compliance controls are associated with this Policy definition 'Create separate alternate and primary storage sites' (81b6267b-97a7-9aa5-51ee-d2584a160424)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CP-6(1) |
FedRAMP_High_R4_CP-6(1) |
FedRAMP High CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| FedRAMP_Moderate_R4 |
CP-6(1) |
FedRAMP_Moderate_R4_CP-6(1) |
FedRAMP Moderate CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| hipaa |
0947.09y2Organizational.2-09.y |
hipaa-0947.09y2Organizational.2-09.y |
0947.09y2Organizational.2-09.y |
09 Transmission Protection |
0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. |
|
11 |
| hipaa |
1464.09e2Organizational.5-09.e |
hipaa-1464.09e2Organizational.5-09.e |
1464.09e2Organizational.5-09.e |
14 Third Party Assurance |
1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization restricts the location of facilities that process, transmit or store covered information (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual and other security and privacy-related obligations. |
|
5 |
| hipaa |
1604.12c2Organizational.16789-12.c |
hipaa-1604.12c2Organizational.16789-12.c |
1604.12c2Organizational.16789-12.c |
16 Business Continuity & Disaster Recovery |
1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Alternative storage and processing sites are identified (permanent and/or temporary) at a sufficient distance from the primary facility and configured with security measures equivalent to the primary site, and the necessary third-party service agreements have been established to allow for the resumption of information systems operations of critical business functions within the time period defined (e.g., priority of service provisions) based on a risk assessment, including Recovery Time Objectives (RTO), in accordance with the organization's availability requirements. |
|
6 |
| hipaa |
1618.09l1Organizational.45-09.l |
hipaa-1618.09l1Organizational.45-09.l |
1618.09l1Organizational.45-09.l |
16 Business Continuity & Disaster Recovery |
1618.09l1Organizational.45-09.l 09.05 Information Back-Up |
Shared |
n/a |
The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. |
|
7 |
| ISO27001-2013 |
A.11.1.4 |
ISO27001-2013_A.11.1.4 |
ISO 27001:2013 A.11.1.4 |
Physical And Environmental Security |
Protecting against external and environmental threats |
Shared |
n/a |
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
link |
9 |
| ISO27001-2013 |
A.12.3.1 |
ISO27001-2013_A.12.3.1 |
ISO 27001:2013 A.12.3.1 |
Operations Security |
Information backup |
Shared |
n/a |
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. |
link |
13 |
| ISO27001-2013 |
A.17.1.2 |
ISO27001-2013_A.17.1.2 |
ISO 27001:2013 A.17.1.2 |
Information Security Aspects Of Business Continuity Management |
Implementing information security continuity |
Shared |
n/a |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
link |
18 |
| ISO27001-2013 |
A.17.2.1 |
ISO27001-2013_A.17.2.1 |
ISO 27001:2013 A.17.2.1 |
Information Security Aspects Of Business Continuity Management |
Availability of information processing facilities |
Shared |
n/a |
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
link |
17 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.eq.4 Other devices connected to the network |
mp.eq.4 Other devices connected to the network |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
mp.if.1 Separate areas with access control |
mp.if.1 Separate areas with access control |
404 not found |
|
|
|
n/a |
n/a |
|
23 |
|
mp.if.3 Fitting-out of premises |
mp.if.3 Fitting-out of premises |
404 not found |
|
|
|
n/a |
n/a |
|
18 |
|
mp.if.5 Fire protection |
mp.if.5 Fire protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
|
mp.if.6 Flood protection |
mp.if.6 Flood protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
404 not found |
|
|
|
n/a |
n/a |
|
32 |
| NIST_SP_800-53_R4 |
CP-6(1) |
NIST_SP_800-53_R4_CP-6(1) |
NIST SP 800-53 Rev. 4 CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| NIST_SP_800-53_R5 |
CP-6(1) |
NIST_SP_800-53_R5_CP-6(1) |
NIST SP 800-53 Rev. 5 CP-6 (1) |
Contingency Planning |
Separation from Primary Site |
Shared |
n/a |
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. |
link |
6 |
| SWIFT_CSCF_v2022 |
9.2 |
SWIFT_CSCF_v2022_9.2 |
SWIFT CSCF v2022 9.2 |
9. Ensure Availability through Resilience |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
Shared |
n/a |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
link |
13 |