Establish, implement, and maintain incident response procedures.


CONTROL ID
01206
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Include references to industry best practices in the incident response procedures., CC ID: 11956
  • Include responding to alerts from security monitoring systems in the incident response procedures., CC ID: 11949
  • Automatically respond when an integrity violation is detected., CC ID: 10678


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Given that the risk of adverse incidents related to e-banking services cannot be completely eliminated, AIs should put in place formal incident response and management procedures for timely reporting and handling of different kinds of incidents (including suspected or actual security breaches, cyber… (§ 8.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Given that the risk of adverse incidents related to e-banking services cannot be completely eliminated, AIs should put in place formal incident response and management procedures for timely reporting and handling of different kinds of incidents (including suspected or actual security breaches, cyber… (§ 8.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • the process for the CMT to assess the overall impact on the AI and to make quick decisions on the appropriate responses for action (i.e. staff safety, incident containment and specific crisis management procedures); (4.2.2 Bullet 2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • AIs should establish incident response and reporting procedures to handle information security-related incidents during or outside office hours. The incident response and reporting procedures should include timely reporting to the HKMA of any confirmed IT-related fraud cases or major security breach… (3.3.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Reviewing significant issues escalated from cybersecurity incident reporting; (3.1. ¶ 1 (d), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • App 2-1 Item Number IV.7(4): The organization must develop measures for handling hardware failures. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number IV.8(4): The organization must develop measures for handling network… (App 2-1 Item Number IV.7(4), App 2-1 Item Number IV.8(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should include the following types of items in its procedures for responding to failure of an ATM in a convenience store: how to explain and announce the failure to customers; return cards to customers; guide customers to other working locations; handle extended service hours; conta… (O95.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Performing or delegating the following - day-to-day security administration, approval of exception access requests, appropriate actions on security violations when notified by the security administration, the review and approval of all changes to the application prior to being placed in the producti… (Application owner ¶ 1 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • IT incidents, if handled inappropriately, may escalate into situations that have a severe impact on the FI’s operations or its customers. The FI should evaluate the recovery plan and incident response procedures at least annually and update them as and when changes to business operations, systems … (§ 8.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The DC's physical security and environmental controls should be monitored on a 24 by 7 basis. Appropriate escalation, response plans and procedures for physical and environmental incidents at DCs should be established and tested. (§ 8.5.5, Technology Risk Management Guidelines, January 2021)
  • The incident response plan should include the expected response for each type of cyber security incident. (Control: 0059 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must include a requirement for notifying the information technology security manager of any data spillage and Access to unauthorized data in the standard procedures for all personnel with system access. (Control: 0130, Australian Government Information Security Manual: Controls)
  • The organization should report the cyber security incident and perform the other procedures stated in the incident response plan, whenever malicious code is detected. (Control: 0917 Bullet 8, Australian Government Information Security Manual: Controls)
  • The level of detail of response plans would be sufficient to minimise the amount of decision-making required and provide clarity regarding roles and responsibilities when experiencing an information security incident. (72., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • design detection and response controls based on the assumption that preventive controls have failed. This is typically referred as the principle of 'assumed breach'. (Attachment A(j)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Orderly response to information security incidents (Attachment G Control Objective Row 8, APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner. (23., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the ro… (3.5.1 60, Final Report EBA Guidelines on ICT and security risk management)
  • incident response procedures to mitigate the impacts related to the incidents and to ensure that the service becomes operational and secure in a timely manner; (3.5.1 60(e), Final Report EBA Guidelines on ICT and security risk management)
  • After an information security incident, the impact on information security shall be analysed and appropriate followup measures approved. (II.4.21, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • incident detection and response; (§ 7.11 Bullet 6, SS2/21 Outsourcing and third party risk management, March 2021)
  • policies and procedures to detect activities that may impact firms' information security (eg data breaches, incidents, or misuse of access by third parties) and respond to these incidents appropriately (including appropriate mechanisms for investigation and evidence collection after an incident); an… (§ 7.11 Bullet 12, SS2/21 Outsourcing and third party risk management, March 2021)
  • The entity has established policies and procedures for identifying, classifying and prioritizing the criticality of its collected PI. The entity also has procedures for evaluating potential vulnerabilities and the risk of unauthorized privacy information access, removal and destruction. The entity h… (M1.3, Privacy Management Framework, Updated March 1, 2020)
  • The entity has established policies and procedures that prevent, detect and react to system outages, incidents and events that disrupt system processing, or results in the loss, accidental disclosure or unauthorized modification of the entity's PI. (S7.4 Continuity of physical and environmental protections, Privacy Management Framework, Updated March 1, 2020)
  • Does the incident response plan provide guidance on what to do if there is an attack? (Table Row XII.1, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization should follow marketing and sales practices which should include responding promptly to detected problems and taking corrective action as needed. (CORE - 10(d), URAC Health Utilization Management Standards, Version 6)
  • Verify through observation and review of policies, that there is 24/7 incident response and monitoring coverage. (§ 12.9.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the shared hosting provider has written policies that provide for a timely forensics investigation of servers in the event of a compromise. (App A Testing Procedures § A.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
  • Interview responsible personnel and/or inspect recent wireless scan results and the responses to verify appropriate action is taken when an unauthorized Wireless Access Point is detected. (Testing Procedures § 11.1.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify the incident response plan includes the specific incident response procedures. (Testing Procedures § 12.10.1.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify the incident response plan includes reference to or inclusion of the incident response procedures for the payment brands. (Testing Procedures § 12.10.1.a Bullet 7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify through observation and review of policies, that there is 24/7 incident response and monitoring coverage. (§ 12.9.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • A process must be implemented to respond to alerts that are generated by the change detection software. (PCI DSS Requirements § 11.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The incident response plan must include specific incident response procedures. (PCI DSS Requirements § 12.10.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The incident response plan must include a reference to or the inclusion of the incident response procedures from the payment brands. (PCI DSS Requirements § 12.10.1 Bullet 7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually. (12.10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually. (12.10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows: (12.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Has an incident response plan been created to be implemented in the event of system breach? (12.10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Response procedures are implemented to be initiated upon the detection of attempts to remove cleartext PAN from the CDE via an unauthorized channel, method, or process. Response procedures include: (A3.2.6.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documented incident response procedures to verify that procedures for responding to the detection of stored PAN anywhere it is not expected to exist, ready to be initiated, and include all elements specified in this requirement. (12.10.7.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is a process in place to respond to any alerts generated by the change detection solution? (PCI DSS Question 11.5.1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? (PCI DSS Question 11.1.2(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is a process in place to respond to any alerts generated by the change detection solution? (PCI DSS Question 11.5.1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? (PCI DSS Question 11.1.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is a process in place to respond to any alerts generated by the change detection solution? (PCI DSS Question 11.5.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? (PCI DSS Question 11.1.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is a process in place to respond to any alerts generated by the change detection solution? (PCI DSS Question 11.5.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • A predetermined site should be defined for where an incident will be handled from. This site will be the focal point of the response after the incident has occurred. An alternate site should be defined in case the primary site cannot be accessed. The site should have the appropriate resources availa… (§ 8.5.7, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The incident management team should be contacted immediately after the service desk is made aware of an incident. The person making the contact should record who he/she contacted and the response. Leaving a phone message is not an acceptable response. (§ 8.4.3, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Contingency planning or disaster recovery planning, including responding to security incidents should be considered in physical and environmental security. This planning should include the coordination and logistics of the full scope of business activities. A plan that has not been successfully test… (§ 5.3.4 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Assisting employees who are affected by disasters, including the provision of family, mental health, or financial support and travel incentives or temporary relocation during an emergency, are aspects of an effective crisis management program in addition to escalation protocols and command and contr… (§ 7 ¶ 5, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization must develop logistical procedures and capabilities to acquire, locate, maintain, distribute, store, test, and account for resources, employees, services, facilities, and materials that are provided or produced to support the organizational resilience management system. (§ 4.4.1 ¶ 4(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization must establish, implement, and maintain procedures, with regard to the hazards, threats, risks, and organizational resilience management system, for using a national or regional threat or risk advisory system. (§ 4.4.3 ¶ 1(e), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The incident reporting policy should identify which types of incidents should be reported; state individual's responsibilities; describe the reporting format; define when reports should be submitted; state to whom forms should be submitted; and define the consequences of not making reports in a time… (Pg 12-III-3, Revised Volume 1 Pg 2-II-15, Revised Volume 4 Pg 1-I-11, Protection of Assets Manual, ASIS International)
  • Security incidents should be placed into a central database. If incidents are maintained in departmental databases and not organization-wide, events may appear to be unique when in fact they may be linked to each other. The incident report database should include the following fields: the lost asset… (Revised Volume 1 Pg 2-II-16, Revised Volume 1 Pg 2-II-18, Revised Volume 1 Pg 2-II-19, Protection of Assets Manual, ASIS International)
  • Security-related event log analysis should include responding to key security-related events (e.g., passing the relevant event log details to an information security incident management team). (CF.10.04.08c, The Standard of Good Practice for Information Security)
  • There should be a Process for managing individual information security incidents, which includes responding to information security incidents (e.g., escalation to the information security incident management team, investigation, containment, and eradication of the cause of the information security i… (CF.11.01.03b, The Standard of Good Practice for Information Security)
  • The crisis management process should include clearly defined steps to be taken in a crisis or emergency situations. (CF.20.04.03a, The Standard of Good Practice for Information Security)
  • Security-related event log analysis should include responding to key security-related events (e.g., passing the relevant event log details to an information security incident management team). (CF.10.04.08c, The Standard of Good Practice for Information Security, 2013)
  • There should be a Process for managing individual information security incidents, which includes responding to information security incidents (e.g., escalation to the information security incident management team, investigation, containment, and eradication of the cause of the information security i… (CF.11.01.03b, The Standard of Good Practice for Information Security, 2013)
  • The crisis management process should include clearly defined steps to be taken in a crisis or emergency situations. (CF.20.04.03a, The Standard of Good Practice for Information Security, 2013)
  • The organization must have policies and procedures in place to handle situations if the attacker tries to contact the organization. The policies and procedures must state when the organization will report to and ask for assistance from law enforcement, who will make that decision, and who will conta… (Action 4.4.4, SANS Computer Security Incident Handling, Version 2.3.1)
  • The on-site team should have a response kit (or jump kit) that contains back-up hardware and software, blank floppies, boot diskettes, operating system distribution media, and portable printers. Procedures should be developed for both teams (the on-site incidental handling team and the command decis… (Action 1.4.7, Special Action 1.5, SANS Computer Security Incident Handling, Version 2.3.1)
  • Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling. (Control 19.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should implement an Incident Response process which allows the security team to be supplied with sample malware currently running on the system to give to the virus vendor for creating and deploying new signatures. (Critical Control 5.13, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should establish and maintain an Incident Response and management capability. (Critical Control 18, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. (CIS Control 19: Sub-Control 19.1 Document Incident Response Procedures, CIS Controls, 7.1)
  • Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. (CIS Control 19: Sub-Control 19.1 Document Incident Response Procedures, CIS Controls, V7)
  • Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process, CIS Controls, V8)
  • Once a nonconformity is identified, it should be investigated to determine the cause(s), so that corrective action can be focused on the appropriate part of the environmental management system. In developing a plan for addressing a nonconformity, the organization should consider what actions it shou… (10.2 ¶ 5, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. (§ 8.4.1 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • be specific regarding the immediate steps that are to be taken during a disruption, (§ 8.4.1 ¶ 3 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. (§ 8.4.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • have processes, and procedures for the activation, operation, coordination, and communication of the response, (§ 8.4.2 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • plan actions that need to be undertaken; (§ 8.4.2.3 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall implement and maintain a response structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate … (§ 8.4.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Physical security incidents and weaknesses should be reported to the relevant authority promptly and then he/she should take the appropriate action. (§ 6.3.11, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Information security incidents shall be responded to in accordance with the documented procedures. (A.16.1.5 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • review the effectiveness of any corrective action taken; and (§ 10.1 ¶ 1 d), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • to ensure effective and timely response to security incidents; (§ 16.1.2 Health-specific controls ¶ 1(a), ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • resolved; (§ 8.7.3.3 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • resolved; (§ 8.6.1 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After … (§ 8.6.1 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Information security incidents should be responded to in accordance with the documented procedures. (§ 16.1.5 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information security incidents should be responded to in accordance with the documented procedures. (§ 5.26 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization periodically reviews response strategy and exercises and updates them as necessary, based on: (RS.IM-2.1, CRI Profile, v1.2)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should have procedures in place to ensure noncompliance with privacy policies is reported and documented and corrective measures are taken in a timely manner. (ID 10.2.4, AICPA/CICA Privacy Framework)
  • The privacy incident and breach management program includes the required actions to take. (Generally Accepted Privacy Principles and Criteria § 1.2.7 Bullet 3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Reading incident response and recovery plan documentation to understand the service organization's processes for recovering from identified system events, including its incident response procedures, incident communication protocols, recovery procedures, alternate processing plans, and procedures for… (¶ 3.59 Bullet 12, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. (CC7.3 Responds to Security Incidents, Trust Services Criteria)
  • Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. (CC7.4 Periodically Evaluates Incidents, Trust Services Criteria)
  • Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. (CC7.4 ¶ 2 Bullet 11 Periodically Evaluates Incidents, Trust Services Criteria, (includes March 2020 updates))
  • Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. (CC7.3 ¶ 2 Bullet 1 Responds to Security Incidents, Trust Services Criteria, (includes March 2020 updates))
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • Documentation and reporting regarding Cybersecurity Events and related incident response activities; and (Section 4.H(2)(f), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • The organization must determine if it needs mutual aid/assistance, and if so, agreements must be made. Any mutual aid/assistance agreement must be referenced in the program plan. Annex A.5.7 gives further information on mutual aid/assistance agreements. (§ 5.7, Annex A.5.7, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident. (Section 4. 4.6, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • For cloud computing services, is there an online incident response status portal, which outlines planned outages and unplanned outages? (§ V.1.26, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • CMS business partners shall report the date and time of the security incident or when it was first discovered; the systems, programs, and networks that were affected; and submit an impact analysis when reporting confirmed security incidents. The organization shall only release information on an as-n… (§ 3.6.1 ¶ 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.4.2: Upon discovery, an employee must report improper inspections or disclosures of sensitive information to his/her supervisor, who will then contact CMS. CSR 1.6: The organization shall implement an incident response capability. CSR 3.1.1: The organization must define the measures for invest… (CSR 1.4.2, CSR 1.6, CSR 3.1.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must use automated mechanisms to assist in reporting security incidents. (CSR 1.6.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must implement processes for modifying incident handling procedures and control techniques after an incident occurs. (CSR 1.6.1(5), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Each agency must develop, document, and implement an information security program, which includes any information and information systems provided or managed by another agency or contractor. The program must include procedures to detect, report, and respond to security incidents, including notifying… (§ 3544(b)(7)(C), Federal Information Security Management Act of 2002)
  • The Director of the Office of Management and Budget must ensure the central Federal information security incident center provides timely technical assistance to agency information system operators with security incidents; compiles and analyzes incident information; informs information system operato… (§ 3546(a), Federal Information Security Management Act of 2002)
  • The Information Assurance Officer must coordinate any needed security incident support with CERT. (§ 3.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (IR.2.092, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (IR.2.092, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (IR.2.092, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (IR.2.092, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (IR.L2-3.6.1 Incident Handling, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • When using cloud services, mission partners and contractors are responsible for following all guidance in this CC SRG related to the Mission Owner that is not specific to a DISN-provided capability (e.g. CAP) or an enterprise service. The appropriate impact level must be selected based on the DoD da… (Section 5.13 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • A plan must be developed and tested to respond to security incidents. (§ 27.230(a)(9), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The agency shall implement formal event reporting and escalation procedures for security incidents. (§ 5.3.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall use automated mechanisms to help in reporting security incidents, wherever feasible. (§ 5.3.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The criminal justice information services systems agency information security officer shall develop, implement, and maintain internal incident response procedures and coordinate with other organizations that may or may not be affected. (§ 5.3.1.1.2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • A consistent and effective approach shall be applied to the management of security incidents. Responsibilities and procedures shall be in place to handle security events and weaknesses effectively once they have been reported. (§ 5.3.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Develop, implement, and maintain internal incident response procedures and coordinate those procedures with other organizations that may or may not be affected. (§ 5.3.1.1.2 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • In addition to the requirements in Section 5.3 Incident Response, agencies shall develop additional or enhanced incident reporting and handling procedures to address mobile device operating scenarios. Rapid response to mobile device related incidents can significantly mitigate the risks associated w… (§ 5.13.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Resources must be effectively managed. The National Incident Management System manages the emergency resources with eight processes: identifying and categorizing the resources; certifying personnel; maintaining a resource inventory; identifying any requirements for the resources; acquiring any neede… (Chap IV, National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • Verify that event management processes include event response procedures that are appropriate to the event. (App A Objective 8:3c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The institution has documented how it will react and respond to cyber incidents. (Domain 5: Assessment Factor: Resilience Planning and Strategy, PLANNING Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Enable the use of response teams and responses depending on the type of event. (App A Objective 8.5.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Logs access and events, defines alerts for significant events, and develops processes to monitor and respond to anomalies and alerts. (App A Objective 6.22.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has effective incident response processes, including the following: (App A Objective 8.6, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Restoration and follow-up strategies. (App A Objective 8.6.i, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Protocols defined in the incident response policy to declare and respond to an incident once identified. (App A Objective 8.6.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Policies and procedures to guide the response, assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort. (App A Objective 8.6.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Developing, implementing, and periodically testing incident response procedures. (App A Objective 12:8 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should maintain a contact list for communicating with various external groups during an emergency. The organization should coordinate and communicate its pandemic plans with outside parties. (Pg D-7, Pg G-6, Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. (Exam Tier I Obj 8.5, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 4.7, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The financial institution must adopt specific security measures for a response program that specifies actions to take when it suspects or detects unauthorized access to customer information systems. The response program should, at a minimum, contain procedures for the following: to assess the n… (Supplement A.I Risk Assessment and Controls, Supplement A.II Components of a Response Program, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice)
  • Documentation and reporting regarding security events and related incident response activities; and (§ 314.4 ¶ 1(h)(6), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The Identity Theft Prevention Program must include reasonable policies and procedures to respond to all detected Red Flags to prevent and mitigate identity theft. (§ 41.90(d)(2)(iii), § 222.90(d)(2)(iii), § 334.90(d)(2)(iii), § 571.90(d)(2)(iii), § 681.2(d)(2)(iii), § 717.90(d)(2)(iii), App J to Part 41.IV, App J to Part 222.IV, App J to Part 334.IV, App J to Part 571.IV, App A to Part 681.IV, App J to Part 717.IV, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • (SP-3.4, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Incident response procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. (IR-1b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Incident response procedures [FedRAMP Assignment: at least annually]. (IR-1b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Incident response procedures [FedRAMP Assignment: at least annually]. (IR-1b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must provide advice on and assistance in handling and reporting security incidents to the users. (§ 5.6.8, Exhibit 4 IR-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Has the Credit Union implemented response programs specifying the actions to take when unauthorized access to member Information Systems is detected or suspected, including reporting to law enforcement agencies and regulatory agencies? (IT - 748 Compliance Q 6g, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do the incident response procedures address the loss of service due to cyber crimes? (IT - Business Continuity Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.6.2 Bullet 1: Maintain an incident response team when reasonable and appropriate given the size, scope, and mission of the organization. § 4.6.3 Bullet 4: Update each incident response procedure as required based on changing organizational needs. (§ 4.6.2 Bullet 1, § 4.6.3 Bullet 4, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • § 4.6.3 Bullet 3: Collect suggestions and make appropriate changes to each incident response procedure. § 4.20.4 Bullet 3: Establish a reporting mechanism and a process for the plan sponsor to use when a security incident occurs. (§ 4.6.3 Bullet 3, § 4.20.4 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Identify actions to take to improve each security control after a security incident. (§ 4.6.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The incident response team needs to notify appropriate individuals after an incident is analyzed and prioritized. The incident response policy should include what must be reported to whom and when. Parties that are usually notified include the CIO; information security head; local information securi… (§ 3.2.7, App J, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Table 3-1 contains a list of available tools and resources that may be valuable while handling an incident and includes information on communications and facilities, incident analysis software and hardware, incident analysis resources, and incident mitigation software. Many response teams create "ju… (§ 3.1.1, App G, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Protection processes are continuously improved. (PR.IP-7, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response Actions. There are several responses that can be taken in the event of an incident. These range from doing nothing to full system shutdown (although full shutdown of an ICS is a highly unlikely response). The response taken will depend on the type of incident and its effect on the ICS syste… (§ 6.2.8 ICS-specific Recommendations and Guidance ¶ 3 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs). (T0175, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should consider developing privacy policies and associated procedures for Personally Identifiable Information Incident Response and data breach notification. (§ 4.1.1 ¶ 1 Bullet 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should integrate policies on determining when and if a breach is publicly reported into the existing incident handling response policies. (§ 5 ¶ 1, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The Incident Response security policy must include the objectives, roles, and responsibilities of the program. (SG.IR-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Incident Response security policy must include the scope of the program. (SG.IR-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must coordinate the investigation results and review results with the incident response capability. (SG.PE-4 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must verify that the investigation and response to physical security incidents are included in the incident response capability. (SG.PE-4 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. (3.6.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (3.6.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (3.6.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should incorporate detection of unauthorized, security-relevant configuration changes into the incident response capability to ensure the changes are tracked, monitored, corrected, and available for historical purposes. (App F § CM-6(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must incorporate the lessons learned from the incident handling activities into the incident response procedures, training, tests, and exercises, and implement the changes. (App F § IR-4.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should include dynamic reconfiguration in the incident response capabilities. (App F § IR-4(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should identify classes of incidents and define the actions to take to ensure organizational missions and business functions continue. (App F § IR-4(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. (IR-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes dynamic reconfiguration of {organizationally documented information system components} as part of the incident response capability. (IR-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies {organizationally documented classes of incidents} and {organizationally documented actions to take in response to classes of incidents} to ensure continuation of organizational missions and business functions. (IR-4(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements incident handling capability for insider threats. (IR-4(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization responds to information spills by performing other {organizationally documented actions}. (IR-9f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system {shuts the information system down} when anomalies are discovered. (SI-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system {restarts the information system} when anomalies are discovered. (SI-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system {organizationally documented alternative action(s)} when anomalies are discovered. (SI-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. (IR-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system {shuts the information system down} when anomalies are discovered. (SI-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system {restarts the information system} when anomalies are discovered. (SI-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system {organizationally documented alternative action(s)} when anomalies are discovered. (SI-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. (IR-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. (IR-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; (IR-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Incident response procedures [Assignment: organization-defined frequency]. (IR-1b.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The cyber security plan must describe how licensees will maintain the capability to detect and respond to cyber attacks in a timely manner. (§ 73.54(e)(2)(i), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • Develop internal and external notification requirements and procedures for security events. (Table 1: Communication Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Pipeline operators should follow the notification criteria in Appendix B. (Table 2: Communications Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Establish and maintain a process that supports 24 hours a day cyber incident response. (Table 2: Response Planning Enhanced Security Measures Cell 2, Pipeline Security Guidelines)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (Section 27-62-4(h)(2) f., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (Part VI(c)(8)(B)(vii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and that are reasonably designed to protect the confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction… (¶ 4e-70(b)(5), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (§ 8604.(h)(2) f., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§431:3B-207(b)(6), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (Sec. 20.(b)(6), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (507F.4 7.f., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (§2504.H.(2)(f), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§2264 8.F., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (Sec. 555.(8)(f), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 60A.9851 Subdivision 8(b)(6), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 83-5-807 (8)(b)(vi), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 420-P:4 VIII.(b)(6), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event. (§ 500.16 Incident Response Plan (b)(7), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (26.1-02.2-03. 9.(6), North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; (Section 3965.02 (H)(2)(f), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • documentation and reporting regarding cybersecurity events and related incident response activities; and (SECTION 38-99-20. (H)(2)(f), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 56-2-1004 (8)(B)(vi), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., TX-RAMP Security Controls Baseline Level 1)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., TX-RAMP Security Controls Baseline Level 1)
  • Incident response procedures [TX-RAMP Assignment: at least annually]. (IR-1b.2., TX-RAMP Security Controls Baseline Level 1)
  • Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and (IR-1a.2., TX-RAMP Security Controls Baseline Level 2)
  • Provides the organization with a roadmap for implementing its incident response capability; (IR-8a.1., TX-RAMP Security Controls Baseline Level 2)
  • Incident response procedures [TX-RAMP Assignment: at least annually]. (IR-1b.2., TX-RAMP Security Controls Baseline Level 2)
  • detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or (13-61-304 (1)(h)(i), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 38.2-623.G.6., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The reporting and documentation of a cybersecurity event and related incident response activities. (§ 601.952(5)(f), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)