Establish, implement, and maintain help desk query escalation procedures.


CONTROL ID: 00849
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a customer service program., CC ID: 00846

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • O41.3: During the times when CD/ATM services are available, the organization should provide measures to allow immediate suspension of payment when notification from customers is accepted at the control center or other operating unit. When CD/ATM services are not available, the response should be imp… (O41.3, O105-1.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • If the accident notification is accepted, it is necessary to record the time when the accident notification is accepted, and register and manage the record immediately. If a phone call about robbery is received, it is necessary to establish a system to allow appropriate measures to be taken by the t… (P64.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To facilitate the classification process, the FI should clearly define criteria to categorise problems by severity level. To effectively monitor and escalate problems, the FI should establish target resolution time as well as appropriate escalation processes for each severity level. (§ 7.4.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • (§ 3.3.2.2, OGC ITIL: Security Management)
  • The purpose of the service request management practice is to support the agreed quality of a service by handling all pre-defined, user-initiated service requests in an effective and user-friendly manner. (5.2.16 ¶ 1, ITIL Foundation, 4 Edition)
  • Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the app… (DS8.1 Service Desk, CobiT, Version 4.1)
  • Establish service desk procedures, so incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based i… (DS8.3 Incident Escalation, CobiT, Version 4.1)
  • The organization should send an e-mail confirmation after a transaction has been approved. This will allow the organization to check the validity of the e-mail address. If the e-mail address is incorrect, the transaction should be investigated for fraud. (Pg 57, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The organization shall authorize and record the reason for not following a customer complaint with corrective and/or preventive action. (§ 8.5.1 ¶ 4, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Service complaint escalation shall be provided to customers when the complaint is not resolved through the normal channels. (§ 7.1 ¶ 6, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall investigate problems and identify their cause; use the risk management process to evaluate the problems' relevance to safety; document the investigation and evaluation result… (§ 9.2, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • closed. (§ 8.6.2 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • To be effective, all incident capture should be performed using automation IAW IR-5(1). The CSP must provide an automated capability that supports incident capture and protection, which must support the CSP's investigation of incidents within their own infrastructure and in customer's CSO environmen… (Section 6.5.4.2 ¶ 8, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • A medical device manufacturer shall review and evaluate each complaint they receive and determine if it is necessary to perform an investigation. If an investigation is not done, a record shall be maintained stating the reason that an investigation was not conducted and the name of the individual wh… (§ 820.198(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)