Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)

Maturity Level 2

Maturity Level 3

ID.BE-5.1

ID.BE-5.1: To support cyber resilience and secure the delivery of critical services, the necessary requirements are identified, documented and their implementation tested and approved.

Consider implementing resiliency mechanisms to support normal and adverse operational situations (e.g., failsafe, load balancing, hot swap).
Consider aspects of business continuity management in e.g. Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP).

Description

To support cyber resilience and secure the delivery of critical services, the necessary requirements are identified, documented and their implementation tested and approved.

ID.BE-5.2

ID.BE-5.2: Information processing and supporting facilities shall implement redundancy to meet availability requirements, as defined by the organization and/or regulatory frameworks.

Consider provisioning adequate data and network redundancy (e.g. redundant network devices, servers with load balancing, raid arrays, backup services, 2 separate datacentres, fail-over network connections, 2 ISP's…).
Consider protecting critical equipment/services from power outages and other failures due to utility interruptions (e.g. UPS and NO-break, frequent test, service contracts that include regular maintenance, redundant power cabling, 2 different power service providers...).

Description

Information processing and supporting facilities shall implement redundancy to meet availability requirements, as defined by the organization and/or regulatory frameworks.

ID.BE-5.3

ID.BE-5.3: Recovery time and recovery point objectives for the resumption of essential ICT/OT system processes shall be defined.

Consider applying the 3-2-1 back-up rule to improve RPO and RTO (maintain at least 3 copies of your data, keep 2 of them at separate locations and one copy should be stored at an off-site location).
Consider implementing mechanisms such as hot swap, load balancing and failsafe to increase resilience.

Description

Recovery time and recovery point objectives for the resumption of =Levels!$C14 ICT/OT system processes shall be defined.