cp-8(4)

telecommunications services  | provider contingency plan

assessment objective:

Determine if the organization:

cp-8(4)(a)

cp-8(4)(a)[1]

requires primary telecommunications service provider to have contingency plans;

cp-8(4)(a)[2]

requires alternate telecommunications service provider(s) to have contingency plans;

cp-8(4)(b)

reviews provider contingency plans to ensure that the plans meet organizational contingency requirements;

cp-8(4)(c)

cp-8(4)(c)[1]

defines the frequency to obtain evidence of contingency testing/training by providers; and

cp-8(4)(c)[2]

obtains evidence of contingency testing/training by providers with the organization-defined frequency.

potential assessment methods and objects:

Examine: [select from: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; provider contingency plans; evidence of contingency testing/training by providers; primary and alternate telecommunications service agreements; other relevant documents or records].

Interview: [select from: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements].