Establish, implement, and maintain an Incident Response program.


CONTROL ID: 00579
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Create an incident response report following an incident response., CC ID: 12700
  • Employ tools and mechanisms to support the organization's Incident Response program., CC ID: 13182
  • Define target resolution times for incident response in the Incident Response program., CC ID: 13072
  • Analyze and respond to security alerts., CC ID: 12504
  • Mitigate reported incidents., CC ID: 12973
  • Establish, implement, and maintain an incident response plan., CC ID: 12056
  • Establish, implement, and maintain a cyber incident response plan., CC ID: 13286
  • Include incident response team structures in the Incident Response program., CC ID: 01237
  • Include coverage of all system components in the Incident Response program., CC ID: 11955
  • Prepare for incident response notifications., CC ID: 00584
  • Include incident response team services in the Incident Response program., CC ID: 11766
  • Establish, implement, and maintain an incident response policy., CC ID: 14024
  • Establish, implement, and maintain incident response procedures., CC ID: 01206
  • Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred., CC ID: 01213
  • Include business continuity procedures in the Incident Response program., CC ID: 06433
  • Include consumer protection procedures in the Incident Response program., CC ID: 12755
  • Include the reimbursement of customers for financial losses due to incidents in the Incident Response program., CC ID: 12756
  • Establish trust between the incident response team and the end user community during an incident., CC ID: 01217
  • Include business recovery procedures in the Incident Response program., CC ID: 11774
  • Establish, implement, and maintain a digital forensic evidence framework., CC ID: 08652
  • Disseminate and communicate the incident response procedures to all interested personnel and affected parties., CC ID: 01215
  • Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results., CC ID: 12306
  • Test the incident response procedures., CC ID: 01216


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should have in place a problem management system to respond promptly to IT operational incidents, to escalate reported incidents to relevant IT management staff and to record, analyse and keep track of all these incidents until rectification of the incidents. A helpdesk function can be set up to… (5.1.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • A licensed or registered person should establish written policies and procedures specifying the manner in which a suspected or actual cybersecurity incident should be escalated and reported internally (eg, to the responsible officer(s) or executive officer(s) in charge of internet trading) and exter… (3.2. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • Incident response and management (Critical components of information security 1) 2) q. xv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Implementation of internal and external intrusion detection system, incident response system and establishing 24x7 incident monitoring (Critical components of information security 24) viii. ¶ 1 f., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks can also consider incorporating DoS attack considerations in their ISP selection process. An incident response framework should be devised and validated periodically to facilitate fast response to a DDoS onslaught or an imminent attack. Banks may also need to be familiar with the ISPs' inciden… (Critical components of information security 26) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should develop processes for managing incidents that might impact services, including processes for detecting, identifying, containing, investigating, gathering evidence, resolving, returning to business, and reducing the risk of similar events. (¶ 71, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should document the procedures for managing data leakage, identity theft, and fraud. (Attach E ¶ 3(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term 'potential' is used to highlight that information security incidents are commonly identified when an ev… (66., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The organization should develop, implement, and maintain procedures to detect potential security incidents. One such procedure should be to implement intrusion detection strategies. The intrusion detection strategies should include implementing intrusion detection mechanisms; analyzing logs; auditin… (§ 2.7.38, § 2.8.17, § 3.7.5, Australian Government ICT Security Manual (ACSI 33))
  • responding to incidents; (ANNEX I ¶ 1(2)(a)(iii), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • an identification of the measures ensuring preparedness for, responsiveness to and recovery from incidents, including cooperation between the public and private sectors; (Article 7 1(e), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Financial entities shall record all ICT-related incidents and significant cyber threats. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identifie… (Art. 17.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure a fast, effective and proper response to all known security incidents. On the part of the cloud provider, at least the roles listed in OIS-03 must be… (Section 5.13 SIM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The processing of personal data by electronic means will only be allowed if the following minimum security measure is implemented with the technical specifications stated in Annex B of this Code: protecting data against unlawful data processing, unauthorized access, and specific software. (§ 34.1(e), Italy Personal Data Protection Code)
  • (§ VII, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the incident response plan provide a description of the authority and discretion the organization has when responding, e.g., key points of contact and communication channels (law enforcement, regulatory agencies, Public Relations, internal communications)? (Table Row XII.9, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • Create the incident response plan to be implemented in the event of system breach. (§ 12.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Implement an incident response plan. Be prepared to respond immediately to a system breach. (12.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Spec… (12.10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Spec… (12.10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Spec… (12.10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Interview personnel and review documentation from a sample of previously reported incidents or alerts to verify that the documented incident response plan and procedures were followed. (12.10.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify that the incident response plan includes: - Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup process… (12.10.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • The organization should implement internal fraud prevention measures and controls. (Pg 37, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The objective of an incident response framework is to provide a systematic approach in developing an incident response plan. A well-defined incident response plan will enable you to handle any incident efficiently and effectively with minimal impact to the business operations. When developing these … (§ 4.0, VISA Incident Response Procedure for Account Compromise, Version 1.2 2004)
  • The incident management plan should be flexible, feasible, and relevant; be easy to read and understand; be the basis for managing all potential issues; have top management support; and be supported by an appropriate budget. (§ 8.4, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The incorporation of specialty disciplines to the overall crisis management program is an aspect of an effective crisis management program in addition to escalation protocols and command and control of people, information, and processes. (§ 7 ¶ 5, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Good privacy management is supported by the implementation of intrusion detection and prevention technologies. (§ 4.5 (Privacy Best Practices), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization must develop and maintain documented objectives and targets to deter, avoid, mitigate, prevent, respond to, and recover from disruptive events. The targets and objectives must include the expectations for outside relationships that are critical to functional operations and the missi… (§ 4.3.3 ¶ 1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Contains a list of the specifications for intrusion detection equipment to be used by all Federal agencies. (Ch 4 App A, Protection of Assets Manual, ASIS International)
  • If the organization does not maintain an incident reporting database, they may form an asset protection committee. This committee should be made up of personnel from the organization's departments. They should determine which incidents should be reported and which assets are vulnerable, assess the vu… (Rev Volume 1 Pg 2-II-21, Rev Volume 1 Pg 2-II-22, Protection of Assets Manual, ASIS International)
  • (Further Issues 5 § 3.2, ISF Security Audit of Networks)
  • Actual or suspected unauthorized disclosure of sensitive information to unauthorized parties should be reported to a particular individual or team responsible for handling confidentiality breaches (e.g., legal, compliance, or Risk Management). (CF.08.07.07, The Standard of Good Practice for Information Security)
  • A capability for governing the management of information security incidents (i.e., an event or chain of events that compromise the confidentiality, integrity, or availability of information) should be established. (CF.11.01.01, The Standard of Good Practice for Information Security)
  • Individuals responsible for managing information security incidents should be supported by tools (e.g., software for Security Information Management, evidence handling, back-up and recovery, and forensic investigation) to help complete each stage of the information security incident management Proce… (CF.11.01.10, The Standard of Good Practice for Information Security)
  • A capability for governing the management of information security incidents (i.e., an event or chain of events that compromise the confidentiality, integrity, or availability of information) should be established. (CF.11.01.01, The Standard of Good Practice for Information Security, 2013)
  • Individuals responsible for managing information security incidents should be supported by tools (e.g., software for Security Information Management, evidence handling, back-up and recovery, and forensic investigation) to help complete each stage of the information security incident management Proce… (CF.11.01.10, The Standard of Good Practice for Information Security, 2013)
  • Actual or suspected unauthorized disclosure of sensitive information to unauthorized parties should be reported to a particular individual or team responsible for handling confidentiality breaches (e.g., legal, compliance, or Risk Management). (CF.08.07.08, The Standard of Good Practice for Information Security, 2013)
  • The organization should establish the type of approach it will take when an incident is discovered. The two types of approaches are "contain, clean, and deny access" and "monitor and gather information." Each system can have its own approach. Top management must decide which approach to take before … (Action 1.1.5, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should determine the level of authority the incident handling team has in making critical decisions during an incident, including the authority to disconnect networks and take servers offline. Contact information should be maintained for all system administrators and network persons… (Action 1.2.4, Action 1.4.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating… (CIS Control 19: Incident Response and Management, CIS Controls, 7.1)
  • Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating… (CIS Control 19: Incident Response and Management, CIS Controls, V7)
  • Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack. (CIS Control 17: Incident Response Management, CIS Controls, V8)
  • Incident Handling. Unwanted incidents are more likely to occur, and more serious adverse business impact to result, where there are network connections (as opposed to where there are none). Further, with network connections to other organizations in particular there could well be significant legal i… (¶ 13.2.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Incident management procedures shall be used to manage information security incidents. (§ 6.6.3 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall ensure personnel involved in the management process of service requests and incidents can access and use relevant information. (§ 8.1 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; (§ 4.1 ¶ 3 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. (§ 8.4.4 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The service provider should have an established information security incident management scheme that is fully compatible with ISO/IEC 18044:2004. Outsourced service providers should ensure logical security incidents are handled according to the information security incident management process referr… (§ 5.7.5, § 7.5.10, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Management should have assigned responsibilities and procedures to effectively respond to incidents. The procedures should cover the handling of different types of security incidents; analysis and identification of the cause; containment; implementation of corrective action; reporting to the appropr… (§ 13.2.1, ISO 27002 Code of practice for information security management, 2005)
  • The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate. (CC7.4 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Widely reported events, industry reports and cybersecurity incidents that have occurred outside the organization. (RC.IM-1.1(3), CRI Profile, v1.2)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, CRI Profile, v1.2)
  • Procedures exist to identify, report, and act on system security breaches and other incidents. (Security Prin. and Criteria Table § 3.7, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to identify, report, and act on system availability issues and related security breaches and other incidents. (Availability Prin. and Criteria Table § 3.10, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to identify, report, and act on system processing integrity issues and related security breaches and other incidents. (Processing Integrity Prin. and Criteria Table § 3.11, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to identify, report, and act on system confidentiality and security breaches and other incidents. (Confidentiality Prin. and Criteria Table § 3.13, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should establish and maintain a privacy incident and breach management program. (Generally Accepted Privacy Principles and Criteria § 1.2.7, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should establish and maintain a privacy incident and breach management program. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have procedures to report incidents and breaches to a breach team member, who assesses and classifies the incident, initiates action, and determines personnel responsibilities. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. (CC7.4, Trust Services Criteria)
  • The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate. (CC7.4 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • A strategy to prevent incidents that threaten people, property, and the environment must be developed by the organization. Annex A.5.4.1 contains items the incident prevention strategy should include, and Annex A.5.4.2 contains techniques to consider for an incident prevention strategy. (§ 5.4, Annex A.5.4.1, Annex A.5.4.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Cyber Security Incident response (B. R1. 1.2 1.2.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Incident reporting and response planning (CIP-008); (B. R1. 1.1 1.1.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Incident reporting and response planning (CIP-008); (B. R1. 1.1 1.1.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Cyber Security Incident response; (B. R1. 1.2 1.2.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Is a response program maintained that includes policies and procedures to address privacy incidents and unauthorized disclosure, access, or breach of confidential information? (§ P.1.2, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must: (§ 248.201 (e), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Procedures must be established for evaluating bomb threats, sabotage, aircraft piracy, and interference with aircraft operations. (§ 1542.307, 49 CFR Part 1542, Airport Security)
  • Policies and procedures shall be implemented to address security incidents. (§ 164.308(a)(6)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • All significant security incidents and suspicious activities that occur in or near the facility must be identified, investigated, reported, and recorded. (§ 27.230(a)(16), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • A system must be in place to identify any abuses of the IT system, including tampering with, altering, or improperly accessing the business data. (Accountability, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • An agency shall use automated mechanisms for supporting the incident handling process, wherever feasible. (§ 5.3.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Manage and maintain the CJIS Division's Computer Security Incident Response Capability (CSIRC). (§ 5.3.1.1.1 ¶ 1 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The effective management of the Incident Command System (ICS) must include establishing a chain of command and a unified command for incidents involving multiple jurisdictions; maintaining an up-to-date database of available resources and their utilization; developing a communications plan addressin… (Chap II.A.2, National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • Preparedness organizations can range from small committees to large organizations. They are responsible for meeting regularly and ensuring all preparedness requirements are met. The preparedness organization should set priorities; integrate and coordinate all activities; establish emergency plans; a… (Chap III.B.1, National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • Defining threat monitoring policies that provide for both continual and ad hoc monitoring of communications and systems, effective incident detection and response, and the use of monitoring reports in subsequent legal proceedings. (App A Objective 8.4.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization should develop an incident response policy and it should be integrated into the continuity plan. (Pg 31, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 1.5, Obj 4.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization must develop, document, and distribute an incident response policy and procedures for implementing incident response security controls. (§ 5.6.8, Exhibit 4 IR-1, Exhibit 4 SI-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • The organization must implement an incident handling policy. The policy must include the procedures for detecting, analyzing, containing, eradicating, and recovering from a security incident. (Exhibit 4 IR-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member; (§ 748.0 (b)(3), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies; and (§ 748 Appendix A. III.C.1.g., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Millions of Americans, throughout the country, have been victims of identity theft. Identity thieves misuse personal information they obtain from a number of sources, including credit unions, to perpetrate identity theft. Therefore, credit unions should take preventative measures to safeguard member… (§ 748 Appendix B. II.i., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Has the Credit Union developed intrusion detection policies and procedures? (IT - IDS IPS Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • A computer security incident is defined as a violation or an imminent threat of violation of computer security policies, standard security practices, or acceptable use policies. Incident examples include Denial of Service, malicious code, inappropriate usage, and unauthorized access. Incident respon… (§ 2.1 ¶ 2, § 2.3.1, App A, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Anyone who discovers or suspects that an incident has occurred should be able to contact the incident response team. The incident handlers should then analyze the data, determine the impact, and act to limit damage and restore normal services. (§ 2.4, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Calls for System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor inform… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Calls for Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents. (RS.RP Response Planning, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Organizational records and documents should be examined to ensure the organization has implemented a systemwide, centrally managed, intrusion-detection process. Organizational records and documents also should be examined to ensure automated tools are used to investigate, report, and respond to susp… (SI-4(1), SI-4(2), SI-4(3), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizational records and documents should be examined to ensure the organization is prepared for -- can detect, analyze, contain, eradicate, and recover from -- an incident; incident handling procedures are being followed and conducted on a timely basis; automated functions are used to help in han… (IR-4, IF-4(1), IR-4.8, IR-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization must develop and implement an Incident Response security policy. (SG.IR-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms for administering and supporting the incident handling process. (SG.IR-5 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented incident response policy that includes purpose, roles, responsibilities, scope, management commitment, compliance, and coordination among entities. (App F § IR-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • § 73.54(a)(1) Digital computer and communications systems and networks that are associated with the following must be protected by the licensee: security functions; safety-related and important-to-safety functions; emergency preparedness functions, including off site communications; and support sys… (§ 73.54(a)(1), § 73.54(a)(2), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • Response programs that specify actions to be taken when the national bank or Federal savings association suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and (§ III. C. 1.(g), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • The organization must provide assurance that it can prevent or detect unauthorized acquisition, use, and/or disposition of the organization's assets. (§ 240.15d-15(f)(3), 17 CFR Part 240.15d-15, Controls and Procedures)
  • Reference other company plans, policies and procedures such as insider threat, business continuity, incident response and recovery plans; (3.1 ¶ 1 Bullet 3, Pipeline Security Guidelines)
  • Develop internal and external notification requirements and procedures for security events. (Table 1: Communication Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • incident response. (§ 500.03 Cybersecurity Policy (n), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • incident response and notification; and (§ 500.3 Cybersecurity Policy (n), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • have plans for response to incidents and solution; and (Art. 50 § 2 I(g), Brazilian Law No. 13709, of August 14, 2018)