Maintain contact with breach notification organizations so that they can be notified promptly in the event a privacy breach occurs.


CONTROL ID
01213
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The incident response plan should include the criteria the responsible authority uses to initiate or request formal police or Australian Security Intelligence Organisation investigations of cyber security incidents. (Control: 0059 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization must report cyber security incidents to the Defence Signals Directorate. (Control: 0139, Australian Government Information Security Manual: Controls)
  • The organization must notify the Defence Signals Directorate of suspected compromise or loss of keying material that is associated with High Grade Cryptographic Equipment in accordance with Australian Communications Security Instruction 107. (Control: 0143, Australian Government Information Security Manual: Controls)
  • The organization should notify the accreditation authority if it is considering allowing intrusion activity to continue under controlled conditions in order to scope the intrusion. (Control: 1212, Australian Government Information Security Manual: Controls)
  • The organization should ensure requests for Defence Signals Directorate assistance are made as soon as possible after the detection of the cyber security incident and that no actions that could affect evidence integrity are conducted before the Defence Signals Directorate is involved. (Control: 0915, Australian Government Information Security Manual: Controls)
  • Security incidents should be reported to all appropriate authorities. (§ 2.8.35, § 2.8.43, Australian Government ICT Security Manual (ACSI 33))
  • The Finnish Communications Regulatory Authority must be notified by the telecommunications operator of all significant information security violations in and threats to communications and network services, significant faults and disruptions to the services, and the measures that have been implemente… (§ 21(2), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • The organization may consider reporting suspicious behavior or criminal activity to Law Enforcement agencies as part of its risk mitigation measures. (Annex III - Table Supply Chain Policy - Money Laundering Bullet 3, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should fully cooperate with Law Enforcement agencies on gold transactions. (Supplement on Gold Step 1: § I.C.4, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Ensure legal review to facilitate action in response to the incident. (§ 10, A Ten Step Process for Forensic Readiness)
  • Verify the incident response plan includes procedures for notifying the appropriate individuals or organizations in the event of a compromise. (§ 12.9.1.a Bullet 2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the incident response plan includes procedures for notifying the appropriate individuals or organizations in the event of a compromise, including response procedures from the payment brands. (§ 12.9.1.a Bullet 7 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the incident response plan includes procedures for notifying the appropriate individuals or organizations in the event of a compromise, including response procedures from the payment brands. (§ 12.9.1.a Bullet 7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization should alert all necessary parties of a suspected or confirmed security breach. The compromised Visa account numbers should be provided to the Visa Fraud Control Group within 24 hours. (Pg 61, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The organization should maintain contact with the official local responder for civil emergencies to help it determine, implement, and validate the strategies for business continuity and incident management. These key-responders officially declare when a civil emergency has occurred and provides pre-… (§ 7.9, § 8.5.8 ¶ 1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The best way to address concerns regarding coordination with external agencies is to ensure management is responsible for the business continuity management program and is communicating with external agencies. Communicating and coordinating with external agencies in advance is crucial to securing pa… (§ 5.10 ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Relationships with authorities and regulatory bodies must be deliberately developed and should be considered a resource. The organization should ensure the telephone numbers of fire, police, and other emergency services are displayed throughout the facilities. To aid in securing a parking facility, … (Pg 1-I-A2, Pg 14-II-6, Revised Volume 2 Pg 1-I-33, Revised Volume 2 Pg 1-I-45, Revised Volume 2 Pg 1-I-74, Protection of Assets Manual, ASIS International)
  • The information security function should maintain contact with government and law enforcement agencies. (CF.01.02.08b-2, The Standard of Good Practice for Information Security)
  • Threats relating to development of attacks should be mitigated by establishing and maintaining a formal relationship with groups who are typically involved when preparing for and responding to cybercrime-related attacks (e.g., 'cybercrime-intelligence service providers', law enforcement agencies, go… (CF.11.02.04a, The Standard of Good Practice for Information Security)
  • Threats relating to development of attacks should be mitigated by obtaining cybercrime-related intelligence from a range of different sources (including law enforcement agencies, external cybercrime-intelligence service organizations, and specialist security vendors) to help identify imminent or act… (CF.11.02.04b, The Standard of Good Practice for Information Security)
  • The crisis management process should ensure that, after a crisis (or emergency) has been resolved, action is taken to stop illegal activity (e.g., establishing injunctions against attacking Internet domains and having websites that are masquerading as the organization shutdown). (CF.20.04.08f, The Standard of Good Practice for Information Security)
  • The information security function should maintain contact with government and law enforcement agencies. (CF.01.02.08b-2, The Standard of Good Practice for Information Security, 2013)
  • Threats relating to development of attacks should be mitigated by establishing and maintaining a formal relationship with groups who are typically involved when preparing for and responding to cybercrime-related attacks (e.g., 'cybercrime-intelligence service providers', law enforcement agencies, go… (CF.11.02.04a, The Standard of Good Practice for Information Security, 2013)
  • Threats relating to development of attacks should be mitigated by obtaining cybercrime-related intelligence from a range of different sources (including law enforcement agencies, external cybercrime-intelligence service organizations, and specialist security vendors) to help identify imminent or act… (CF.11.02.04b, The Standard of Good Practice for Information Security, 2013)
  • The crisis management process should ensure that, after a crisis (or emergency) has been resolved, action is taken to stop illegal activity (e.g., establishing injunctions against attacking Internet domains and having websites that are masquerading as the organization shutdown). (CF.20.04.09f, The Standard of Good Practice for Information Security, 2013)
  • Secured communications should be available for communicating with the incident handling team, because both the computer systems and the PBX might be penetrated. Encrypted phones and faxes may be the only way to communicate without the perpetrator knowing every move as it happens. Before an incident … (Action 1.4.6, Action 1.9.2, Action 1.9.3, SANS Computer Security Incident Handling, Version 2.3.1)
  • Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have be… (SEF-01, Cloud Controls Matrix, v3.0)
  • The organization shall establish procedures to notify regulatory authorities when national or regional regulations require the organization to provide notification of adverse events. (§ 8.5.1 ¶ 5, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Appropriate contacts with relevant authorities shall be maintained. (A.6.1.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Procedures should be in place to specify how and when an organization should contact authorities if illegal activity is suspected. Other contacts that should be kept up to date include emergency services, utilities, and regulatory bodies. (§ 6.1.6, ISO 27002 Code of practice for information security management, 2005)
  • Appropriate contacts with relevant authorities should be maintained. (§ 6.1.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Applicable policies and procedures to coordinate the response, continuity, and recovery activities with the appropriate resources and authorities, including activating and deactivating the incident management plan(s), must be developed by the organization, which must ensure the plan(s) complies with… (§ 5.9.4, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • The Transportation Security Administration must be notified of all threats immediately. (§ 1542.307(b)(3), 49 CFR Part 1542, Airport Security)
  • A covered entity shall immediately notify the Secretary of Health and Human Services of breaches disclosing the unsecured protected health information of 500 or more individuals; annually if less than 500 individuals are affected. (§ 13402(e)(3), American Recovery and Reinvestment Act of 2009, Division A Title XIII Health Information Technology)
  • Significant Bank Secrecy Act (BSA) violations should be referred to FinCEN to review the violations for possible criminal and/or civil penalties. Known or suspected violations and criminal activity must be reported to FinCEN on a Suspicious Activity Report form. (Pg 39, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • All unauthorized disclosures of information regarding restricted data (RD), formerly restricted data (FRD), and NATO-classified information must be reported to the cognizant security authority. (§ 9-102, § 10-718, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Covered entities shall notify the Secretary of Health and Human Services (HHS) when a breach of unsecured protected health information is discovered. When a breach involves more than 500 individuals, the covered entity shall provide the notice to the Secretary at the same time as it provides the not… (§ 164.408(a), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Exam Tier I Obj 4.3 Verify that appropriate policies, standards, and processes address business continuity planning issues including: ▪ Security; ▪ Project management; ▪ Change control process; ▪ Data synchronization, back-up, and recovery; ▪ Crisis management (responsibility for disaster … (Exam Tier I Obj 4.3, Exam Tier I Obj 8.6, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The financial institution must adopt specific security measures for a response program that includes appropriate reports to regulatory agencies. The financial institution's response program should, at a minimum, contain procedures for notifying the primary Federal regulator as soon as possible after… (Supplement A.I Risk Assessment and Controls, Supplement A.II Components of a Response Program, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice)
  • Filing procedures—(i) Timing. A credit union must file a SAR with FinCEN no later than 30 calendar days from the date the suspicious activity is initially detected, unless there is no identified suspect on the date of detection. If no suspect is identified on the date of detection, a credit union … (§ 748.1 (c)(2)(i), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Does the Credit Union Security Incident Response policy include the persons to notify, including local law enforcement or the Federal Bureau of Investigation? (IT - Policy Checklist Q 37, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Federal agencies must report security incidents to the United States Computer Emergency Readiness Team (US-CERT). Other places the organization may notify include the CERT Coordination Center, law enforcement, and the media, as well as involved parties, such as the organization's Internet Service Pro… (§ 2.3.4, App J, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • The organization should build relationships with the local fire and police departments to achieve a trusting relationship and a thorough understanding of the first response procedures. If the situation warrants, federal officials or fire and police officials may assume authority over the facility. I… (App D (Relationships with Response Organizations), Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Organizational records and documents should be examined to ensure the organization maintains contacts with security groups, associations, and forums in order to stay current with security techniques and technologies. Interviews should be conducted with personnel involved in information security to s… (AT-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The Industrial Control System Security Center is maintained by the United States Computer Emergency Readiness Team. (App I § IR-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Collect 24/7 contact numbers for incident response team and provide to team members. Make arrangements with the credit reporting agencies during your preparations for giving notice, without delaying the notice for this reason. (Part II ¶ 3, Part III Contact Credit Reporting Agencies on Large Breaches of Financial-Related Information ¶ 1, California OPP Recommended Practices on Notification of Security Breach, May 2008)