PRA SS1/21 & SS2/21 — Operational Resilience and Outsourcing

UK Prudential Regulation Authority requirements for operational resilience at PRA-regulated firms. PRA SS1/21 covers identification of important business services, impact tolerance setting, resource mapping, scenario testing, and self-assessment. PRA SS2/21 covers outsourcing governance, materiality assessment, due diligence, contractual requirements, sub-outsourcing chains, intra-group outsourcing, and exit strategies. Packaged under PRA Policy Statement PS6/21.

AC Access Control

Control Name | PRA Operational Resilience References
AC-04 Information Flow Enforcement | SS2/21-11.1
AC-20 Use Of External Information Systems | SS2/21-14.1, SS2/21-9.1

AT Awareness and Training

Control Name | PRA Operational Resilience References
AT-03 Security Training | SS2/21-17.1
AT-06 Training Feedback | SS1/21-6.2

AU Audit and Accountability

Control Name | PRA Operational Resilience References
AU-01 Audit And Accountability Policy And Procedures | SS2/21-6.2
AU-06 Audit Monitoring, Analysis, And Reporting | SS2/21-15.1
AU-11 Audit Record Retention | SS2/21-13.1

CA Security Assessment and Authorization

Control Name | PRA Operational Resilience References
CA-02 Security Assessments | SS1/21-7.1, SS2/21-6.2
CA-03 Information System Connections | SS2/21-9.1
CA-05 Plan Of Action And Milestones | PS6/21-1.1, SS1/21-6.2
CA-07 Continuous Monitoring | SS1/21-7.1, SS2/21-7.1
CA-08 Penetration Testing | SS1/21-6.1

CM Configuration Management

Control Name | PRA Operational Resilience References
CM-03 Configuration Change Control | SS1/21-11.1
CM-04 Monitoring Configuration Changes | SS1/21-11.1
CM-08 Information System Component Inventory | SS1/21-5.2, SS2/21-13.1
CM-12 Information Location | SS1/21-3.1, SS1/21-5.2, SS2/21-14.1
CM-13 Data Action Mapping | SS1/21-3.1, SS1/21-5.2, SS1/21-9.1

CP Contingency Planning

Control Name | PRA Operational Resilience References
CP-01 Contingency Planning Policy And Procedures | SS2/21-10.1
CP-02 Contingency Plan | SS1/21-10.1, SS1/21-3.1, SS1/21-4.1, SS1/21-5.1, SS1/21-8.1, SS2/21-10.1, SS2/21-12.1
CP-04 Contingency Plan Testing And Exercises | SS1/21-6.1, SS1/21-6.2, SS2/21-10.1
CP-06 Alternate Storage Site | SS1/21-5.3, SS2/21-10.1
CP-07 Alternate Processing Site | SS1/21-5.3, SS2/21-10.1

IR Incident Response

Control Name | PRA Operational Resilience References
IR-01 Incident Response Policy And Procedures | SS1/21-8.1
IR-03 Incident Response Testing And Exercises | SS1/21-6.1, SS1/21-6.2
IR-04 Incident Handling | SS1/21-8.1
IR-06 Incident Reporting | SS1/21-8.1, SS2/21-15.1
IR-07 Incident Response Assistance | SS1/21-8.1

MP Media Protection

Control Name | PRA Operational Resilience References
MP-04 Media Storage | SS2/21-11.1
MP-05 Media Transport | SS2/21-11.1

PE Physical and Environmental Protection

Control Name | PRA Operational Resilience References
PE-01 Physical And Environmental Protection Policy And Procedures | SS1/21-5.3
PE-17 Alternate Work Site | SS1/21-5.3

PL Planning

Control Name | PRA Operational Resilience References
PL-01 Security Planning Policy And Procedures | SS1/21-3.2
PL-08 Security and Privacy Architectures | SS1/21-5.2, SS1/21-9.1
PL-10 Baseline Selection | PS6/21-2.1
PL-11 Baseline Tailoring | PS6/21-2.1

PM Program Management

Control Name | PRA Operational Resilience References
PM-01 Information Security Program Plan | PS6/21-1.1, SS1/21-3.2, SS2/21-3.1
PM-02 Information Security Program Leadership Role | SS1/21-3.2, SS2/21-17.1
PM-04 Plan of Action and Milestones Process | PS6/21-1.1
PM-05 System Inventory | SS2/21-13.1
PM-06 Measures of Performance | SS1/21-6.2, SS1/21-7.1
PM-08 Critical Infrastructure Plan | SS1/21-3.1
PM-09 Risk Management Strategy | PS6/21-2.1, SS1/21-10.1, SS1/21-3.2, SS1/21-4.1, SS2/21-12.1, SS2/21-3.1, SS2/21-4.1, SS2/21-9.1
PM-11 Mission and Business Process Definition | SS1/21-11.1, SS1/21-3.1, SS1/21-4.1, SS1/21-5.1, SS1/21-9.1, SS2/21-4.1
PM-13 Security and Privacy Workforce | SS1/21-5.1, SS2/21-17.1
PM-14 Testing, Training, and Monitoring | SS1/21-6.1, SS1/21-7.1, SS2/21-7.1
PM-27 Privacy Reporting | SS2/21-15.1
PM-29 Risk Management Program Leadership Roles | SS1/21-3.2
PM-30 Supply Chain Risk Management Strategy | SS2/21-16.1
PM-31 Continuous Monitoring Strategy | PS6/21-1.1, SS1/21-7.1

PS Personnel Security

Control Name | PRA Operational Resilience References
PS-01 Personnel Security Policy And Procedures | SS1/21-5.1
PS-02 Position Categorization | SS1/21-5.1, SS2/21-17.1
PS-07 Third-Party Personnel Security | SS2/21-5.1, SS2/21-6.1

RA Risk Assessment

Control Name | PRA Operational Resilience References
RA-02 Security Categorization | PS6/21-2.1
RA-03 Risk Assessment | SS1/21-10.1, SS1/21-4.1, SS1/21-6.1, SS2/21-16.1, SS2/21-4.1, SS2/21-5.1
RA-09 Criticality Analysis | SS1/21-3.1, SS1/21-5.2, SS1/21-9.1, SS2/21-4.1

SA System and Services Acquisition

Control Name | PRA Operational Resilience References
SA-04 Acquisitions | SS2/21-3.1, SS2/21-5.1, SS2/21-6.1
SA-09 External Information System Services | SS1/21-5.2, SS1/21-5.3, SS1/21-9.1, SS2/21-10.1, SS2/21-11.1, SS2/21-12.1, SS2/21-13.1, SS2/21-14.1, SS2/21-16.1, SS2/21-3.1, SS2/21-5.1, SS2/21-6.1, SS2/21-6.2, SS2/21-7.1, SS2/21-8.1, SS2/21-9.1
SA-10 Developer Configuration Management | SS1/21-11.1
SA-21 Developer Screening | SS2/21-5.1

SC System and Communications Protection

Control Name | PRA Operational Resilience References
SC-07 Boundary Protection | SS2/21-14.1
SC-08 Transmission Integrity | SS2/21-11.1
SC-13 Use Of Cryptography | SS2/21-11.1
SC-28 Protection of Information at Rest | SS2/21-11.1

SI System and Information Integrity

Control Name | PRA Operational Resilience References
SI-04 Information System Monitoring Tools And Techniques | SS2/21-7.1

SR Supply Chain Risk Management

Control Name | PRA Operational Resilience References
SR-01 Policy and Procedures | SS1/21-5.3, SS2/21-12.1, SS2/21-16.1, SS2/21-3.1, SS2/21-8.1
SR-02 Supply Chain Risk Management Plan | SS1/21-5.3, SS2/21-16.1, SS2/21-3.1, SS2/21-8.1
SR-03 Supply Chain Controls and Processes | SS2/21-14.1, SS2/21-6.1, SS2/21-8.1
SR-06 Supplier Assessments and Reviews | SS2/21-5.1, SS2/21-6.1, SS2/21-6.2, SS2/21-7.1