CP-7 - Alternate Processing Site

Control requirements

The organization:

CP-7 (a)
Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [IBM Assignment: customer applications must failover production workload to an alternate site for a period of five (5) consecutive days] for essential missions/business functions within [IBM Assignment: customer defined RTO/RPO for application] when the primary processing capabilities are unavailable;
CP-7 (b)
Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
CP-7 (c)
Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

Additional IBM Cloud for Financial Services specifications

  • Where failover is used, applications must fail over to an alternate site and maintain production workload there for a period of five (5) consecutive days.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

IBM Cloud for Financial Services profile

The following rules related to this control are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

Rules for CP-7 in IBM Cloud for Financial Services v1.2.0 profile
Requirement ID Rules
CP-7 (a)
  • Check whether Hyper Protect Crypto Services instance has at least # crypto units
  • Check whether each Application Load Balancer for VPC is configured to use at least # zones
  • Check whether an OpenShift cluster has worker nodes across multiple zones
  • Check that any Cloud Object Storage buckets used by Activity Tracker Event Routing are configured as cross-region
  • Check that Hyper Protect Crypto Services has failover units in at least 2 different regions that are Financial Services Validated
  • Check whether there are at least # instances of Direct Link in an account
  • Check whether OpenShift version is up-to-date
  • Check whether each Virtual Private Cloud is configured to use at least # zones
CP-7 (b)
  • Check whether each Application Load Balancer for VPC is configured to use at least # zones
  • Check whether an OpenShift cluster has worker nodes across multiple zones
  • Check that any Cloud Object Storage buckets used by Activity Tracker Event Routing are configured as cross-region
  • Check that Hyper Protect Crypto Services has failover units in at least 2 different regions that are Financial Services Validated
  • Check whether each Virtual Private Cloud is configured to use at least # zones
CP-7 (c)
  • Check whether Hyper Protect Crypto Services instance has at least # crypto units
  • Check whether each Application Load Balancer for VPC is configured to use at least # zones
  • Check whether an OpenShift cluster has worker nodes across multiple zones
  • Check that any Cloud Object Storage buckets used by Activity Tracker Event Routing are configured as cross-region
  • Check that Hyper Protect Crypto Services has failover units in at least 2 different regions that are Financial Services Validated
  • Check whether each Virtual Private Cloud is configured to use at least # zones

NIST supplemental guidance

Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.