Include roles and responsibilities in the continuity plan, as necessary.


CONTROL ID
13254
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster. (Control: ISM-0734; Revision: 3, Australian Government Information Security Manual, June 2023)
  • The CISO contributes to the development, implementation and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster. (Control: ISM-0734; Revision: 4, Australian Government Information Security Manual, June 2024)
  • The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster. (Security Control: 0734; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The CISO contributes to the development, implementation and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster. (Control: ISM-0734; Revision: 4, Australian Government Information Security Manual, September 2023)
  • For the purposes of point (d), financial entities shall clearly specify roles and responsibilities. (Article 26 1 ¶ 2, Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework)
  • The top management (and/or a member of the top management) is specified as the process owner of the business continuity and contingency management and bears the responsibility for the establishment of the process in the company and compliance with the policies. They must ensure that adequate resourc… (Section 5.14 BCM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Defined communication channels, roles and responsibilities including the notification of the customer (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 4, Cloud Computing Compliance Controls Catalogue (C5))
  • Ownership by at least one appointed person who is responsible for review, updating and approval (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • Strategic establishment and control of a business continuity management (BCM). planning, implementing and testing business continuity concept as well as incorporating safeguards in order to ensure and maintain operations. (Section 5.14 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Are these processes consistent with the personnel in the defined BCMS roles? (Support ¶ 2, ISO 22301: Self-assessment questionnaire)
  • Firms should assign clear roles and responsibilities for business continuity and exit plans. Subject to proportionality, they may establish cross-disciplinary teams to develop, document, test, and execute their business continuity and exit plans, especially in stressed scenarios (which may include c… (§ 10.22, SS2/21 Outsourcing and third party risk management, March 2021)
  • the roles and responsibilities of the team that will implement the plan; (§ 8.4.4.3 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • details of the actions that the teams will take in order to: (§ 8.4.4.2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • who will be responsible; (§ 6.2.2 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • criteria and responsibilities for invoking service continuity; (§ 8.7.2 ¶ 2(a), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Roles and responsibilities of responders. (CIP-009-6 Table R1 Part 1.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Operating Procedures, including decision authority, for use in determining when to implement the Operating Plan for backup functionality. (B. R1. 1.4., North American Electric Reliability Corporation Emergency Preparedness and Operations Reliability Standards - Loss of Control Center Functionality EOP-008-2)
  • Each Transmission Operator shall provide the entities identified in its approved restoration plan with a description of any changes to their roles and specific tasks prior to the effective date of the plan. [Violation Risk Factor = Medium] [Time Horizon = Operations Planning] (B. R2., North American Electric Reliability Corporation Emergency Preparedness and Operations Reliability Standards - System Restoration from Blackstart Resources EOP-005-3)
  • Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the S… (§242.1004 ¶ 1(b), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Responsibility for the management of the approved security requirements shall remain with the CJA. Security control includes the authority to enforce the standards for the selection, supervision, and separation of personnel who have access to CJI; set and enforce policy governing the operation of co… (§ 3.2.2 ¶ 1(3)(a), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Participants' roles and responsibilities, defined decision makers, and rotation of test participants; (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether roles and responsibilities reflect the entity's current organizational structure. (App A Objective 8:2d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Address personnel, processes, technology, and facility issues. (IV Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Authorities, responsibilities, and relocation strategies. (V Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Roles, responsibilities, and required skills for entity personnel and third-party service providers. (App A Objective 8:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., FedRAMP Security Controls High Baseline, Version 5)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., FedRAMP Security Controls Low Baseline, Version 5)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2 a.3., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance. (T0044, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Procurement team (equipment and supplies). (§ 3.4.6 ¶ 2 Bullet 15, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Telecommunications team; (§ 3.4.6 ¶ 2 Bullet 9, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Transportation and relocation team; (§ 3.4.6 ¶ 2 Bullet 11, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Physical/personnel security team; and (§ 3.4.6 ¶ 2 Bullet 14, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Test team; (§ 3.4.6 ¶ 2 Bullet 10, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel to be notified should be clearly identified in the contact lists appended to the plan. This list should identify personnel by their team position, name, and contact information (e.g., home, work, cell phone, email addresses, and home addresses). An entry may resemble the following format: (§ 4.2.2 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Operating system administration team; (§ 3.4.6 ¶ 2 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance. (T0044, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Provide a statewide disaster recovery coordinator for IT disaster recovery planning and coordination among state agencies. (RESPONSIBILITIES: Information Services Division Bullet 2, Policy 690: Disaster Recovery, 690-00)
  • Provide a disaster recovery coordinator for all shared services. (RESPONSIBILITIES: Information Services Division Bullet 3, Policy 690: Disaster Recovery, 690-00)
  • Identify an agency IT disaster recovery coordinator. (RESPONSIBILITIES: Agency Management, Information Technology Organization Bullet 2, Policy 690: Disaster Recovery, 690-00)
  • identify the supervisory personnel responsible for implementing each aspect of the BCDR plan; (§ 500.16 Incident Response and Business Continuity Management (a)(2)(ii), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • identify documents, data, facilities, infrastructure, services, personnel and competencies essential to the continued operations of the covered entity's business; (§ 500.16 Incident Response and Business Continuity Management (a)(2)(i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., TX-RAMP Security Controls Baseline Level 1)
  • Addresses contingency roles, responsibilities, assigned individuals with contact information; (CP-2a.3., TX-RAMP Security Controls Baseline Level 2)