| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CP-9 |
FedRAMP_High_R4_CP-9 |
FedRAMP High CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| FedRAMP_Moderate_R4 |
CP-9 |
FedRAMP_Moderate_R4_CP-9 |
FedRAMP Moderate CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| hipaa |
1608.12c2Organizational.5-12.c |
hipaa-1608.12c2Organizational.5-12.c |
1608.12c2Organizational.5-12.c |
16 Business Continuity & Disaster Recovery |
1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business continuity plans are stored in a remote location. |
|
3 |
| hipaa |
1616.09l1Organizational.16-09.l |
hipaa-1616.09l1Organizational.16-09.l |
1616.09l1Organizational.16-09.l |
16 Business Continuity & Disaster Recovery |
1616.09l1Organizational.16-09.l 09.05 Information Back-Up |
Shared |
n/a |
Backup copies of information and software are made, and tests of the media and restoration procedures are regularly performed at appropriate intervals. |
|
2 |
| hipaa |
1617.09l1Organizational.23-09.l |
hipaa-1617.09l1Organizational.23-09.l |
1617.09l1Organizational.23-09.l |
16 Business Continuity & Disaster Recovery |
1617.09l1Organizational.23-09.l 09.05 Information Back-Up |
Shared |
n/a |
A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements. |
|
3 |
| hipaa |
1620.09l1Organizational.8-09.l |
hipaa-1620.09l1Organizational.8-09.l |
1620.09l1Organizational.8-09.l |
16 Business Continuity & Disaster Recovery |
1620.09l1Organizational.8-09.l 09.05 Information Back-Up |
Shared |
n/a |
When the backup service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. |
|
5 |
| hipaa |
1623.09l2Organizational.4-09.l |
hipaa-1623.09l2Organizational.4-09.l |
1623.09l2Organizational.4-09.l |
16 Business Continuity & Disaster Recovery |
1623.09l2Organizational.4-09.l 09.05 Information Back-Up |
Shared |
n/a |
Covered information is backed-up in an encrypted format to ensure confidentiality. |
|
3 |
| hipaa |
1624.09l3Organizational.12-09.l |
hipaa-1624.09l3Organizational.12-09.l |
1624.09l3Organizational.12-09.l |
16 Business Continuity & Disaster Recovery |
1624.09l3Organizational.12-09.l 09.05 Information Back-Up |
Shared |
n/a |
The organization performs incremental or differential backups daily and full backups weekly to separate media. |
|
3 |
| hipaa |
1625.09l3Organizational.34-09.l |
hipaa-1625.09l3Organizational.34-09.l |
1625.09l3Organizational.34-09.l |
16 Business Continuity & Disaster Recovery |
1625.09l3Organizational.34-09.l 09.05 Information Back-Up |
Shared |
n/a |
Three generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action. |
|
2 |
| hipaa |
1626.09l3Organizational.5-09.l |
hipaa-1626.09l3Organizational.5-09.l |
1626.09l3Organizational.5-09.l |
16 Business Continuity & Disaster Recovery |
1626.09l3Organizational.5-09.l 09.05 Information Back-Up |
Shared |
n/a |
The organization ensures a current, retrievable copy of covered information is available before movement of servers. |
|
2 |
| hipaa |
1908.06.c1Organizational.4-06.c |
hipaa-1908.06.c1Organizational.4-06.c |
1908.06.c1Organizational.4-06.c |
19 Data Protection & Privacy |
1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization documents and maintains (i) designated record sets that are subject to access by individuals, and (ii) titles of the persons or office responsible for receiving and processing requests for access by individuals as organizational records for a period of six years. |
|
11 |
| hipaa |
19141.06c1Organizational.7-06.c |
hipaa-19141.06c1Organizational.7-06.c |
19141.06c1Organizational.7-06.c |
19 Data Protection & Privacy |
19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Important records, such as contracts, personnel records, financial information, client/customer information, etc., of the organization are protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc. |
|
10 |
| hipaa |
19145.06c2Organizational.2-06.c |
hipaa-19145.06c2Organizational.2-06.c |
19145.06c2Organizational.2-06.c |
19 Data Protection & Privacy |
19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Specific controls for record storage, access, retention, and destruction have been implemented. |
|
8 |
| ISO27001-2013 |
A.12.3.1 |
ISO27001-2013_A.12.3.1 |
ISO 27001:2013 A.12.3.1 |
Operations Security |
Information backup |
Shared |
n/a |
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. |
link |
13 |
| ISO27001-2013 |
A.17.1.2 |
ISO27001-2013_A.17.1.2 |
ISO 27001:2013 A.17.1.2 |
Information Security Aspects Of Business Continuity Management |
Implementing information security continuity |
Shared |
n/a |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
link |
18 |
| ISO27001-2013 |
A.18.1.3 |
ISO27001-2013_A.18.1.3 |
ISO 27001:2013 A.18.1.3 |
Compliance |
Protection of records |
Shared |
n/a |
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. |
link |
15 |
| NIST_SP_800-53_R4 |
CP-9 |
NIST_SP_800-53_R4_CP-9 |
NIST SP 800-53 Rev. 4 CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| NIST_SP_800-53_R5 |
CP-9 |
NIST_SP_800-53_R5_CP-9 |
NIST SP 800-53 Rev. 5 CP-9 |
Contingency Planning |
System Backup |
Shared |
n/a |
a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information. |
link |
9 |
| SWIFT_CSCF_v2022 |
2.4 |
SWIFT_CSCF_v2022_2.4 |
SWIFT CSCF v2022 2.4 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. |
link |
7 |
| SWIFT_CSCF_v2022 |
2.5 |
SWIFT_CSCF_v2022_2.5 |
SWIFT CSCF v2022 2.5 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
Shared |
n/a |
Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. |
link |
7 |
| SWIFT_CSCF_v2022 |
9.2 |
SWIFT_CSCF_v2022_9.2 |
SWIFT CSCF v2022 9.2 |
9. Ensure Availability through Resilience |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
Shared |
n/a |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
link |
13 |