Prepare for incident response notifications.
CONTROL ID
00584
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization shall ensure unauthorized access attempts and other unusual conditions are automatically reported to security managers and other assigned personnel. (T45.2(6), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Establishing escalation and communication processes and lines of authority (Critical components of information security 10) (ii) b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should have clear communication procedures to limit a security incident's impact. (¶ 72, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should develop and maintain procedures to detect security breaches; to determine the cause of the incident; to report the incident; to prevent the system from being compromised; and to document actions necessary to prevent a recurrence. (§ 2.8.43, Australian Government ICT Security Manual (ACSI 33))
  • For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authori… (Art. 19.1. ¶ 4, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • What notifications are provided and when? (Appendix D, Maintain an Information Security Policy Bullet 7 Sub-bullet 3, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Verify the incident response plan includes the roles, responsibilities, and communication strategies for when a compromise occurs, including notifying the payment brands. (Testing Procedures § 12.10.1.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The incident response plan must include the communication and contact strategies for a compromise, including notifying the payment brands. (PCI DSS Requirements § 12.10.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the incident response plan address the roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? (PCI DSS Question 12.10.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Security risks need to be managed effectively, including logical access controls to applications. Key logical access control considerations include reporting security breaches on a regular basis. (§ 5.2 (Logical Access), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should document the procedures employees and contractors are to use for reporting computer anomalies and incidents to the incident handling team. (Critical Control 18.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • A formal reporting procedure should be implemented, along with an incident response and escalation procedure. Information security events should be reported as quickly as possible to the designated point of contact. Reporting forms should be used to help the reporting person remember all pertinent i… (§ 13.1.1, ISO 27002 Code of practice for information security management, 2005)
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • Does the incident response plan include a process for assessing and executing client and third party notification requirements (legal, regulatory, and contractual)? (§ J.1.2.9, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • The Agencies encourage financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies. (Supplement A § III.B.2, 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • IT personnel will maintain a constant awareness of cyber attacks and counterattacks that are occurring with automated systems throughout many industries to ensure the organization's system is protected from a breach. Alerts are given to system users to prevent virus attacks and improper release of i… (Pg 46, C-TPAT Supply Chain Security Best Practices Catalog)
  • Coordination of incident response policies and contractual notification requirements. (App A Objective 6.31.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • All members of the organization should be aware of the problem management process. (Pg 33, FFIEC IT Examination Handbook - Operations, July 2004)
  • Notice to FTC. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security. If the breach involves the unsecured PHR identifiable health information of 500 or more individuals, then such notice shall… (§ 318.5 (c), 16 CFR Part 318, Health Breach Notification Rule)
  • § 4.20.4 Bullet 1: Amend plan documents to incorporate provisions to require the plan sponsor to report to the group health plan any security incident of which it becomes aware. § 4.20.4 Bullet 2: Establish a specific policy for security incident reporting. (§ 4.20.4 Bullet 1, § 4.20.4 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The Agencies encourage financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies. (Supp A § III. B. 2., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Bank systems should reduce bank vulnerability to system failures, unauthorized intrusions, and other problems. Back-up systems should be maintained and tested on a regular basis to minimize the risk of system failures and unauthorized intrusions. System failures and unauthorized intrusions may resul… (¶ 38, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Plan for and use measures to contain, control and correct any security incident that may involve personal information. (Part II ¶ 5, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (§ 36a-701b(f)(1), Connecticut State Law, Section 36a-701b, Breach of security re computerized data containing personal information. Disclosure of breach. Delay for criminal investigation. Means of notice. Unfair trade practice)
  • Determine sufficient contact information for the intended recipient of the notice; (646A.604 (3)(b)(A), Oregon Revised Statutes Volume 16 Title 50 Chapter 646A Section 604, Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement)
  • Affected individuals.--In the case of a breach of the security of the system involving personal information of an individual's user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the State agency contractor may com… (§ 2303. (a.4), Pennsylvania Statutes Title 73 Chapter 43, Breach of Personal Information Notification Act)