compliance controls are associated with this Policy definition 'Separately store backup information' (fc26e2fd-3149-74b4-5988-d64bb90f8ef7)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
CP_10(2) |
Canada_Federal_PBMM_3-1-2020_CP_10(2) |
Canada Federal PBMM 3-1-2020 CP 10(2) |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution | Transaction Recovery |
Shared |
The information system implements transaction recovery for systems that are transaction-based. |
To minimise the impact on business operations and preventing data loss or corruption. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_10(4) |
Canada_Federal_PBMM_3-1-2020_CP_10(4) |
Canada Federal PBMM 3-1-2020 CP 10(4) |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution | Restore within Time Period |
Shared |
The organization provides the capability to restore information system components within organization-defined restoration time-periods from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
To minimise downtime and ensuring business continuity. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(3) |
Canada_Federal_PBMM_3-1-2020_CP_2(3) |
Canada Federal PBMM 3-1-2020 CP 2(3) |
Contingency Plan |
Contingency Plan | Resume Essential Missions / Business Functions |
Shared |
The organization plans for the resumption of essential missions and business functions within 24 hours of contingency plan activation. |
To ensure that the organization plans for the resumption of essential missions and business functions within 24 hours of activating the contingency plan. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(4) |
Canada_Federal_PBMM_3-1-2020_CP_2(4) |
Canada Federal PBMM 3-1-2020 CP 2(4) |
Contingency Plan |
Contingency Plan | Resume All Missions / Business Functions |
Shared |
The organization plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation. |
To ensure that the organization plans for the resumption of all missions and business functions within an organization-defined time period of contingency plan activation. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(5) |
Canada_Federal_PBMM_3-1-2020_CP_2(5) |
Canada Federal PBMM 3-1-2020 CP 2(5) |
Contingency Plan |
Contingency Plan | Continue Essential Missions / Business Functions |
Shared |
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. |
To minimise downtime, mitigate potential financial losses, maintain customer trust, and uphold critical services or functions.
|
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(6) |
Canada_Federal_PBMM_3-1-2020_CP_2(6) |
Canada Federal PBMM 3-1-2020 CP 2(6) |
Contingency Plan |
Contingency Plan | Alternate Processing / Storage Site |
Shared |
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. |
To minimise downtime and ensure that critical services can continue uninterrupted until full restoration is achieved. |
|
10 |
| CSA_v4.0.12 |
BCR_08 |
CSA_v4.0.12_BCR_08 |
CSA Cloud Controls Matrix v4.0.12 BCR 08 |
Business Continuity Management and Operational Resilience |
Backup |
Shared |
n/a |
Periodically backup data stored in the cloud. Ensure the confidentiality,
integrity and availability of the backup, and verify data restoration from backup for resiliency. |
|
7 |
| CSA_v4.0.12 |
BCR_11 |
CSA_v4.0.12_BCR_11 |
CSA Cloud Controls Matrix v4.0.12 BCR 11 |
Business Continuity Management and Operational Resilience |
Equipment Redundancy |
Shared |
n/a |
Supplement business-critical equipment with redundant equipment independently
located at a reasonable minimum distance in accordance with applicable industry
standards. |
|
3 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_9 |
EU_2555_(NIS2)_2022_9 |
EU 2022/2555 (NIS2) 2022 9 |
|
National cyber crisis management frameworks |
Shared |
n/a |
Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. |
|
14 |
| FedRAMP_High_R4 |
CP-9(3) |
FedRAMP_High_R4_CP-9(3) |
FedRAMP High CP-9 (3) |
Contingency Planning |
Separate Storage For Critical Information |
Shared |
n/a |
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. |
link |
1 |
| FedRAMP_Moderate_R4 |
CP-9(3) |
FedRAMP_Moderate_R4_CP-9(3) |
FedRAMP Moderate CP-9 (3) |
Contingency Planning |
Separate Storage For Critical Information |
Shared |
n/a |
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. |
link |
1 |
| hipaa |
0824.09m3Organizational.1-09.m |
hipaa-0824.09m3Organizational.1-09.m |
0824.09m3Organizational.1-09.m |
08 Network Protection |
0824.09m3Organizational.1-09.m 09.06 Network Security Management |
Shared |
n/a |
The impact of the loss of network service to the business is defined. |
|
10 |
| hipaa |
0860.09m1Organizational.9-09.m |
hipaa-0860.09m1Organizational.9-09.m |
0860.09m1Organizational.9-09.m |
08 Network Protection |
0860.09m1Organizational.9-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization formally manages equipment on the network, including equipment in user areas. |
|
5 |
| hipaa |
1608.12c2Organizational.5-12.c |
hipaa-1608.12c2Organizational.5-12.c |
1608.12c2Organizational.5-12.c |
16 Business Continuity & Disaster Recovery |
1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business continuity plans are stored in a remote location. |
|
3 |
| hipaa |
1618.09l1Organizational.45-09.l |
hipaa-1618.09l1Organizational.45-09.l |
1618.09l1Organizational.45-09.l |
16 Business Continuity & Disaster Recovery |
1618.09l1Organizational.45-09.l 09.05 Information Back-Up |
Shared |
n/a |
The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. |
|
7 |
| hipaa |
1620.09l1Organizational.8-09.l |
hipaa-1620.09l1Organizational.8-09.l |
1620.09l1Organizational.8-09.l |
16 Business Continuity & Disaster Recovery |
1620.09l1Organizational.8-09.l 09.05 Information Back-Up |
Shared |
n/a |
When the backup service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. |
|
5 |
| hipaa |
1622.09l2Organizational.23-09.l |
hipaa-1622.09l2Organizational.23-09.l |
1622.09l2Organizational.23-09.l |
16 Business Continuity & Disaster Recovery |
1622.09l2Organizational.23-09.l 09.05 Information Back-Up |
Shared |
n/a |
The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster. |
|
4 |
| hipaa |
1627.09l3Organizational.6-09.l |
hipaa-1627.09l3Organizational.6-09.l |
1627.09l3Organizational.6-09.l |
16 Business Continuity & Disaster Recovery |
1627.09l3Organizational.6-09.l 09.05 Information Back-Up |
Shared |
n/a |
The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter. |
|
2 |
| ISO_IEC_27017_2015 |
12.3.1 |
ISO_IEC_27017_2015_12.3.1 |
ISO IEC 27017 2015 12.3.1 |
Operations Security |
Information Backup |
Shared |
For Cloud Service Customer:
Where the cloud service provider provides backup capability as part of the cloud service, the cloud service customer should request the specifications of the backup capability from the cloud service provider. The cloud service customer should also verify that they meet their backup requirements.
The cloud service customer is responsible for implementing backup capabilities when the cloud service provider does not provide them.
For Cloud Service Provider:
The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate:
(i) scope and schedule of backups;
(ii) backup methods and data formats, including encryption, if relevant;
(iii) retention periods for backup data;
(iv) procedures for verifying integrity of backup data;
(v) procedures and timescales involved in restoring data from backup;
(vi) procedures to test the backup capabilities;
(vii) storage location of backups.
The cloud service provider should provide secure and segregated access to backups, such as virtual snapshots, if such service is offered to cloud service customers. |
To enable recovery from loss of data or systems. |
|
3 |
| ISO27001-2013 |
A.12.3.1 |
ISO27001-2013_A.12.3.1 |
ISO 27001:2013 A.12.3.1 |
Operations Security |
Information backup |
Shared |
n/a |
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. |
link |
13 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
404 not found |
|
|
|
n/a |
n/a |
|
32 |
| NIST_SP_800-53_R4 |
CP-9(3) |
NIST_SP_800-53_R4_CP-9(3) |
NIST SP 800-53 Rev. 4 CP-9 (3) |
Contingency Planning |
Separate Storage For Critical Information |
Shared |
n/a |
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. |
link |
1 |
| NIST_SP_800-53_R5.1.1 |
CP.6 |
NIST_SP_800-53_R5.1.1_CP.6 |
NIST SP 800-53 R5.1.1 CP.6 |
Contingency Planning Control |
Alternate Storage Site |
Shared |
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. |
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems. |
|
2 |
| NIST_SP_800-53_R5.1.1 |
CP.6.1 |
NIST_SP_800-53_R5.1.1_CP.6.1 |
NIST SP 800-53 R5.1.1 CP.6.1 |
Contingency Planning Control |
Alternate Storage Site | Separation from Primary Site |
Shared |
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. |
Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant. |
|
2 |
| NIST_SP_800-53_R5 |
CP-9(3) |
NIST_SP_800-53_R5_CP-9(3) |
NIST SP 800-53 Rev. 5 CP-9 (3) |
Contingency Planning |
Separate Storage for Critical Information |
Shared |
n/a |
Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. |
link |
1 |
|
op.cont.3 Periodic tests |
op.cont.3 Periodic tests |
404 not found |
|
|
|
n/a |
n/a |
|
91 |
|
op.cont.4 Alternative means |
op.cont.4 Alternative means |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
|
op.exp.3 Security configuration management |
op.exp.3 Security configuration management |
404 not found |
|
|
|
n/a |
n/a |
|
123 |
| PCI_DSS_v4.0.1 |
9.4.1.2 |
PCI_DSS_v4.0.1_9.4.1.2 |
PCI DSS v4.0.1 9.4.1.2 |
Restrict Physical Access to Cardholder Data |
The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months |
Shared |
n/a |
Examine documentation to verify that procedures are defined for reviewing the security of the offline media backup location(s) with cardholder data at least once every 12 months. Examine documented procedures, logs, or other documentation, and interview responsible personnel at the storage location(s) to verify that the storage location’s security is reviewed at least once every 12 months |
|
2 |
| SOC_2 |
A1.2 |
SOC_2_A1.2 |
SOC 2 Type 2 A1.2 |
Additional Criteria For Availability |
Environmental protections, software, data back-up processes, and recovery infrastructure |
Shared |
The customer is responsible for implementing this recommendation. |
Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the
system, including threats resulting from adverse weather, failure of environmental
control systems, electrical discharge, fire, and water.
• Designs Detection Measures — Detection measures are implemented to identify
anomalies that could result from environmental threat events.
• Implements and Maintains Environmental Protection Mechanisms — Management
implements and maintains environmental protection mechanisms to prevent and
mitigate environmental events.
• Implements Alerts to Analyze Anomalies — Management implements alerts that are
communicated to personnel for analysis to identify environmental threat events.
• Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems
(for example, uninterruptable power system and generator backup subsystem).
• Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary.
• Determines Data Requiring Backup — Data is evaluated to determine whether
backup is required.
• Performs Data Backup — Procedures are in place for backing up data, monitoring
to detect backup failures, and initiating corrective action when such failures occur.
• Addresses Offsite Storage — Backup data is stored in a location at a distance from
its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
• Implements Alternate Processing Infrastructure — Measures are implemented for
migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. |
|
13 |
| SOC_2 |
PI1.5 |
SOC_2_PI1.5 |
SOC 2 Type 2 PI1.5 |
Additional Criteria For Processing Integrity |
Store inputs and outputs completely, accurately, and timely |
Shared |
The customer is responsible for implementing this recommendation. |
• Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
• Archives and Protects System Records — System records are archived and archives
are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.
• Stores Data Completely and Accurately — Procedures are in place to provide for
the complete, accurate, and timely storage of data.
• Creates and Maintains Records of System Storage Activities — Records of system
storage activities are created and maintained completely and accurately in a timely
manner |
|
10 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SWIFT_CSCF_v2022 |
9.2 |
SWIFT_CSCF_v2022_9.2 |
SWIFT CSCF v2022 9.2 |
9. Ensure Availability through Resilience |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
Shared |
n/a |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
link |
13 |