CP-10 - Information System Recovery and Reconstitution

Control requirements

CP-10 - 0

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Additional IBM Cloud for Financial Services specifications

• Contingency plans must include procedures for validating successful recovery and reconstitution. Recovery and reconstitution activities include resuming operational capabilities at the original location.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Business continuity and disaster recovery overview
• Operational logging
• Operational monitoring

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

• Check whether Hyper Protect Crypto Services instance has at least # crypto units
• Check whether each Application Load Balancer for VPC is configured to use at least # zones
• Check whether Application Load Balancer for VPC is attached with an Auto Scale for VPC instance group provided with health check
• Check whether Application Load Balancer for VPC is configured with multiple members in the pool
• Check whether an OpenShift cluster has worker nodes across multiple zones
• Check whether Cloud Object Storage bucket resiliency is set to cross region
• Check that any Cloud Object Storage buckets used by Activity Tracker Event Routing are configured as cross-region
• Check that Hyper Protect Crypto Services has failover units in at least 2 different regions that are Financial Services Validated
• Check whether Application Load Balancer for VPC has health check configured when created
• Check whether Application Load Balancer for VPC listener is configured with default pool
• Check whether each Virtual Private Cloud is configured to use at least # zones

NIST supplemental guidance

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.