Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/CP

From FISMApedia
Revision as of 01:42, 18 May 2010 by DanPhilpott (talk) (Created page with '{| align="right" | __TOC__ |} <font size="6">SP 800-53Ar1 FPD Assessment Procedure Catalog, with SP 800-53r3 Security Controls</font> == CONTINGENCY PLANNING == === CP-1 ===…')
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

SP 800-53Ar1 FPD Assessment Procedure Catalog, with SP 800-53r3 Security Controls


CONTINGENCY PLANNING

CP-1


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-1


ASSESSMENT PROCEDURE
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents contingency planning policy;
(ii) the organization contingency planning policy addresses:
(iii) the organization disseminates formal documented contingency planning policy to elements within the organization having associated contingency planning roles and responsibilities;
(iv) the organization develops and formally documents contingency planning procedures;
(v) the organization contingency planning procedures facilitate implementation of the contingency planning policy and associated contingency planning controls; and
(vi) the organization disseminates formal documented contingency planning procedures to elements within the organization having associated contingency planning roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].
CP-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of contingency planning policy reviews/updates;
(ii) the organization reviews/updates contingency planning policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of contingency planning procedure reviews/updates; and
(iv) the organization reviews/updates contingency planning procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].


CP-2


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2


ASSESSMENT PROCEDURE
CP-2 CONTINGENCY PLAN
CP-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a contingency plan for the information system that:
  • identifies essential missions and business functions and associated contingency requirements;
  • provides recovery objectives, restoration priorities, and metrics;
  • addresses contingency roles, responsibilities, assigned individuals with contact information;
  • addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; and
  • addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
  • is reviewed and approved by designated officials within the organization;
(ii) the organization defines key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan; and
(iii) the organization distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].
CP-2.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization coordinates contingency planning activities with incident handling activities:
(ii) the organization defines the frequency of contingency plan reviews;
(iii) the organization reviews the contingency plan for the information system in accordance with the organization-defined frequency;
(iv) the organization revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution or testing; and
(v) the organization communicates contingency plan changes to the key contingency personnel and organizational elements as identified in CP-2.1 (ii).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2/1


CP-2(1) CONTINGENCY PLAN
CP-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization coordinates the contingency plan development with other organizational elements responsible for related plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; other related plans; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities and responsibilities in related plan areas].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2/2


CP-2(2) CONTINGENCY PLAN
CP-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; capacity planning documents; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2/3


CP-2(3) CONTINGENCY PLAN
CP-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for planning the resumption of essential missions and business functions as a result of contingency plan activation; and
(ii) the organization plans for the resumption of essential missions and business function within organization-defined time period of contingency plan activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other related plans; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2/4


CP-2(4) CONTINGENCY PLAN
CP-2(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for planning the full resumption of affected missions and business functions as a result of contingency plan activation; and
(ii) the organization plans for the full resumption of affected missions and business functions within organization-defined time period of contingency plan activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2/5


CP-2(5) CONTINGENCY PLAN
CP-2(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and
(ii) the organization sustains operational continuity until full information system restoration at primary processing and/or storage sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; business impact assessment; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2/6


CP-2(6) CONTINGENCY PLAN
CP-2(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides for the transfer of all essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity; and
(ii) the organization sustains operational continuity through restoration to primary processing and/or storage sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; alternate processing site agreements; alternate storage site agreements; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


CP-3


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-3


ASSESSMENT PROCEDURE
CP-3 CONTINGENCY TRAINING
CP-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides initial contingency training to personnel with contingency roles and responsibilities with respect to the information system;
(ii) the organization defines the frequency of refresher contingency training; and
(iii) the organization provides refresher training in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-3/1


CP-3(1) CONTINGENCY TRAINING
CP-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization incorporates simulated events into contingency training; and
(ii) the incorporation of simulated events into contingency training facilitates effective response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-3/2


CP-3(2) CONTINGENCY TRAINING
CP-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms that provide a more thorough and realistic contingency training environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; automated mechanisms supporting contingency training; contingency training curriculum; contingency training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].


CP-4


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-4


ASSESSMENT PROCEDURE
CP-4 CONTINGENCY PLAN TESTING AND EXERCISES
CP-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the contingency plan tests and/or exercises to be conducted;
(ii) the organization defines the frequency of contingency plan tests and/or exercises;
(iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with organization-defined frequency; and
(iv) the organization reviews the contingency plan test/exercise results and takes corrective actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan, procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing or responding to contingency plan tests/exercises].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-4/1


CP-4(1) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; organizational personnel with responsibilities for related plans].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-4/2


CP-4(2) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts contingency plan testing/exercises at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan, procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-4/3


CP-4(3) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; automated mechanisms supporting contingency plan testing/exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-4/4


CP-4(4) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities; organizational personnel with contingency plan testing and/or exercise responsibilities].



FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-5 CONTINGENCY PLAN UPDATE

[Withdrawn: Incorporated into CP-2].

CP-5.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-2].
CP-5.2 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-2].


CP-6


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-6


ASSESSMENT PROCEDURE
CP-6 ALTERNATE STORAGE SITE
CP-6.1 ASSESSMENT OBJECTIVE:
Determine if :
(i) the organization establishes an alternate storage site; and
(ii) the organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-6/1


CP-6(1) ALTERNATE STORAGE SITE
CP-6(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan identifies the primary storage site hazards; and
(ii) the alternate storage site is separated from the primary storage site so as not to be susceptible to the same hazards identified at the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-6/2


CP-6(2) ALTERNATE STORAGE SITE
CP-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; alternate storage site; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-6/3


CP-6(3) ALTERNATE STORAGE SITE
CP-6(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and
(ii) the organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; mitigation actions for accessibility problems to the alternate storage site; other relevant documents or records].



CP-7


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7


ASSESSMENT PROCEDURE
CP-7 ALTERNATE PROCESSING SITE
CP-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes an alternate processing site;
(ii) the organization defines the time period for achieving the recovery time objectives within which processing must be resumed at the alternate processing site;
(iii) the organization includes necessary alternate processing site agreements to permit the resumption of information system operations for essential missions and business functions within organization-defined time period; and
(iv) the equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; security plan; spare equipment and supplies at alternate processing site; equipment and supply contracts; service level agreements; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/1


CP-7(1) ALTERNATE PROCESSING SITE
CP-7(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan identifies the primary processing site hazards; and
(ii) the alternate processing site is separated from the primary processing site so as not to be susceptible to the same hazards identified at the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/2


CP-7(2) ALTERNATE PROCESSING SITE
CP-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and
(ii) the organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/3


CP-7(3) ALTERNATE PROCESSING SITE
CP-7(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/4


CP-7(4) ALTERNATE PROCESSING SITE
CP-7(4).1 ASSESSMENT OBJECTIVE:
Determine if the alternate processing site is configured so that it is ready to be used as the operational site to support essential missions and business functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; alternate processing site agreements; other relevant documents or records].
Test: [SELECT FROM: Information system at the alternate processing site].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/5


CP-7(5) ALTERNATE PROCESSING SITE
CP-7(5).1 ASSESSMENT OBJECTIVE:
Determine if the alternate processing site provides information security measures equivalent to that of the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].



CP-8


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8


ASSESSMENT PROCEDURE
CP-8 TELECOMMUNICATIONS SERVICES
CP-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes alternate telecommunications services to support the information system;
(ii) the organization defines in the time period within which resumption of information system operations must take place; and
(iii) the organization establishes necessary alternate telecommunications service agreements to permit the resumption of telecommunications services for essential missions and business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; security plan; primary and alternate telecommunications service agreements; list of essential missions and business functions; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8/1


CP-8(1) TELECOMMUNICATIONS SERVICES
CP-8(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements; and
(ii) the organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; Telecommunications Service Priority documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8/2


CP-8(2) TELECOMMUNICATIONS SERVICES
CP-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; telecommunications service providers].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8/3


CP-8(3) TELECOMMUNICATIONS SERVICES
CP-8(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies the primary provider's telecommunications service hazards; and
(ii) the alternate telecommunications service providers are separated from the primary telecommunications service providers so as not to be susceptible to the same hazards.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; alternate telecommunications service provider's site; primary telecommunications service provider's site; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; telecommunications service providers].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8/4


CP-8(4) TELECOMMUNICATIONS SERVICES
CP-8(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires primary and alternate telecommunications service providers to have contingency plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; telecommunications service providers].


CP-9


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9


ASSESSMENT PROCEDURE
CP-9 INFORMATION SYSTEM BACKUP
CP-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives;
(ii) the organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives;
(iii) the organization defines the frequency of conducting information system documentation backups (including security-related information) to support recovery time objectives and recovery point objectives;
(iv) the organization backs up user-level information in accordance with the organization-defined frequency;
(v) the organization backs up system-level information in accordance with the organization-defined frequency; and
(vi) the organization backs up information system documentation in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); information system backup logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].
CP-9.2 ASSESSMENT OBJECTIVE:
Determine if the organization protects the confidentiality and integrity of backup information at the storage location.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system design documentation; information system configuration settings and associated documentation; backup storage location(s); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9/1


CP-9(1) INFORMATION SYSTEM BACKUP
CP-9(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of information system backup testing; and
(ii) the organization conducts information system backup testing in accordance with organization-defined frequency to verify backup media reliability and information integrity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; information system backup test results; backup storage location(s); other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9/2


CP-9(2) INFORMATION SYSTEM BACKUP
CP-9(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system backup test results; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9/3


CP-9(3) INFORMATION SYSTEM BACKUP
CP-9(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization stores backup copies of operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; backup storage location(s); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information system backup responsibilities].


CP-9(4) INFORMATION SYSTEM BACKUP

[Withdrawn: Incorporated into CP-9].

CP-9(4).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-9].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-9].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9/5


CP-9(5) INFORMATION SYSTEM BACKUP
CP-9(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period and rate of transferring information system backup information to the alternate storage site to support recovery time objectives and recovery point objectives; and
(ii) the organization transfers information system backup information to the alternate storage site in accordance with the organization-defined frequency and transfer rate.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; information system backup test results; alternate site service agreements; backup storage location(s); other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9/6


CP-9(6) INFORMATION SYSTEM BACKUP
CP-9(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization maintains a redundant, secondary backup system that is not collocated with the primary backup system for the information system; and
(ii) the redundant, secondary backup system can be activated to accomplish information system backups without causing loss of information or disruption to the operation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system backup test results; contingency plan test results; contingency plan testing and/or exercise documentation; secondary backup storage location(s); redundant secondary system for information system backups; other relevant documents or records].



CP-10


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10


ASSESSMENT PROCEDURE
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10.1 ASSESSMENT OBJECTIVE:
Determine if the organization provides automated mechanisms and/or manual procedures for the recovery and reconstitution of the information system to known state after a disruption, compromise, or failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system configuration settings and associated documentation; information system design documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms and/or manual procedures for implementing information system recovery and reconstitution operations].


CP-10(1) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

[Withdrawn: Incorporated into CP-4(4)].

CP-10(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-4(4)].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-4(4)].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10/2


CP-10(2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system implements transaction recovery for systems that are transaction-based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system design documentation; information system configuration settings and associated documentation; contingency plan test results; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing transaction recovery capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10/3


CP-10(3) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state; and
(ii) the organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; contingency plan test procedures; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10/4


CP-10(4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time-periods within which information system components must be reimaged from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components; and
(ii) the organization provides the capability to reimage information system components, within organization-defined time-periods, from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10/5


CP-10(5) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines whether real-time or near-real-time failover capability will be provided for the information system;
(ii) the organization provides the real-time or near-real-time failover capability identified for the information system;
(iii) the organization defines the type of failover capability for the information system; and
(iv) the organization provides the organization-defined failover capability for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].
Test: [SELECT FROM: Failover capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10/6


CP-10(6) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization protects backup and restoration hardware, firmware, and software.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; location(s) of backup and restoration hardware, firmware, and software; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].


Source