NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls
CONTINGENCY PLANNING
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
FAMILY: CONTINGENCY PLANNING

CLASS: OPERATIONAL

Security Control Baseline:

| Control No. | Control Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CP-1 | Contingency Planning Policy and Procedures | P1 | CP-1 | CP-1 | CP-1 |

ASSESSMENT PROCEDURE

CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES

CP-1.1
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].

CP-1.2
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of contingency planning policy reviews/updates;
- (ii) the organization reviews/updates contingency planning policy in accordance with organization-defined frequency;
- (iii) the organization defines the frequency of contingency planning procedure reviews/updates; and
- (iv) the organization reviews/updates contingency planning procedures in accordance with organization-defined frequency.

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].

CP-2 CONTINGENCY PLAN
FAMILY: CONTINGENCY PLANNING

CLASS: OPERATIONAL

Security Control Baseline:

| Control No. | Control Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CP-2 | Contingency Plan | P1 | CP-2 | CP-2 (1) | CP-2 (1) (2) (3) |

ASSESSMENT PROCEDURE

CP-2 CONTINGENCY PLAN

CP-2.1
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops a contingency plan for the information system that:
  - identifies essential missions and business functions and associated contingency requirements;
  - provides recovery objectives, restoration priorities, and metrics;
  - addresses contingency roles, responsibilities, assigned individuals with contact information;
  - addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
  - addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
  - is reviewed and approved by designated officials within the organization;
- (ii) the organization defines key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan; and
- (iii) the organization distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements.

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

CP-2.2
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization coordinates contingency planning activities with incident handling activities;
- (ii) the organization defines the frequency of contingency plan reviews;
- (iii) the organization reviews the contingency plan for the information system in accordance with the organization-defined frequency;
- (iv) the organization revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution or testing; and
- (v) the organization communicates contingency plan changes to the key contingency personnel and organizational elements as identified in CP-2.1 (ii).

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities].

CP-3 CONTINGENCY TRAINING
FAMILY: CONTINGENCY PLANNING

CLASS: OPERATIONAL

Security Control Baseline:

| Control No. | Control Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CP-3 | Contingency Training | P2 | CP-3 | CP-3 | CP-3 (1) |

ASSESSMENT PROCEDURE

CP-3 CONTINGENCY TRAINING

CP-3.1
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides initial contingency training to personnel with contingency roles and responsibilities with respect to the information system;
- (ii) the organization defines the frequency of refresher contingency training; and
- (iii) the organization provides refresher training in accordance with organization-defined frequency.

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].

CP-4 CONTINGENCY PLAN TESTING AND EXERCISES
FAMILY: CONTINGENCY PLANNING

CLASS: OPERATIONAL

Security Control Baseline:

| Control No. | Control Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CP-4 | Contingency Plan Testing and Exercises | P2 | CP-4 | CP-4 (1) | CP-4 (1) (2) (4) |

ASSESSMENT PROCEDURE

CP-4 CONTINGENCY PLAN TESTING AND EXERCISES

CP-4.1
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the contingency plan tests and/or exercises to be conducted;
- (ii) the organization defines the frequency of contingency plan tests and/or exercises;
- (iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with organization-defined frequency; and
- (iv) the organization reviews the contingency plan test/exercise results and takes corrective actions.

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing or responding to contingency plan tests/exercises].

CP-9 INFORMATION SYSTEM BACKUP
FAMILY: CONTINGENCY PLANNING

CLASS: OPERATIONAL

Security Control Baseline:

| Control No. | Control Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CP-9 | Information System Backup | P1 | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) |

ASSESSMENT PROCEDURE

CP-9 INFORMATION SYSTEM BACKUP

CP-9.1
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives;
- (ii) the organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives;
- (iii) the organization defines the frequency of conducting information system documentation backups (including security-related information) to support recovery time objectives and recovery point objectives;
- (iv) the organization backs up user-level information in accordance with the organization-defined frequency;
- (v) the organization backs up system-level information in accordance with the organization-defined frequency; and
- (vi) the organization backs up information system documentation in accordance with the organization-defined frequency.

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); information system backup logs or records; other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].

CP-9.2
ASSESSMENT OBJECTIVE:
Determine if the organization protects the confidentiality and integrity of backup information at the storage location.

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system design documentation; information system configuration settings and associated documentation; backup storage location(s); other relevant documents or records].
  - Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
FAMILY: CONTINGENCY PLANNING

CLASS: OPERATIONAL

Security Control Baseline:

| Control No. | Control Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CP-10 | Information System Recovery and Reconstitution | P1 | CP-10 | CP-10 (2) (3) | CP-10 (2) (3) (4) |

ASSESSMENT PROCEDURE

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

CP-10.1
ASSESSMENT OBJECTIVE:
Determine if the organization provides automated mechanisms and/or manual procedures for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  - Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system configuration settings and associated documentation; information system design documentation; other relevant documents or records].
  - Test: [SELECT FROM: Automated mechanisms and/or manual procedures for implementing information system recovery and reconstitution operations].