last sync: 2023-Dec-04 18:38:36 UTC

Azure Policy definition

Develop contingency plan | Regulatory Compliance - Operational

Source Azure Portal
Display name Develop contingency plan
Id aa305b4d-8c84-1754-0c74-dec004e66be0
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1244 - Develop contingency plan
Additional metadata Name/Id: CMA_C1244 / CMA_C1244
Category: Operational
Title: Develop contingency plan
Ownership: Customer
Description: The customer is responsible for developing a contingency plan for customer-deployed resources, including essential mission and business functions and associated contingency requirements; recovery objectives, restoration priorities and metrics; contact information for assigned roles/responsibilities/individuals; maintaining essential mission and business functions despite system disruption, compromise or failure; eventual, full system restoration without deterioration of originally implemented security safeguards; and review/approval of the plan by customer-defined personnel/roles. Note: the customer should also include any reliance on Microsoft Azure functionality to perform these tasks.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 28 compliance controls are associated with this Policy definition 'Develop contingency plan' (aa305b4d-8c84-1754-0c74-dec004e66be0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CP-2 FedRAMP_High_R4_CP-2 FedRAMP High CP-2 Contingency Planning Contingency Plan Shared n/a The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification. Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. References: Federal Continuity Directive 1; NIST Special Publication 800-34. link 8
FedRAMP_Moderate_R4 CP-2 FedRAMP_Moderate_R4_CP-2 FedRAMP Moderate CP-2 Contingency Planning Contingency Plan Shared n/a The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification. Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. References: Federal Continuity Directive 1; NIST Special Publication 800-34. link 8
hipaa 1562.11d2Organizational.2-11.d hipaa-1562.11d2Organizational.2-11.d 1562.11d2Organizational.2-11.d 15 Incident Management 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization coordinates incident handling activities with contingency planning activities. 12
hipaa 1601.12c1Organizational.1238-12.c hipaa-1601.12c1Organizational.1238-12.c 1601.12c1Organizational.1238-12.c 16 Business Continuity & Disaster Recovery 1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management Shared n/a The organization can recover and restore business operations and establish an availability of information in the time frame required by the business objectives and without a deterioration of the security measures. 3
hipaa 1602.12c1Organizational.4567-12.c hipaa-1602.12c1Organizational.4567-12.c 1602.12c1Organizational.4567-12.c 16 Business Continuity & Disaster Recovery 1602.12c1Organizational.4567-12.c 12.01 Information Security Aspects of Business Continuity Management Shared n/a The contingency program addresses required capacity, identifies critical missions and business functions, defines recovery objectives and priorities, and identifies roles and responsibilities. 3
hipaa 1607.12c2Organizational.4-12.c hipaa-1607.12c2Organizational.4-12.c 1607.12c2Organizational.4-12.c 16 Business Continuity & Disaster Recovery 1607.12c2Organizational.4-12.c 12.01 Information Security Aspects of Business Continuity Management Shared n/a Business continuity planning includes identification and agreement on all responsibilities, business continuity processes, and the acceptable loss of information and services. 2
hipaa 1617.09l1Organizational.23-09.l hipaa-1617.09l1Organizational.23-09.l 1617.09l1Organizational.23-09.l 16 Business Continuity & Disaster Recovery 1617.09l1Organizational.23-09.l 09.05 Information Back-Up Shared n/a A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements. 3
hipaa 1634.12b1Organizational.1-12.b hipaa-1634.12b1Organizational.1-12.b 1634.12b1Organizational.1-12.b 16 Business Continuity & Disaster Recovery 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a The organization identifies the critical business processes requiring business continuity. 5
hipaa 1635.12b1Organizational.2-12.b hipaa-1635.12b1Organizational.2-12.b 1635.12b1Organizational.2-12.b 16 Business Continuity & Disaster Recovery 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. 6
hipaa 1636.12b2Organizational.1-12.b hipaa-1636.12b2Organizational.1-12.b 1636.12b2Organizational.1-12.b 16 Business Continuity & Disaster Recovery 1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a The organization identifies its critical business processes and integrates the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities. 3
hipaa 1637.12b2Organizational.2-12.b hipaa-1637.12b2Organizational.2-12.b 1637.12b2Organizational.2-12.b 16 Business Continuity & Disaster Recovery 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. 8
hipaa 1638.12b2Organizational.345-12.b hipaa-1638.12b2Organizational.345-12.b 1638.12b2Organizational.345-12.b 16 Business Continuity & Disaster Recovery 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a Business continuity risk assessments: (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and, (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. 5
hipaa 1666.12d1Organizational.1235-12.d hipaa-1666.12d1Organizational.1235-12.d 1666.12d1Organizational.1235-12.d 16 Business Continuity & Disaster Recovery 1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a The organization creates, at a minimum, one business continuity plan and ensures each plan: (i) has an owner; (ii) describes the approach for continuity, ensuring at a minimum the approach to maintain information or information asset availability and security; and, (iii) specifies the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan. 4
hipaa 1668.12d1Organizational.67-12.d hipaa-1668.12d1Organizational.67-12.d 1668.12d1Organizational.67-12.d 16 Business Continuity & Disaster Recovery 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a Emergency procedures, manual "fallback" procedures, and resumption plans are the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers. 4
hipaa 1669.12d1Organizational.8-12.d hipaa-1669.12d1Organizational.8-12.d 1669.12d1Organizational.8-12.d 16 Business Continuity & Disaster Recovery 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a The business continuity planning framework addresses a specific, minimal set of information security requirements. 6
hipaa 1670.12d2Organizational.1-12.d hipaa-1670.12d2Organizational.1-12.d 1670.12d2Organizational.1-12.d 16 Business Continuity & Disaster Recovery 1670.12d2Organizational.1-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a Each business unit creates at a minimum one business continuity plan. 1
hipaa 1672.12d2Organizational.3-12.d hipaa-1672.12d2Organizational.3-12.d 1672.12d2Organizational.3-12.d 16 Business Continuity & Disaster Recovery 1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a The business continuity planning framework addresses the specific, minimal set of information security requirements as well as (i) temporary operational procedures to follow pending completion of recovery and restoration, and (ii) the responsibilities of the individuals, describing who is responsible for executing which component of the plan (alternatives are nominated as required). 5
ISO27001-2013 A.17.1.1 ISO27001-2013_A.17.1.1 ISO 27001:2013 A.17.1.1 Information Security Aspects Of Business Continuity Management Planning information security continuity Shared n/a The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. link 11
ISO27001-2013 A.17.1.2 ISO27001-2013_A.17.1.2 ISO 27001:2013 A.17.1.2 Information Security Aspects Of Business Continuity Management Implementing information security continuity Shared n/a The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. link 18
ISO27001-2013 A.17.2.1 ISO27001-2013_A.17.2.1 ISO 27001:2013 A.17.2.1 Information Security Aspects Of Business Continuity Management Availability of information processing facilities Shared n/a Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. link 17
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
NIST_SP_800-53_R4 CP-2 NIST_SP_800-53_R4_CP-2 NIST SP 800-53 Rev. 4 CP-2 Contingency Planning Contingency Plan Shared n/a The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification. Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. References: Federal Continuity Directive 1; NIST Special Publication 800-34. link 8
NIST_SP_800-53_R5 CP-2 NIST_SP_800-53_R5_CP-2 NIST SP 800-53 Rev. 5 CP-2 Contingency Planning Contingency Plan Shared n/a a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification. link 8
SWIFT_CSCF_v2022 10.1 SWIFT_CSCF_v2022_10.1 SWIFT CSCF v2022 10.1 10. Be Ready in case of Major Disaster Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). Shared n/a Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). link 5
SWIFT_CSCF_v2022 8.1 SWIFT_CSCF_v2022_8.1 SWIFT CSCF v2022 8.1 8. Set and Monitor Performance Ensure availability by formally setting and monitoring the objectives to be achieved Shared n/a Ensure availability by formally setting and monitoring the objectives to be achieved link 8
SWIFT_CSCF_v2022 8.4 SWIFT_CSCF_v2022_8.4 SWIFT CSCF v2022 8.4 8. Set and Monitor Performance Ensure availability, capacity, and quality of services to customers Shared n/a Ensure availability, capacity, and quality of services to customers link 7
SWIFT_CSCF_v2022 9.1 SWIFT_CSCF_v2022_9.1 SWIFT CSCF v2022 9.1 9. Ensure Availability through Resilience Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. Shared n/a Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. link 8
SWIFT_CSCF_v2022 9.3 SWIFT_CSCF_v2022_9.3 SWIFT CSCF v2022 9.3 9. Ensure Availability through Resilience Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. Shared n/a Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. link 7
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add aa305b4d-8c84-1754-0c74-dec004e66be0
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC