Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

cp-9

information system backup

assessment objective:

Determine if the organization:

cp-9(a)

cp-9(a)[1]

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;

cp-9(a)[2]

conducts backups of user-level information contained in the information system with the organization-defined frequency;

cp-9(b)

cp-9(b)[1]

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;

cp-9(b)[2]

conducts backups of system-level information contained in the information system with the organization-defined frequency;

cp-9(c)

cp-9(c)[1]

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;

cp-9(c)[2]

conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and

cp-9(d)

protects the confidentiality, integrity, and availability of backup information at storage locations.

potential assessment methods and objects:

Examine: [select from: Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup logs or records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for conducting information system backups; automated mechanisms supporting and/or implementing information system backups].