CMA_C1263 - Initiate contingency plan testing corrective actions
Additional metadata
Name/Id: CMA_C1263 / CMA_C1263
Category: Operational
Title: Initiate contingency plan testing corrective actions
Ownership: Customer
Description: The customer is responsible for initiating corrective action regarding contingency plan testing.
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default Manual; Allowed Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 6 compliance controls are associated with this Policy definition 'Initiate contingency plan testing corrective actions' (8bfdbaa6-6824-3fec-9b06-7961bf7389a6)
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.
References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84.
Information Security Aspects Of Business Continuity Management
Verify, review and evaluate information security continuity
Shared
n/a
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
b. Review the contingency plan test results; and
c. Initiate corrective actions, if needed.
The customer is responsible for implementing this recommendation.
• Implements Business Continuity Plan Testing — Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.
• Tests Integrity and Completeness of Backup Data — The integrity and completeness of backup information is tested on a periodic basis.