Back

Prepare for incident response notifications.


CONTROL ID
00584
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization shall ensure unauthorized access attempts and other unusual conditions are automatically reported to security managers and other assigned personnel. (T45.2(6), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Establishing escalation and communication processes and lines of authority (Critical components of information security 10) (ii) b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should have clear communication procedures to limit a security incident's impact. (¶ 72, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should develop and maintain procedures to detect security breaches; to determine the cause of the incident; to report the incident; to prevent the system from being compromised; and to document actions necessary to prevent a recurrence. (§ 2.8.43, Australian Government ICT Security Manual (ACSI 33))
  • What notifications are provided and when? (Appendix D, Maintain an Information Security Policy Bullet 7 Sub-bullet 3, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Verify the incident response plan includes the roles, responsibilities, and communication strategies for when a compromise occurs, including notifying the payment brands. (Testing Procedures § 12.10.1.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The incident response plan must include the communication and contact strategies for a compromise, including notifying the payment brands. (PCI DSS Requirements § 12.10.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Security risks need to be managed effectively, including logical access controls to applications. Key logical access control considerations include reporting security breaches on a regular basis. (§ 5.2 (Logical Access), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should document the procedures employees and contractors to use for reporting computer anomalies and incidents to the incident handling team. (Critical Control 18.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • A formal reporting procedure should be implemented, along with an incident response and escalation procedure. Information security events should be reported as quickly as possible to the designated point of contact. Reporting forms should be used to help the reporting person remember all pertinent i… (§ 13.1.1, ISO 27002 Code of practice for information security management, 2005)
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • Does the incident response plan include a process for assessing and executing client and third party notification requirements (legal, regulatory, and contractual)? (§ J.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • The Agencies encourage financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies. (Supplement A § III.B.2, 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • IT personnel will maintain a constant awareness of cyber attacks and counterattacks that are occurring with automated systems throughout many industries to ensure the organization's system is protected from a breach. Alerts are given to system users to prevent virus attacks and improper release of i… (Pg 46, C-TPAT Supply Chain Security Best Practices Catalog)
  • Coordination of incident response policies and contractual notification requirements. (App A Objective 6.31.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • All members of the organization should be aware of the problem management process. (Pg 33, FFIEC IT Examination Handbook - Operations, July 2004)
  • § 4.20.4 Bullet 1: Amend plan documents to incorporate provisions to require the plan sponsor to report to the group health plan any security incident of which it becomes aware. § 4.20.4 Bullet 2: Establish a specific policy for security incident reporting. (§ 4.20.4 Bullet 1, § 4.20.4 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The Agencies encourage financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies. (Supp A § III. B. 2., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Bank systems should reduce bank vulnerability to system failures, unauthorized intrusions, and other problems. Back-up systems should be maintained and tested on a regular basis to minimize the risk of system failures and unauthorized intrusions. System failures and unauthorized intrusions may resul… (¶ 38, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Plan for and use measures to contain, control and correct any security incident that may involve personal information. (Part II ¶ 5, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (§ 36a-701b(f)(1), Connecticut State Law, Section 36a-701b, Breach of security re computerized data containing personal information. Disclosure of breach. Delay for criminal investigation. Means of notice. Unfair trade practice)