compliance controls are associated with this Policy definition 'Plan for resumption of essential business functions' (7ded6497-815d-6506-242b-e043e0273928)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CP-2(3) |
FedRAMP_High_R4_CP-2(3) |
FedRAMP High CP-2 (3) |
Contingency Planning |
Resume Essential Missions / Business Functions |
Shared |
n/a |
The organization plans for the resumption of essential missions and business functions within
[Assignment: organization-defined time period] of contingency plan activation.
Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions
to the information system and its supporting infrastructure. Related control: PE-12. |
link |
1 |
| FedRAMP_Moderate_R4 |
CP-2(3) |
FedRAMP_Moderate_R4_CP-2(3) |
FedRAMP Moderate CP-2 (3) |
Contingency Planning |
Resume Essential Missions / Business Functions |
Shared |
n/a |
The organization plans for the resumption of essential missions and business functions within
[Assignment: organization-defined time period] of contingency plan activation.
Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions
to the information system and its supporting infrastructure. Related control: PE-12. |
link |
1 |
| hipaa |
0824.09m3Organizational.1-09.m |
hipaa-0824.09m3Organizational.1-09.m |
0824.09m3Organizational.1-09.m |
08 Network Protection |
0824.09m3Organizational.1-09.m 09.06 Network Security Management |
Shared |
n/a |
The impact of the loss of network service to the business is defined. |
|
10 |
| hipaa |
1635.12b1Organizational.2-12.b |
hipaa-1635.12b1Organizational.2-12.b |
1635.12b1Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. |
|
6 |
| hipaa |
1637.12b2Organizational.2-12.b |
hipaa-1637.12b2Organizational.2-12.b |
1637.12b2Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. |
|
8 |
| hipaa |
1638.12b2Organizational.345-12.b |
hipaa-1638.12b2Organizational.345-12.b |
1638.12b2Organizational.345-12.b |
16 Business Continuity & Disaster Recovery |
1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business continuity risk assessments: (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and, (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. |
|
5 |
| hipaa |
1666.12d1Organizational.1235-12.d |
hipaa-1666.12d1Organizational.1235-12.d |
1666.12d1Organizational.1235-12.d |
16 Business Continuity & Disaster Recovery |
1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
The organization creates, at a minimum, one business continuity plan and ensures each plan: (i) has an owner; (ii) describes the approach for continuity, ensuring at a minimum the approach to maintain information or information asset availability and security; and, (iii) specifies the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan. |
|
4 |
| hipaa |
1669.12d1Organizational.8-12.d |
hipaa-1669.12d1Organizational.8-12.d |
1669.12d1Organizational.8-12.d |
16 Business Continuity & Disaster Recovery |
1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
The business continuity planning framework addresses a specific, minimal set of information security requirements. |
|
6 |
| ISO27001-2013 |
A.17.1.1 |
ISO27001-2013_A.17.1.1 |
ISO 27001:2013 A.17.1.1 |
Information Security Aspects Of Business Continuity Management |
Planning information security continuity |
Shared |
n/a |
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. |
link |
11 |
| ISO27001-2013 |
A.17.1.2 |
ISO27001-2013_A.17.1.2 |
ISO 27001:2013 A.17.1.2 |
Information Security Aspects Of Business Continuity Management |
Implementing information security continuity |
Shared |
n/a |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
link |
18 |
| ISO27001-2013 |
A.17.2.1 |
ISO27001-2013_A.17.2.1 |
ISO 27001:2013 A.17.2.1 |
Information Security Aspects Of Business Continuity Management |
Availability of information processing facilities |
Shared |
n/a |
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
link |
17 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.eq.4 Other devices connected to the network |
mp.eq.4 Other devices connected to the network |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
| NIST_SP_800-53_R4 |
CP-2(3) |
NIST_SP_800-53_R4_CP-2(3) |
NIST SP 800-53 Rev. 4 CP-2 (3) |
Contingency Planning |
Resume Essential Missions / Business Functions |
Shared |
n/a |
The organization plans for the resumption of essential missions and business functions within
[Assignment: organization-defined time period] of contingency plan activation.
Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions
to the information system and its supporting infrastructure. Related control: PE-12. |
link |
1 |
| NIST_SP_800-53_R5 |
CP-2(3) |
NIST_SP_800-53_R5_CP-2(3) |
NIST SP 800-53 Rev. 5 CP-2 (3) |
Contingency Planning |
Resume Mission and Business Functions |
Shared |
n/a |
Plan for the resumption of [Selection: all;essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
link |
1 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| SWIFT_CSCF_v2022 |
10.1 |
SWIFT_CSCF_v2022_10.1 |
SWIFT CSCF v2022 10.1 |
10. Be Ready in case of Major Disaster |
Business continuity is ensured through a documented plan communicated to the potentially affected
parties (service bureau and customers). |
Shared |
n/a |
Business continuity is ensured through a documented plan communicated to the potentially affected
parties (service bureau and customers). |
link |
5 |
| SWIFT_CSCF_v2022 |
8.1 |
SWIFT_CSCF_v2022_8.1 |
SWIFT CSCF v2022 8.1 |
8. Set and Monitor Performance |
Ensure availability by formally setting and monitoring the objectives to be achieved |
Shared |
n/a |
Ensure availability by formally setting and monitoring the objectives to be achieved |
link |
8 |