compliance controls are associated with this Policy definition 'Establish an alternate processing site' (af5ff768-a34b-720e-1224-e6b3214f3ba6)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CP-7 |
FedRAMP_High_R4_CP-7 |
FedRAMP High CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.
References: NIST Special Publication 800-34. |
link |
2 |
| FedRAMP_High_R4 |
CP-7(1) |
FedRAMP_High_R4_CP-7(1) |
FedRAMP High CP-7 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
1 |
| FedRAMP_High_R4 |
CP-7(2) |
FedRAMP_High_R4_CP-7(2) |
FedRAMP High CP-7 (2) |
Contingency Planning |
Accessibility |
Shared |
n/a |
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
Supplemental Guidance: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. |
link |
1 |
| FedRAMP_High_R4 |
CP-7(3) |
FedRAMP_High_R4_CP-7(3) |
FedRAMP High CP-7 (3) |
Contingency Planning |
Priority Of Service |
Shared |
n/a |
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
Supplemental Guidance: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. |
link |
2 |
| FedRAMP_Moderate_R4 |
CP-7 |
FedRAMP_Moderate_R4_CP-7 |
FedRAMP Moderate CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.
References: NIST Special Publication 800-34. |
link |
2 |
| FedRAMP_Moderate_R4 |
CP-7(1) |
FedRAMP_Moderate_R4_CP-7(1) |
FedRAMP Moderate CP-7 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
1 |
| FedRAMP_Moderate_R4 |
CP-7(2) |
FedRAMP_Moderate_R4_CP-7(2) |
FedRAMP Moderate CP-7 (2) |
Contingency Planning |
Accessibility |
Shared |
n/a |
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
Supplemental Guidance: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. |
link |
1 |
| FedRAMP_Moderate_R4 |
CP-7(3) |
FedRAMP_Moderate_R4_CP-7(3) |
FedRAMP Moderate CP-7 (3) |
Contingency Planning |
Priority Of Service |
Shared |
n/a |
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
Supplemental Guidance: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. |
link |
2 |
| hipaa |
0824.09m3Organizational.1-09.m |
hipaa-0824.09m3Organizational.1-09.m |
0824.09m3Organizational.1-09.m |
08 Network Protection |
0824.09m3Organizational.1-09.m 09.06 Network Security Management |
Shared |
n/a |
The impact of the loss of network service to the business is defined. |
|
10 |
| hipaa |
0860.09m1Organizational.9-09.m |
hipaa-0860.09m1Organizational.9-09.m |
0860.09m1Organizational.9-09.m |
08 Network Protection |
0860.09m1Organizational.9-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization formally manages equipment on the network, including equipment in user areas. |
|
5 |
| hipaa |
1464.09e2Organizational.5-09.e |
hipaa-1464.09e2Organizational.5-09.e |
1464.09e2Organizational.5-09.e |
14 Third Party Assurance |
1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization restricts the location of facilities that process, transmit or store covered information (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual and other security and privacy-related obligations. |
|
5 |
| hipaa |
1604.12c2Organizational.16789-12.c |
hipaa-1604.12c2Organizational.16789-12.c |
1604.12c2Organizational.16789-12.c |
16 Business Continuity & Disaster Recovery |
1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Alternative storage and processing sites are identified (permanent and/or temporary) at a sufficient distance from the primary facility and configured with security measures equivalent to the primary site, and the necessary third-party service agreements have been established to allow for the resumption of information systems operations of critical business functions within the time period defined (e.g., priority of service provisions) based on a risk assessment, including Recovery Time Objectives (RTO), in accordance with the organization's availability requirements. |
|
6 |
| hipaa |
1668.12d1Organizational.67-12.d |
hipaa-1668.12d1Organizational.67-12.d |
1668.12d1Organizational.67-12.d |
16 Business Continuity & Disaster Recovery |
1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Emergency procedures, manual "fallback" procedures, and resumption plans are the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers. |
|
4 |
| ISO27001-2013 |
A.11.1.4 |
ISO27001-2013_A.11.1.4 |
ISO 27001:2013 A.11.1.4 |
Physical And Environmental Security |
Protecting against external and environmental threats |
Shared |
n/a |
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
link |
9 |
| ISO27001-2013 |
A.12.3.1 |
ISO27001-2013_A.12.3.1 |
ISO 27001:2013 A.12.3.1 |
Operations Security |
Information backup |
Shared |
n/a |
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. |
link |
13 |
| ISO27001-2013 |
A.17.1.2 |
ISO27001-2013_A.17.1.2 |
ISO 27001:2013 A.17.1.2 |
Information Security Aspects Of Business Continuity Management |
Implementing information security continuity |
Shared |
n/a |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
link |
18 |
| ISO27001-2013 |
A.17.2.1 |
ISO27001-2013_A.17.2.1 |
ISO 27001:2013 A.17.2.1 |
Information Security Aspects Of Business Continuity Management |
Availability of information processing facilities |
Shared |
n/a |
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
link |
17 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.eq.4 Other devices connected to the network |
mp.eq.4 Other devices connected to the network |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
mp.if.1 Separate areas with access control |
mp.if.1 Separate areas with access control |
404 not found |
|
|
|
n/a |
n/a |
|
23 |
|
mp.if.3 Fitting-out of premises |
mp.if.3 Fitting-out of premises |
404 not found |
|
|
|
n/a |
n/a |
|
18 |
|
mp.if.5 Fire protection |
mp.if.5 Fire protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
|
mp.if.6 Flood protection |
mp.if.6 Flood protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
404 not found |
|
|
|
n/a |
n/a |
|
32 |
| NIST_SP_800-53_R4 |
CP-7 |
NIST_SP_800-53_R4_CP-7 |
NIST SP 800-53 Rev. 4 CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.
References: NIST Special Publication 800-34. |
link |
2 |
| NIST_SP_800-53_R4 |
CP-7(1) |
NIST_SP_800-53_R4_CP-7(1) |
NIST SP 800-53 Rev. 4 CP-7 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
1 |
| NIST_SP_800-53_R4 |
CP-7(2) |
NIST_SP_800-53_R4_CP-7(2) |
NIST SP 800-53 Rev. 4 CP-7 (2) |
Contingency Planning |
Accessibility |
Shared |
n/a |
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
Supplemental Guidance: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. |
link |
1 |
| NIST_SP_800-53_R4 |
CP-7(3) |
NIST_SP_800-53_R4_CP-7(3) |
NIST SP 800-53 Rev. 4 CP-7 (3) |
Contingency Planning |
Priority Of Service |
Shared |
n/a |
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
Supplemental Guidance: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. |
link |
2 |
| NIST_SP_800-53_R5 |
CP-7 |
NIST_SP_800-53_R5_CP-7 |
NIST SP 800-53 Rev. 5 CP-7 |
Contingency Planning |
Alternate Processing Site |
Shared |
n/a |
a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
c. Provide controls at the alternate processing site that are equivalent to those at the primary site. |
link |
2 |
| NIST_SP_800-53_R5 |
CP-7(1) |
NIST_SP_800-53_R5_CP-7(1) |
NIST SP 800-53 Rev. 5 CP-7 (1) |
Contingency Planning |
Separation from Primary Site |
Shared |
n/a |
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. |
link |
1 |
| NIST_SP_800-53_R5 |
CP-7(2) |
NIST_SP_800-53_R5_CP-7(2) |
NIST SP 800-53 Rev. 5 CP-7 (2) |
Contingency Planning |
Accessibility |
Shared |
n/a |
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. |
link |
1 |
| NIST_SP_800-53_R5 |
CP-7(3) |
NIST_SP_800-53_R5_CP-7(3) |
NIST SP 800-53 Rev. 5 CP-7 (3) |
Contingency Planning |
Priority of Service |
Shared |
n/a |
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). |
link |
2 |
| SOC_2 |
A1.2 |
SOC_2_A1.2 |
SOC 2 Type 2 A1.2 |
Additional Criteria For Availability |
Environmental protections, software, data back-up processes, and recovery infrastructure |
Shared |
The customer is responsible for implementing this recommendation. |
Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the
system, including threats resulting from adverse weather, failure of environmental
control systems, electrical discharge, fire, and water.
• Designs Detection Measures — Detection measures are implemented to identify
anomalies that could result from environmental threat events.
• Implements and Maintains Environmental Protection Mechanisms — Management
implements and maintains environmental protection mechanisms to prevent and
mitigate environmental events.
• Implements Alerts to Analyze Anomalies — Management implements alerts that are
communicated to personnel for analysis to identify environmental threat events.
• Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems
(for example, uninterruptable power system and generator backup subsystem).
• Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary.
• Determines Data Requiring Backup — Data is evaluated to determine whether
backup is required.
• Performs Data Backup — Procedures are in place for backing up data, monitoring
to detect backup failures, and initiating corrective action when such failures occur.
• Addresses Offsite Storage — Backup data is stored in a location at a distance from
its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
• Implements Alternate Processing Infrastructure — Measures are implemented for
migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. |
|
13 |
| SWIFT_CSCF_v2022 |
9.2 |
SWIFT_CSCF_v2022_9.2 |
SWIFT CSCF v2022 9.2 |
9. Ensure Availability through Resilience |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
Shared |
n/a |
Providers must ensure that the service remains available for customers in the event of a site disaster. |
link |
13 |