last sync: 2024-Nov-01 18:49:23 UTC

Review the results of contingency plan testing | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Review the results of contingency plan testing
Id 5d3abfea-a130-1208-29c0-e57de80aa6b0
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1262 - Review the results of contingency plan testing
Additional metadata Name/Id: CMA_C1262 / CMA_C1262
Category: Operational
Title: Review the results of contingency plan testing
Ownership: Customer
Description: The customer is responsible for reviewing the results of contingency plan testing (see CP-04.a).
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 11 compliance controls are associated with this Policy definition 'Review the results of contingency plan testing' (5d3abfea-a130-1208-29c0-e57de80aa6b0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CP-4 FedRAMP_High_R4_CP-4 FedRAMP High CP-4 Contingency Planning Contingency Plan Testing Shared n/a The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed. Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84. link 3
FedRAMP_Moderate_R4 CP-4 FedRAMP_Moderate_R4_CP-4 FedRAMP Moderate CP-4 Contingency Planning Contingency Plan Testing Shared n/a The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed. Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84. link 3
ISO27001-2013 A.17.1.3 ISO27001-2013_A.17.1.3 ISO 27001:2013 A.17.1.3 Information Security Aspects Of Business Continuity Management Verify, review and evaluate information security continuity Shared n/a The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. link 3
mp.if.4 Electrical energy mp.if.4 Electrical energy 404 not found n/a n/a 8
NIST_SP_800-53_R4 CP-4 NIST_SP_800-53_R4_CP-4 NIST SP 800-53 Rev. 4 CP-4 Contingency Planning Contingency Plan Testing Shared n/a The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed. Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84. link 3
NIST_SP_800-53_R5 CP-4 NIST_SP_800-53_R5_CP-4 NIST SP 800-53 Rev. 5 CP-4 Contingency Planning Contingency Plan Testing Shared n/a a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. b. Review the contingency plan test results; and c. Initiate corrective actions, if needed. link 3
op.cont.1 Impact analysis op.cont.1 Impact analysis 404 not found n/a n/a 68
op.cont.2 Continuity plan op.cont.2 Continuity plan 404 not found n/a n/a 68
op.cont.3 Periodic tests op.cont.3 Periodic tests 404 not found n/a n/a 91
op.cont.4 Alternative means op.cont.4 Alternative means 404 not found n/a n/a 95
SOC_2 A1.3 SOC_2_A1.3 SOC 2 Type 2 A1.3 Additional Criteria For Availability Recovery plan testing Shared The customer is responsible for implementing this recommendation. • Implements Business Continuity Plan Testing — Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. • Tests Integrity and Completeness of Backup Data — The integrity and completeness of backup information is tested on a periodic basis 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 5d3abfea-a130-1208-29c0-e57de80aa6b0
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC