Resiliency Analysis

The process that assesses the ability of an organization to continue to deliver services in spite of the occurrence of various events (e.g., loss of power, loss of network connectivity, etc.).

Cloud Controls Matrix (CCM) Data


RS-02 | Resiliency | Impact Analysis

Control Specification

There shall be a defined and documented method for determining the impact of any disruption to the organization which must incorporate the following:
- Identify critical products and services
- Identify all dependencies, including processes, applications, business partners and third party service providers
- Understand threats to critical products and services
- Determine impacts resulting from planned or unplanned disruptions and how these vary over time
- Establish the maximum tolerable period for disruption
- Establish priorities for recovery
- Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
- Estimate the resources required for resumption

Architectural Relevance

Physical | Network | Compute | App | Data
True | True | True | True | True

Corp Gov Relevance

Corp Gov Relevance
True

Cloud Service Delivery Model Applicability

SaaS | PaaS | IaaS
True | True | True

Supplier Relationship

Service Provider | Tenant / Consumer
True | True

Scope Applicability

COBIT 4.1: (none listed)
HIPAA / HITECH Act: 45 CFR 164.308 (a)(7)(ii)(E)
ISO/IEC 27001:2005: A.14.1.2, A.14.1.4
NIST SP 800-53 R3: RA-3
FedRAMP (Final 2012) Low Impact: NIST SP 800-53 R3 CP-1, CP-2, RA-3
FedRAMP (Final 2012) Moderate Impact: NIST SP 800-53 R3 CP-1, CP-2, RA-3
PCI DSS v2.0: (none listed)
BITS Shared Assessments SIG v6.0: K.2
BITS Shared Assessments SIG v5.0: (none listed)
GAPP (Aug 2009): (none listed)
Jericho Forum: Commandment #1, Commandment #2, Commandment #3
NERC CIP: CIP-007-3 - R8 - R8.1 - R8.2 - R8.3


Consensus Assessments Initiative Questionnaire (CAIQ) Data

Resiliency (RS) | ID #RS-02.1

Do you provide tenants with ongoing visibility and reporting into your operational Service Level Agreement (SLA) performance?

Compliance Mapping

COBIT: (none listed)
HIPAA: 45 CFR 164.308 (a)(7)(ii)(E)
ISO27001: ISO/IEC 27001:2005 A.14.1.2, A.14.1.4
SP800_53: NIST SP800-53 R3 RA-3
FedRAMP: NIST SP800-53 R3 RA-3
PCI_DSS: (none listed)
BITS: SIG v6.0:K.2
GAPP: (none listed)

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Resiliency (RS) | ID #RS-02.2

Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?

Compliance Mapping

COBIT: (none listed)
HIPAA: 45 CFR 164.308 (a)(7)(ii)(E)
ISO27001: ISO/IEC 27001:2005 A.14.1.2, A.14.1.4
SP800_53: NIST SP800-53 R3 RA-3
FedRAMP: NIST SP800-53 R3 RA-3
PCI_DSS: (none listed)
BITS: SIG v6.0:K.2
GAPP: (none listed)

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Resiliency (RS) | ID #RS-02.3

Do you provide customers with ongoing visibility and reporting into your SLA performance?

Compliance Mapping

COBIT: (none listed)
HIPAA: 45 CFR 164.308 (a)(7)(ii)(E)
ISO27001: ISO/IEC 27001:2005 A.14.1.2, A.14.1.4
SP800_53: NIST SP800-53 R3 RA-3
FedRAMP: NIST SP800-53 R3 RA-3
PCI_DSS: (none listed)
BITS: SIG v6.0:K.2
GAPP: (none listed)

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True