The following compliance controls are associated with this Policy definition: 'Separately store backup information' (fc26e2fd-3149-74b4-5988-d64bb90f8ef7).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FedRAMP_High_R4 | CP-9(3) | FedRAMP_High_R4_CP-9(3) | FedRAMP High CP-9 (3) | Contingency Planning | Separate Storage For Critical Information | Shared | n/a | The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. | link | 1 |
| FedRAMP_Moderate_R4 | CP-9(3) | FedRAMP_Moderate_R4_CP-9(3) | FedRAMP Moderate CP-9 (3) | Contingency Planning | Separate Storage For Critical Information | Shared | n/a | The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. | link | 1 |
| hipaa | 0824.09m3Organizational.1-09.m | hipaa-0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m | 08 Network Protection | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Shared | n/a | The impact of the loss of network service to the business is defined. | | 10 |
| hipaa | 0860.09m1Organizational.9-09.m | hipaa-0860.09m1Organizational.9-09.m | 0860.09m1Organizational.9-09.m | 08 Network Protection | 0860.09m1Organizational.9-09.m 09.06 Network Security Management | Shared | n/a | The organization formally manages equipment on the network, including equipment in user areas. | | 5 |
| hipaa | 1608.12c2Organizational.5-12.c | hipaa-1608.12c2Organizational.5-12.c | 1608.12c2Organizational.5-12.c | 16 Business Continuity & Disaster Recovery | 1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | Business continuity plans are stored in a remote location. | | 3 |
| hipaa | 1618.09l1Organizational.45-09.l | hipaa-1618.09l1Organizational.45-09.l | 1618.09l1Organizational.45-09.l | 16 Business Continuity & Disaster Recovery | 1618.09l1Organizational.45-09.l 09.05 Information Back-Up | Shared | n/a | The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. | | 7 |
| hipaa | 1620.09l1Organizational.8-09.l | hipaa-1620.09l1Organizational.8-09.l | 1620.09l1Organizational.8-09.l | 16 Business Continuity & Disaster Recovery | 1620.09l1Organizational.8-09.l 09.05 Information Back-Up | Shared | n/a | When the backup service is delivered by a third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. | | 5 |
| hipaa | 1622.09l2Organizational.23-09.l | hipaa-1622.09l2Organizational.23-09.l | 1622.09l2Organizational.23-09.l | 16 Business Continuity & Disaster Recovery | 1622.09l2Organizational.23-09.l 09.05 Information Back-Up | Shared | n/a | The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster. | | 4 |
| hipaa | 1627.09l3Organizational.6-09.l | hipaa-1627.09l3Organizational.6-09.l | 1627.09l3Organizational.6-09.l | 16 Business Continuity & Disaster Recovery | 1627.09l3Organizational.6-09.l 09.05 Information Back-Up | Shared | n/a | The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter. | | 2 |
| ISO27001-2013 | A.12.3.1 | ISO27001-2013_A.12.3.1 | ISO 27001:2013 A.12.3.1 | Operations Security | Information backup | Shared | n/a | Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. | link | 13 |
| | mp.info.6 Backups | mp.info.6 Backups | | | | | n/a | n/a | | 65 |
| | mp.si.2 Cryptography | mp.si.2 Cryptography | | | | | n/a | n/a | | 32 |
| NIST_SP_800-53_R4 | CP-9(3) | NIST_SP_800-53_R4_CP-9(3) | NIST SP 800-53 Rev. 4 CP-9 (3) | Contingency Planning | Separate Storage For Critical Information | Shared | n/a | The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. | link | 1 |
| NIST_SP_800-53_R5 | CP-9(3) | NIST_SP_800-53_R5_CP-9(3) | NIST SP 800-53 Rev. 5 CP-9 (3) | Contingency Planning | Separate Storage for Critical Information | Shared | n/a | Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. | link | 1 |
| | op.cont.3 Periodic tests | op.cont.3 Periodic tests | | | | | n/a | n/a | | 91 |
| | op.cont.4 Alternative means | op.cont.4 Alternative means | | | | | n/a | n/a | | 95 |
| | op.exp.3 Security configuration management | op.exp.3 Security configuration management | | | | | n/a | n/a | | 123 |
| SOC_2 | A1.2 | SOC_2_A1.2 | SOC 2 Type 2 A1.2 | Additional Criteria For Availability | Environmental protections, software, data back-up processes, and recovery infrastructure | Shared | The customer is responsible for implementing this recommendation. | • Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. | | 13 |
| SOC_2 | PI1.5 | SOC_2_PI1.5 | SOC 2 Type 2 PI1.5 | Additional Criteria For Processing Integrity | Store inputs and outputs completely, accurately, and timely | Shared | The customer is responsible for implementing this recommendation. | • Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner. | | 10 |
| SWIFT_CSCF_v2022 | 9.2 | SWIFT_CSCF_v2022_9.2 | SWIFT CSCF v2022 9.2 | 9. Ensure Availability through Resilience | Providers must ensure that the service remains available for customers in the event of a site disaster. | Shared | n/a | Providers must ensure that the service remains available for customers in the event of a site disaster. | link | 13 |
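Several of the controls above (HIPAA 1622 and 1627, ISO 27001 A.12.3.1, SOC 2 A1.2 "Performs Data Backup") require that backup copies be tested for integrity after each backup, and CP-9(3) requires that the copy live apart from the operational system. The following is an added example of one concrete way to meet the integrity-testing part of those controls; it is not code from Azure Policy or from any of the frameworks listed. It builds a SHA-256 manifest of a backup set at backup time, verifies an offsite copy against that manifest, and reports every missing, altered or unexpected file. The directory layout, file names and contents are constructed for the demo; `demo()` and the helper names are this example's own.

```python
"""Backup integrity manifest: hash every file in a backup set, verify an
offsite copy against the manifest, and report every discrepancy.
Added example, not Azure Policy code. Sample files are constructed below."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large backups never sit in RAM


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return entries


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical manifest JSON. Keep this value (or the whole
    manifest) separate from the backup media, in the spirit of CP-9(3): a
    manifest stored beside the backup can be rewritten together with it."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_backup(root: Path, manifest: dict) -> list:
    """Return (relative_path, problem) tuples; an empty list means the copy
    matches the manifest exactly. Detects missing files, size or hash
    mismatches, and files present in the copy but absent from the manifest."""
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
            continue
        if p.stat().st_size != expected["size"]:
            problems.append((rel, "size mismatch"))
        elif sha256_file(p) != expected["sha256"]:
            problems.append((rel, "hash mismatch"))
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(present - manifest.keys()):
        problems.append((rel, "unexpected extra file"))
    return problems


def demo():
    """Build a constructed backup set, copy it 'offsite', verify it clean,
    then flip one byte in the copy and verify again.
    Returns (clean_problems, tampered_problems, manifest_digest_unchanged)."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"   # constructed stand-in for the live system
        offsite = Path(tmp) / "offsite"   # constructed stand-in for the separate facility
        (primary / "etc").mkdir(parents=True)
        (primary / "etc" / "sshd_config").write_bytes(b"PermitRootLogin no\n")
        (primary / "keys.db").write_bytes(os.urandom(4096))
        manifest = build_manifest(primary)
        digest_at_backup = manifest_digest(manifest)

        shutil.copytree(primary, offsite)
        clean = verify_backup(offsite, manifest)

        # Simulate silent media corruption or tampering: one byte flipped,
        # file size unchanged, so only the hash catches it.
        target = offsite / "keys.db"
        data = bytearray(target.read_bytes())
        data[100] ^= 0xFF
        target.write_bytes(bytes(data))
        tampered = verify_backup(offsite, manifest)

        return clean, tampered, manifest_digest(manifest) == digest_at_backup


if __name__ == "__main__":
    clean, tampered, same = demo()
    print("clean copy problems:", clean)
    print("after corruption:", tampered)
```

Run the verification on the restore side, against a manifest fetched from the separate location rather than from the backup media itself; a verifier that trusts a manifest shipped with the backup proves only that the two were altered consistently. Size is compared before hashing so a truncated file is reported without reading it in full.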