compliance controls are associated with this Policy definition 'Long-term geo-redundant backup should be enabled for Azure SQL Databases' (d38fc420-0735-4ef3-ac11-c806f651a570)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
9.1 |
Azure_Security_Benchmark_v1.0_9.1 |
Azure Security Benchmark 9.1 |
Data Recovery |
Ensure regular automated back ups |
Customer |
Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period.
How to enable Azure Backup:
https://docs.microsoft.com/azure/backup/ |
n/a |
link |
5 |
| Azure_Security_Benchmark_v1.0 |
9.2 |
Azure_Security_Benchmark_v1.0_9.2 |
Azure Security Benchmark 9.2 |
Data Recovery |
Perform complete system backups and backup any customer managed keys |
Customer |
Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Backup customer managed keys within Azure Key Vault.
How to enable Azure Backup:
https://docs.microsoft.com/azure/backup/
How to backup key vault keys in Azure:
https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0 |
n/a |
link |
5 |
| Azure_Security_Benchmark_v2.0 |
BR-1 |
Azure_Security_Benchmark_v2.0_BR-1 |
Azure Security Benchmark BR-1 |
Backup and Recovery |
Ensure regular automated backups |
Customer |
Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be defined by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.
For a higher level of protection, you can enable geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore.
Enterprise-scale business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
How to enable Azure Backup: https://docs.microsoft.com/azure/backup/
How to enable cross region restore: https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms#cross-region-restore |
n/a |
link |
5 |
| Azure_Security_Benchmark_v2.0 |
BR-2 |
Azure_Security_Benchmark_v2.0_BR-2 |
Azure Security Benchmark BR-2 |
Backup and Recovery |
Encrypt backup data |
Customer |
Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.
For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.
Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted.
Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview
Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk
How to backup Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0
Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks |
n/a |
link |
5 |
| Canada_Federal_PBMM_3-1-2020 |
AU_9(2) |
Canada_Federal_PBMM_3-1-2020_AU_9(2) |
Canada Federal PBMM 3-1-2020 AU 9(2) |
Protection of Audit Information |
Protection of Audit Information | Audit Backup on Separate Physical Systems / Components |
Shared |
The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited. |
To ensure redundancy and resilience of audit data against potential system failures or compromises. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CM_2(3) |
Canada_Federal_PBMM_3-1-2020_CM_2(3) |
Canada Federal PBMM 3-1-2020 CM 2(3) |
Baseline Configuration |
Baseline Configuration | Retention of Previous Configurations |
Shared |
The organization retains the two most recent precious versions of baseline configurations of the information system to support rollback. |
To mitigate risks and minimize disruptions to system functionality and operational continuity. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_10 |
Canada_Federal_PBMM_3-1-2020_CP_10 |
Canada Federal PBMM 3-1-2020 CP 10 |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution |
Shared |
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. |
To ensure the restoration of normal operations following a disruption, compromise, or failure, maintaining continuity of essential missions and business functions. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_10(2) |
Canada_Federal_PBMM_3-1-2020_CP_10(2) |
Canada Federal PBMM 3-1-2020 CP 10(2) |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution | Transaction Recovery |
Shared |
The information system implements transaction recovery for systems that are transaction-based. |
To minimise the impact on business operations and preventing data loss or corruption. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_10(4) |
Canada_Federal_PBMM_3-1-2020_CP_10(4) |
Canada Federal PBMM 3-1-2020 CP 10(4) |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution | Restore within Time Period |
Shared |
The organization provides the capability to restore information system components within organization-defined restoration time-periods from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
To minimise downtime and ensuring business continuity. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(3) |
Canada_Federal_PBMM_3-1-2020_CP_2(3) |
Canada Federal PBMM 3-1-2020 CP 2(3) |
Contingency Plan |
Contingency Plan | Resume Essential Missions / Business Functions |
Shared |
The organization plans for the resumption of essential missions and business functions within 24 hours of contingency plan activation. |
To ensure that the organization plans for the resumption of essential missions and business functions within 24 hours of activating the contingency plan. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(4) |
Canada_Federal_PBMM_3-1-2020_CP_2(4) |
Canada Federal PBMM 3-1-2020 CP 2(4) |
Contingency Plan |
Contingency Plan | Resume All Missions / Business Functions |
Shared |
The organization plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation. |
To ensure that the organization plans for the resumption of all missions and business functions within an organization-defined time period of contingency plan activation. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(5) |
Canada_Federal_PBMM_3-1-2020_CP_2(5) |
Canada Federal PBMM 3-1-2020 CP 2(5) |
Contingency Plan |
Contingency Plan | Continue Essential Missions / Business Functions |
Shared |
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. |
To minimise downtime, mitigate potential financial losses, maintain customer trust, and uphold critical services or functions.
|
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(6) |
Canada_Federal_PBMM_3-1-2020_CP_2(6) |
Canada Federal PBMM 3-1-2020 CP 2(6) |
Contingency Plan |
Contingency Plan | Alternate Processing / Storage Site |
Shared |
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. |
To minimise downtime and ensure that critical services can continue uninterrupted until full restoration is achieved. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_6 |
Canada_Federal_PBMM_3-1-2020_CP_6 |
Canada Federal PBMM 3-1-2020 CP 6 |
Alternate Storage Site |
Alternate Storage Site |
Shared |
1. The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information.
2. The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. |
To ensure ensuring security measures match those of the primary site. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_6(1) |
Canada_Federal_PBMM_3-1-2020_CP_6(1) |
Canada Federal PBMM 3-1-2020 CP 6(1) |
Alternate Storage Site |
Alternate Storage Site | Separation from Primary Site |
Shared |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_6(3) |
Canada_Federal_PBMM_3-1-2020_CP_6(3) |
Canada Federal PBMM 3-1-2020 CP 6(3) |
Alternate Storage Site |
Alternate Storage Site | Accessibility |
Shared |
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_7 |
Canada_Federal_PBMM_3-1-2020_CP_7 |
Canada Federal PBMM 3-1-2020 CP 7 |
Alternate Processing Site |
Alternative Processing Site |
Shared |
1. The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
2. The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.
3. The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_7(1) |
Canada_Federal_PBMM_3-1-2020_CP_7(1) |
Canada Federal PBMM 3-1-2020 CP 7(1) |
Alternate Processing Site |
Alternative Processing Site | Separation from Primary Site |
Shared |
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. |
To mitigate vulnerability to common threats. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_7(3) |
Canada_Federal_PBMM_3-1-2020_CP_7(3) |
Canada Federal PBMM 3-1-2020 CP 7(3) |
Alternate Processing Site |
Alternative Processing Site | Priority of Service |
Shared |
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). |
To minimize downtime and maintain operational continuity. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CP_9 |
Canada_Federal_PBMM_3-1-2020_CP_9 |
Canada Federal PBMM 3-1-2020 CP 9 |
Information System Backup |
Information System Backup |
Shared |
1. The organization conducts backups of user-level information contained in the information system daily incremental; weekly full.
2. The organization conducts backups of system-level information contained in the information system daily incremental; weekly full.
3. The organization conducts backups of information system documentation including security-related documentation daily incremental; weekly full.
4. The organization protects the confidentiality, integrity, and availability of backup information at storage locations.
AA. The organization determines retention periods for essential business information and archived backups. |
To ensure the confidentiality, integrity, and availability of backup data at storage locations. |
|
4 |
| CMMC_L3 |
RE.2.137 |
CMMC_L3_RE.2.137 |
CMMC L3 RE.2.137 |
Recovery |
Regularly perform and test data back-ups. |
Customer |
The customer is responsible for implementing this requirement. |
Backups are used to recover data in the event of a hardware or software failure. Backups should be performed and tested regularly based on an organizational defined frequency. |
link |
6 |
| CMMC_L3 |
RE.3.139 |
CMMC_L3_RE.3.139 |
CMMC L3 RE.3.139 |
Recovery |
Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. |
Customer |
The customer is responsible for implementing this requirement. |
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: 10.1 Ensure that all system data is automatically backed up on a regular basis. 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. |
link |
6 |
| CSA_v4.0.12 |
BCR_08 |
CSA_v4.0.12_BCR_08 |
CSA Cloud Controls Matrix v4.0.12 BCR 08 |
Business Continuity Management and Operational Resilience |
Backup |
Shared |
n/a |
Periodically backup data stored in the cloud. Ensure the confidentiality,
integrity and availability of the backup, and verify data restoration from backup for resiliency. |
|
7 |
| CSA_v4.0.12 |
CEK_08 |
CSA_v4.0.12_CEK_08 |
CSA Cloud Controls Matrix v4.0.12 CEK 08 |
Cryptography, Encryption & Key Management |
CSC Key Management Capability |
Shared |
n/a |
CSPs must provide the capability for CSCs to manage their own data
encryption keys. |
|
6 |
| CSA_v4.0.12 |
CEK_20 |
CSA_v4.0.12_CEK_20 |
CSA Cloud Controls Matrix v4.0.12 CEK 20 |
Cryptography, Encryption & Key Management |
Key Recovery |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to assess the risk to operational continuity versus the risk of the
keying material and the information it protects being exposed if control of
the keying material is lost, which include provisions for legal and regulatory
requirements. |
|
24 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_9 |
EU_2555_(NIS2)_2022_9 |
EU 2022/2555 (NIS2) 2022 9 |
|
National cyber crisis management frameworks |
Shared |
n/a |
Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. |
|
14 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FedRAMP_High_R4 |
CP-6 |
FedRAMP_High_R4_CP-6 |
FedRAMP High CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| FedRAMP_High_R4 |
CP-6(1) |
FedRAMP_High_R4_CP-6(1) |
FedRAMP High CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| FedRAMP_Moderate_R4 |
CP-6 |
FedRAMP_Moderate_R4_CP-6 |
FedRAMP Moderate CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| FedRAMP_Moderate_R4 |
CP-6(1) |
FedRAMP_Moderate_R4_CP-6(1) |
FedRAMP Moderate CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| hipaa |
1616.09l1Organizational.16-09.l |
hipaa-1616.09l1Organizational.16-09.l |
1616.09l1Organizational.16-09.l |
16 Business Continuity & Disaster Recovery |
1616.09l1Organizational.16-09.l 09.05 Information Back-Up |
Shared |
n/a |
Backup copies of information and software are made, and tests of the media and restoration procedures are regularly performed at appropriate intervals. |
|
2 |
| hipaa |
1621.09l2Organizational.1-09.l |
hipaa-1621.09l2Organizational.1-09.l |
1621.09l2Organizational.1-09.l |
16 Business Continuity & Disaster Recovery |
1621.09l2Organizational.1-09.l 09.05 Information Back-Up |
Shared |
n/a |
Automated tools are used to track all backups. |
|
3 |
| HITRUST_CSF_v11.3 |
06.c |
HITRUST_CSF_v11.3_06.c |
HITRUST CSF v11.3 06.c |
Compliance with Legal Requirements |
Prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. |
Shared |
1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information.
2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. |
Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. |
|
26 |
| HITRUST_CSF_v11.3 |
09.l |
HITRUST_CSF_v11.3_09.l |
HITRUST CSF v11.3 09.l |
Information Back-Up |
Ensure the maintenance, integrity, and availability of organizational information. |
Shared |
1. Restoration procedures are to be tested regularly at appropriate intervals in accordance with an agreed-upon backup policy.
2. Inventory records for the backup copies are to be maintained, and is to include the content of the backup copies, and the current location of the backup copies.
3. Full backups are to be performed weekly to separate media and incremental.
4. Differential backups are to be performed daily to separate media. |
Back-up copies of information and software shall be taken and tested regularly. |
|
7 |
| NIST_CSF_v2.0 |
PR.DS_01 |
NIST_CSF_v2.0_PR.DS_01 |
NIST CSF v2.0 PR.DS 01 |
PROTECT-Data Security |
The confidentiality, integrity, and availability of data-at-rest are protected. |
Shared |
n/a |
To implement safeguards for managing organization’s cybersecurity risks. |
|
4 |
| NIST_SP_800-171_R3_3 |
.8.9 |
NIST_SP_800-171_R3_3.8.9 |
NIST 800-171 R3 3.8.9 |
Media Protection Control |
System Backup – Cryptographic Protection |
Shared |
Backup storage locations may include system-level information and user-level information System-level information includes system state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. Hardware-enabled security technologies (e.g., hardware security modules [HSM]) can be used to enhance cryptographic protection for backup information. HSM devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation/verification) are typically hosted on the HSM device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. This requirement is related to 03.13.11. |
Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations. |
|
4 |
| NIST_SP_800-53_R4 |
CP-6 |
NIST_SP_800-53_R4_CP-6 |
NIST SP 800-53 Rev. 4 CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| NIST_SP_800-53_R4 |
CP-6(1) |
NIST_SP_800-53_R4_CP-6(1) |
NIST SP 800-53 Rev. 4 CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| NIST_SP_800-53_R5.1.1 |
CP.10 |
NIST_SP_800-53_R5.1.1_CP.10 |
NIST SP 800-53 R5.1.1 CP.10 |
Contingency Planning Control |
System Recovery and Reconstitution |
Shared |
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. |
Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. |
|
2 |
| NIST_SP_800-53_R5.1.1 |
CP.12 |
NIST_SP_800-53_R5.1.1_CP.12 |
NIST SP 800-53 R5.1.1 CP.12 |
Contingency Planning Control |
Safe Mode |
Shared |
When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. |
For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)—organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth. |
|
1 |
| NIST_SP_800-53_R5.1.1 |
CP.9 |
NIST_SP_800-53_R5.1.1_CP.9 |
NIST SP 800-53 R5.1.1 CP.9 |
Contingency Planning Control |
System Backup |
Shared |
a. Conduct backups of user-level information contained in [Assignment: organization-defined system components]
[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information. |
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. |
|
4 |
| NIST_SP_800-53_R5.1.1 |
CP.9.5 |
NIST_SP_800-53_R5.1.1_CP.9.5 |
NIST SP 800-53 R5.1.1 CP.9.5 |
Contingency Planning Control |
System Backup | Transfer to Alternate Storage Site |
Shared |
Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. |
System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media. |
|
4 |
| NIST_SP_800-53_R5.1.1 |
CP.9.6 |
NIST_SP_800-53_R5.1.1_CP.9.6 |
NIST SP 800-53 R5.1.1 CP.9.6 |
Contingency Planning Control |
System Backup | Redundant Secondary System |
Shared |
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. |
The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors the primary system, including the replication of information. If this type of redundancy is in place and there is sufficient geographic separation between the two systems, the secondary system can also serve as the alternate processing site. |
|
4 |
| NIST_SP_800-53_R5 |
CP-6 |
NIST_SP_800-53_R5_CP-6 |
NIST SP 800-53 Rev. 5 CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. |
link |
7 |
| NIST_SP_800-53_R5 |
CP-6(1) |
NIST_SP_800-53_R5_CP-6(1) |
NIST SP 800-53 Rev. 5 CP-6 (1) |
Contingency Planning |
Separation from Primary Site |
Shared |
n/a |
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. |
link |
6 |
| NZISM_v3.7 |
19.1.20.C.01. |
NZISM_v3.7_19.1.20.C.01. |
NZISM v3.7 19.1.20.C.01. |
Gateways |
19.1.20.C.01. - reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST authenticate system users to all classified networks accessed through gateways. |
|
24 |
| NZISM_v3.7 |
19.1.20.C.02. |
NZISM_v3.7_19.1.20.C.02. |
NZISM v3.7 19.1.20.C.02. |
Gateways |
19.1.20.C.02. - reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST ensure that only authenticated and authorised system users can use the gateway. |
|
15 |
| NZISM_v3.7 |
19.1.20.C.03. |
NZISM_v3.7_19.1.20.C.03. |
NZISM v3.7 19.1.20.C.03. |
Gateways |
19.1.20.C.03. - reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD use multi-factor authentication for access to networks and gateways. |
|
9 |
| NZISM_v3.7 |
22.1.26.C.01. |
NZISM_v3.7_22.1.26.C.01. |
NZISM v3.7 22.1.26.C.01. |
Cloud Computing |
22.1.26.C.01. - ensure safety of data. |
Shared |
n/a |
Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures. |
|
11 |
| NZISM_v3.7 |
5.1.21.C.02. |
NZISM_v3.7_5.1.21.C.02. |
NZISM v3.7 5.1.21.C.02. |
Documentation Fundamentals |
5.1.21.C.02. - establish a systematic approach to reviewing information security documentation, |
Shared |
n/a |
Agencies SHOULD ensure that information security documentation is reviewed:
1. At least annually; or
2. In response to significant changes in the environment, business or system; and
3. With the date of the most recent review being recorded on each document. |
|
6 |
| NZISM_v3.7 |
6.4.6.C.01. |
NZISM_v3.7_6.4.6.C.01. |
NZISM v3.7 6.4.6.C.01. |
Business Continuity and Disaster Recovery |
6.4.6.C.01. - enhance operational resilience. |
Shared |
n/a |
Agencies SHOULD:
1.Identify vital records;
2. backup all vital records;
3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4.
4. classification of the information; and
5. test backup and restoration processes regularly to confirm their effectiveness. |
|
13 |
| NZISM_v3.7 |
7.3.11.C.01. |
NZISM_v3.7_7.3.11.C.01. |
NZISM v3.7 7.3.11.C.01. |
Managing Information Security Incidents |
7.3.11.C.01. - support comprehensive investigations and ensure accountability |
Shared |
n/a |
Agencies SHOULD:
1. transfer a copy of raw audit trails and other relevant data onto media for secure archiving, as well as securing manual log records for retention; and
2. ensure that all personnel involved in the investigation maintain a record of actions undertaken to support the investigation. |
|
8 |
| NZISM_v3.7 |
7.3.6.C.01. |
NZISM_v3.7_7.3.6.C.01. |
NZISM v3.7 7.3.6.C.01. |
Managing Information Security Incidents |
7.3.6.C.01. - enhance incident management and oversight. |
Shared |
n/a |
Agencies SHOULD ensure that all information security incidents are recorded in a register. |
|
8 |
|
op.cont.3 Periodic tests |
op.cont.3 Periodic tests |
404 not found |
|
|
|
n/a |
n/a |
|
91 |
|
op.cont.4 Alternative means |
op.cont.4 Alternative means |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
|
op.exp.3 Security configuration management |
op.exp.3 Security configuration management |
404 not found |
|
|
|
n/a |
n/a |
|
123 |
| RBI_ITF_NBFC_v2017 |
6 |
RBI_ITF_NBFC_v2017_6 |
RBI IT Framework 6 |
Business Continuity Planning |
Business Continuity Planning (BCP) and Disaster Recovery-6 |
|
n/a |
BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features |
link |
9 |
| RBI_ITF_NBFC_v2017 |
6.2 |
RBI_ITF_NBFC_v2017_6.2 |
RBI IT Framework 6.2 |
Business Continuity Planning |
Recovery strategy / Contingency Plan-6.2 |
|
n/a |
NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster. |
link |
8 |
| RBI_ITF_NBFC_v2017 |
6.3 |
RBI_ITF_NBFC_v2017_6.3 |
RBI IT Framework 6.3 |
Business Continuity Planning |
Recovery strategy / Contingency Plan-6.3 |
|
n/a |
NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers. |
link |
7 |
| RMiT_v1.0 |
10.51 |
RMiT_v1.0_10.51 |
RMiT 10.51 |
Cloud Services |
Cloud Services - 10.51 |
Shared |
n/a |
A financial institution is required to consult the Bank prior to the use of public cloud for critical systems. The financial institution is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in paragraph 10.49 as well as the following areas:
(a) the adequacy of the overarching cloud adoption strategy of the financial institution including:
(i) board oversight over cloud strategy and cloud operational management;
(ii) senior management roles and responsibilities on cloud management;
(iii) conduct of day-to-day operational management functions;
(iv) management and oversight by the financial institution of cloud service providers;
(v) quality of risk management and internal control functions; and
(vi) strength of in-house competency and experience;
(b) the availability of independent, internationally recognised certifications of the cloud service providers, at a minimum, in the following areas:
(i) information security management framework, including cryptographic modules such as used for encryption and decryption of user data; and
(ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit; and
(c) the degree to which the selected cloud configuration adequately addresses the following attributes:
(i) geographical redundancy;
(ii) high availability;
(iii) scalability;
(iv) portability;
(v) interoperability; and
(vi) strong recovery and resumption capability including appropriate alternate Internet path to protect against potential Internet faults. |
link |
6 |
| Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SWIFT_CSCF_v2021 |
2.5A |
SWIFT_CSCF_v2021_2.5A |
SWIFT CSCF v2021 2.5A |
Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
|
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
11 |