated mechanisms - Are coordinated with organizational elements responsible for related plans Microsoft recommends that your organization update the Business Continuity Plan and Disaster Recovery Plan based on the results of testing and initiate corrective actions if required. We recommend that your organization develop and adequately communicate the crisis plan to appropriate internal and external stakeholders. It is also suggested that your organization establish and communicate standard procedures for reporting possible information security incidents to a designated officer or organizational unit or appropriate law enforcement authorities. It is recommended that your organization notify law enforcement authorities about any situations involving criminal violations requiring immediate attention. Philippine's regulations require your organization to notify the National Privacy Commission of any incident involving unauthorized disclosure of sensitive personal information and to notify affected customers. It is recommended to consider the potential impact of evolving cyber events and incorporate this into your organization's business continuity planning, while instituting adequate cyber resilience capabilities. It is also suggested to consider cyber-related attacks and incidents in the business continuity management and recovery processes to achieve cyber resilience.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 9 compliance controls are associated with this Policy definition 'Test the business continuity and disaster recovery plan' (58a51cde-008b-1a5d-61b5-d95849770677)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
FedRAMP_High_R4	CP-4	FedRAMP_High_R4_CP-4	FedRAMP High CP-4	Contingency Planning	Contingency Plan Testing	Shared	n/a	The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed. Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84.	link	3
FedRAMP_Moderate_R4	CP-4	FedRAMP_Moderate_R4_CP-4	FedRAMP Moderate CP-4	Contingency Planning	Contingency Plan Testing	Shared	n/a	The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed. Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84.	link	3
hipaa	1601.12c1Organizational.1238-12.c	hipaa-1601.12c1Organizational.1238-12.c	1601.12c1Organizational.1238-12.c	16 Business Continuity & Disaster Recovery	1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management	Shared	n/a	The organization can recover and restore business operations and establish an availability of information in the time frame required by the business objectives and without a deterioration of the security measures.		3
hipaa	1669.12d1Organizational.8-12.d	hipaa-1669.12d1Organizational.8-12.d	1669.12d1Organizational.8-12.d	16 Business Continuity & Disaster Recovery	1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management	Shared	n/a	The business continuity planning framework addresses a specific, minimal set of information security requirements.		6
ISO27001-2013	A.17.1.3	ISO27001-2013_A.17.1.3	ISO 27001:2013 A.17.1.3	Information Security Aspects Of Business Continuity Management	Verify, review and evaluate information security continuity	Shared	n/a	The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.	link	3
	mp.if.4 Electrical energy	mp.if.4 Electrical energy	404 not found				n/a	n/a		8
NIST_SP_800-53_R4	CP-4	NIST_SP_800-53_R4_CP-4	NIST SP 800-53 Rev. 4 CP-4	Contingency Planning	Contingency Plan Testing	Shared	n/a	The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed. Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84.	link	3
NIST_SP_800-53_R5	CP-4	NIST_SP_800-53_R5_CP-4	NIST SP 800-53 Rev. 5 CP-4	Contingency Planning	Contingency Plan Testing	Shared	n/a	a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. b. Review the contingency plan test results; and c. Initiate corrective actions, if needed.	link	3
SOC_2	A1.3	SOC_2_A1.3	SOC 2 Type 2 A1.3	Additional Criteria For Availability	Recovery plan testing	Shared	The customer is responsible for implementing this recommendation.	• Implements Business Continuity Plan Testing — Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. • Tests Integrity and Completeness of Backup Data — The integrity and completeness of backup information is tested on a periodic basis		4

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
FedRAMP High	d5264498-16f4-418a-b659-fa7ef418175f	Regulatory Compliance	GA	BuiltIn
FedRAMP Moderate	e95f5a9f-57ad-4d03-bb0b-b1d16db93693	Regulatory Compliance	GA	BuiltIn
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA	BuiltIn
ISO 27001:2013	89c6cddc-1c73-4ac1-b19c-54d1a15a42f2	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 4	cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 5	179d1daa-458f-4e47-8086-2a68d0d6c38f	Regulatory Compliance	GA	BuiltIn
SOC 2 Type 2	4054785f-702b-4a98-9215-009cbd58b141	Regulatory Compliance	GA	BuiltIn
Spain ENS	175daf90-21e1-4fec-b745-7b4c909aa94c	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29	add	58a51cde-008b-1a5d-61b5-d95849770677

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC