Compliance

The following 8 compliance controls are associated with this Policy definition 'Recover and reconstitute resources after any disruption' (f33c3238-11d2-508c-877c-4262ec1132e1).

Each control is listed with the same fields as the original table: Control Domain, Control, Name, MetadataId, Category, Title, Owner, Requirements, Description, Info, Policy#.

Control Domain: FedRAMP_High_R4
Control: CP-10
Name: FedRAMP_High_R4_CP-10
MetadataId: FedRAMP High CP-10
Category: Contingency Planning
Title: Information System Recovery And Reconstitution
Owner: Shared
Requirements: n/a
Description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Supplemental Guidance: Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24.
References: Federal Continuity Directive 1; NIST Special Publication 800-34.
Info: link
Policy#: 1

Control Domain: FedRAMP_Moderate_R4
Control: CP-10
Name: FedRAMP_Moderate_R4_CP-10
MetadataId: FedRAMP Moderate CP-10
Category: Contingency Planning
Title: Information System Recovery And Reconstitution
Owner: Shared
Requirements: n/a
Description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Supplemental Guidance: Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24.
References: Federal Continuity Directive 1; NIST Special Publication 800-34.
Info: link
Policy#: 1

Control Domain: hipaa
Control: 1464.09e2Organizational.5-09.e
Name: hipaa-1464.09e2Organizational.5-09.e
MetadataId: 1464.09e2Organizational.5-09.e
Category: 14 Third Party Assurance
Title: 1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery
Owner: Shared
Requirements: n/a
Description: The organization restricts the location of facilities that process, transmit or store covered information (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual and other security and privacy-related obligations.
Info: (none)
Policy#: 5

Control Domain: ISO27001-2013
Control: A.17.1.2
Name: ISO27001-2013_A.17.1.2
MetadataId: ISO 27001:2013 A.17.1.2
Category: Information Security Aspects Of Business Continuity Management
Title: Implementing information security continuity
Owner: Shared
Requirements: n/a
Description: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Info: link
Policy#: 18

Control Domain: NIST_SP_800-53_R4
Control: CP-10
Name: NIST_SP_800-53_R4_CP-10
MetadataId: NIST SP 800-53 Rev. 4 CP-10
Category: Contingency Planning
Title: Information System Recovery And Reconstitution
Owner: Shared
Requirements: n/a
Description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Supplemental Guidance: Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24.
References: Federal Continuity Directive 1; NIST Special Publication 800-34.
Info: link
Policy#: 1

Control Domain: NIST_SP_800-53_R5
Control: CP-10
Name: NIST_SP_800-53_R5_CP-10
MetadataId: NIST SP 800-53 Rev. 5 CP-10
Category: Contingency Planning
Title: System Recovery and Reconstitution
Owner: Shared
Requirements: n/a
Description: Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
Info: link
Policy#: 1

Control Domain: SOC_2
Control: A1.2
Name: SOC_2_A1.2
MetadataId: SOC 2 Type 2 A1.2
Category: Additional Criteria For Availability
Title: Environmental protections, software, data back-up processes, and recovery infrastructure
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
• Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.
• Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events.
• Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events.
• Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events.
• Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem).
• Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary.
• Determines Data Requiring Backup — Data is evaluated to determine whether backup is required.
• Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur.
• Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
• Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.
Info: (none)
Policy#: 13

Control Domain: SWIFT_CSCF_v2022
Control: 9.2
Name: SWIFT_CSCF_v2022_9.2
MetadataId: SWIFT CSCF v2022 9.2
Category: 9. Ensure Availability through Resilience
Title: Providers must ensure that the service remains available for customers in the event of a site disaster.
Owner: Shared
Requirements: n/a
Description: Providers must ensure that the service remains available for customers in the event of a site disaster.
Info: link
Policy#: 13
|