The following compliance controls are associated with this Policy definition 'Review and update contingency planning policies and procedures' (e9c60c37-65b0-2d72-6c3c-af66036203ae):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CP-1 | FedRAMP_High_R4_CP-1 | FedRAMP High CP-1 | Contingency Planning | Contingency Planning Policy And Procedures | Shared | n/a | The organization:<br>a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:<br>1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and<br>2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and<br>b. Reviews and updates the current:<br>1. Contingency planning policy [Assignment: organization-defined frequency]; and<br>2. Contingency planning procedures [Assignment: organization-defined frequency].<br>Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.<br>Control Enhancements: None.<br>References: Federal Continuity Directive 1; NIST Special Publications 800-12, 800-34, 800-100. | link | 1 |
| FedRAMP_Moderate_R4 | CP-1 | FedRAMP_Moderate_R4_CP-1 | FedRAMP Moderate CP-1 | Contingency Planning | Contingency Planning Policy And Procedures | Shared | n/a | The organization:<br>a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:<br>1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and<br>2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and<br>b. Reviews and updates the current:<br>1. Contingency planning policy [Assignment: organization-defined frequency]; and<br>2. Contingency planning procedures [Assignment: organization-defined frequency].<br>Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.<br>Control Enhancements: None.<br>References: Federal Continuity Directive 1; NIST Special Publications 800-12, 800-34, 800-100. | link | 1 |
| hipaa | 0115.04b2Organizational.123-04.b | hipaa-0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b | 01 Information Protection Program | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Shared | n/a | The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; and such reviews, updates, and approvals occur no less than annually. | | 20 |
| hipaa | 1603.12c1Organizational.9-12.c | hipaa-1603.12c1Organizational.9-12.c | 1603.12c1Organizational.9-12.c | 16 Business Continuity & Disaster Recovery | 1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | Copies of the business continuity plans are distributed to key contingency personnel. | | 5 |
| hipaa | 1607.12c2Organizational.4-12.c | hipaa-1607.12c2Organizational.4-12.c | 1607.12c2Organizational.4-12.c | 16 Business Continuity & Disaster Recovery | 1607.12c2Organizational.4-12.c 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | Business continuity planning includes identification and agreement on all responsibilities, business continuity processes, and the acceptable loss of information and services. | | 2 |
| hipaa | 1668.12d1Organizational.67-12.d | hipaa-1668.12d1Organizational.67-12.d | 1668.12d1Organizational.67-12.d | 16 Business Continuity & Disaster Recovery | 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | Emergency procedures, manual "fallback" procedures, and resumption plans are the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers. | | 4 |
| hipaa | 1672.12d2Organizational.3-12.d | hipaa-1672.12d2Organizational.3-12.d | 1672.12d2Organizational.3-12.d | 16 Business Continuity & Disaster Recovery | 1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | The business continuity planning framework addresses the specific, minimal set of information security requirements as well as (i) temporary operational procedures to follow pending completion of recovery and restoration, and (ii) the responsibilities of the individuals, describing who is responsible for executing which component of the plan (alternatives are nominated as required). | | 5 |
| ISO27001-2013 | A.11.1.5 | ISO27001-2013_A.11.1.5 | ISO 27001:2013 A.11.1.5 | Physical And Environmental Security | Working in secure areas | Shared | n/a | Procedures for working in secure areas shall be designed and applied. | link | 3 |
| ISO27001-2013 | A.12.1.1 | ISO27001-2013_A.12.1.1 | ISO 27001:2013 A.12.1.1 | Operations Security | Documented operating procedures | Shared | n/a | Operating procedures shall be documented and made available to all users who need them. | link | 31 |
| ISO27001-2013 | A.17.1.1 | ISO27001-2013_A.17.1.1 | ISO 27001:2013 A.17.1.1 | Information Security Aspects Of Business Continuity Management | Planning information security continuity | Shared | n/a | The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | link | 11 |
| ISO27001-2013 | A.18.1.1 | ISO27001-2013_A.18.1.1 | ISO 27001:2013 A.18.1.1 | Compliance | Identification of applicable legislation and contractual requirements | Shared | n/a | All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. | link | 30 |
| ISO27001-2013 | A.18.2.2 | ISO27001-2013_A.18.2.2 | ISO 27001:2013 A.18.2.2 | Compliance | Compliance with security policies and standards | Shared | n/a | Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | link | 36 |
| ISO27001-2013 | A.5.1.1 | ISO27001-2013_A.5.1.1 | ISO 27001:2013 A.5.1.1 | Information Security Policies | Policies for information security | Shared | n/a | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | link | 42 |
| ISO27001-2013 | A.5.1.2 | ISO27001-2013_A.5.1.2 | ISO 27001:2013 A.5.1.2 | Information Security Policies | Review of the policies for information security | Shared | n/a | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. | link | 29 |
| ISO27001-2013 | A.6.1.1 | ISO27001-2013_A.6.1.1 | ISO 27001:2013 A.6.1.1 | Organization of Information Security | Information security roles and responsibilities | Shared | n/a | All information security responsibilities shall be clearly defined and allocated. | link | 73 |
| ISO27001-2013 | C.5.1.b | ISO27001-2013_C.5.1.b | ISO 27001:2013 C.5.1.b | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by:<br>b) ensuring the integration of the information security management system requirements into the organization’s processes. | link | 28 |
| ISO27001-2013 | C.5.2.c | ISO27001-2013_C.5.2.c | ISO 27001:2013 C.5.2.c | Leadership | Policy | Shared | n/a | Top management shall establish an information security policy that:<br>c) includes a commitment to satisfy applicable requirements related to information security. | link | 23 |
| ISO27001-2013 | C.5.2.d | ISO27001-2013_C.5.2.d | ISO 27001:2013 C.5.2.d | Leadership | Policy | Shared | n/a | Top management shall establish an information security policy that:<br>d) includes a commitment to continual improvement of the information security management system. | link | 23 |
| | mp.if.1 Separate areas with access control | mp.if.1 Separate areas with access control | | | | | n/a | n/a | | 23 |
| | mp.if.2 Identification of persons | mp.if.2 Identification of persons | | | | | n/a | n/a | | 13 |
| | mp.if.3 Fitting-out of premises | mp.if.3 Fitting-out of premises | | | | | n/a | n/a | | 18 |
| | mp.if.5 Fire protection | mp.if.5 Fire protection | | | | | n/a | n/a | | 16 |
| | mp.if.6 Flood protection | mp.if.6 Flood protection | | | | | n/a | n/a | | 16 |
| | mp.if.7 Recording of entries and exits of equipment | mp.if.7 Recording of entries and exits of equipment | | | | | n/a | n/a | | 12 |
| | mp.info.1 Personal data | mp.info.1 Personal data | | | | | n/a | n/a | | 33 |
| | mp.info.6 Backups | mp.info.6 Backups | | | | | n/a | n/a | | 65 |
| | mp.s.2 Protection of web services and applications | mp.s.2 Protection of web services and applications | | | | | n/a | n/a | | 102 |
| NIST_SP_800-53_R4 | CP-1 | NIST_SP_800-53_R4_CP-1 | NIST SP 800-53 Rev. 4 CP-1 | Contingency Planning | Contingency Planning Policy And Procedures | Shared | n/a | The organization:<br>a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:<br>1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and<br>2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and<br>b. Reviews and updates the current:<br>1. Contingency planning policy [Assignment: organization-defined frequency]; and<br>2. Contingency planning procedures [Assignment: organization-defined frequency].<br>Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.<br>Control Enhancements: None.<br>References: Federal Continuity Directive 1; NIST Special Publications 800-12, 800-34, 800-100. | link | 1 |
| NIST_SP_800-53_R5 | CP-1 | NIST_SP_800-53_R5_CP-1 | NIST SP 800-53 Rev. 5 CP-1 | Contingency Planning | Policy and Procedures | Shared | n/a | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:<br>1. [Selection (OneOrMore): Organization-level; Mission/business process-level; System-level] contingency planning policy that:<br>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and<br>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and<br>2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;<br>b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and<br>c. Review and update the current contingency planning:<br>1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and<br>2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | link | 1 |
| | op.cont.1 Impact analysis | op.cont.1 Impact analysis | | | | | n/a | n/a | | 68 |
| | op.cont.2 Continuity plan | op.cont.2 Continuity plan | | | | | n/a | n/a | | 68 |
| | op.cont.3 Periodic tests | op.cont.3 Periodic tests | | | | | n/a | n/a | | 91 |
| | op.cont.4 Alternative means | op.cont.4 Alternative means | | | | | n/a | n/a | | 95 |
| | org.1 Security policy | org.1 Security policy | | | | | n/a | n/a | | 94 |
| | org.2 Security regulations | org.2 Security regulations | | | | | n/a | n/a | | 100 |
| | org.3 Security procedures | org.3 Security procedures | | | | | n/a | n/a | | 83 |