The following compliance controls are associated with this Policy definition 'Initiate contingency plan testing corrective actions' (8bfdbaa6-6824-3fec-9b06-7961bf7389a6).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CP-4 | FedRAMP_High_R4_CP-4 | FedRAMP High CP-4 | Contingency Planning | Contingency Plan Testing | Shared | n/a | The organization:<br>a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;<br>b. Reviews the contingency plan test results; and<br>c. Initiates corrective actions, if needed.<br>Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.<br>References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84. | link | 3 |
| FedRAMP_Moderate_R4 | CP-4 | FedRAMP_Moderate_R4_CP-4 | FedRAMP Moderate CP-4 | Contingency Planning | Contingency Plan Testing | Shared | n/a | The organization:<br>a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;<br>b. Reviews the contingency plan test results; and<br>c. Initiates corrective actions, if needed.<br>Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.<br>References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84. | link | 3 |
| ISO27001-2013 | A.17.1.3 | ISO27001-2013_A.17.1.3 | ISO 27001:2013 A.17.1.3 | Information Security Aspects Of Business Continuity Management | Verify, review and evaluate information security continuity | Shared | n/a | The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | link | 3 |
| | mp.if.4 Electrical energy | mp.if.4 Electrical energy | 404 not found | | | | n/a | n/a | | 8 |
| NIST_SP_800-53_R4 | CP-4 | NIST_SP_800-53_R4_CP-4 | NIST SP 800-53 Rev. 4 CP-4 | Contingency Planning | Contingency Plan Testing | Shared | n/a | The organization:<br>a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;<br>b. Reviews the contingency plan test results; and<br>c. Initiates corrective actions, if needed.<br>Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.<br>References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84. | link | 3 |
| NIST_SP_800-53_R5 | CP-4 | NIST_SP_800-53_R5_CP-4 | NIST SP 800-53 Rev. 5 CP-4 | Contingency Planning | Contingency Plan Testing | Shared | n/a | a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].<br>b. Review the contingency plan test results; and<br>c. Initiate corrective actions, if needed. | link | 3 |
| | op.cont.1 Impact analysis | op.cont.1 Impact analysis | 404 not found | | | | n/a | n/a | | 68 |
| | op.cont.2 Continuity plan | op.cont.2 Continuity plan | 404 not found | | | | n/a | n/a | | 68 |
| | op.cont.3 Periodic tests | op.cont.3 Periodic tests | 404 not found | | | | n/a | n/a | | 91 |
| | op.cont.4 Alternative means | op.cont.4 Alternative means | 404 not found | | | | n/a | n/a | | 95 |
| SOC_2 | A1.3 | SOC_2_A1.3 | SOC 2 Type 2 A1.3 | Additional Criteria For Availability | Recovery plan testing | Shared | The customer is responsible for implementing this recommendation. | • Implements Business Continuity Plan Testing — Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.<br>• Tests Integrity and Completeness of Backup Data — The integrity and completeness of backup information is tested on a periodic basis. | | 4 |