Include incident response team structures in the Incident Response program.


CONTROL ID
01237
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Include the incident response team member's roles and responsibilities in the Incident Response program., CC ID: 01652
  • Include personnel contact information in the event of an incident in the Incident Response program., CC ID: 06385
  • Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program., CC ID: 11789
  • Include identifying remediation actions in the incident response plan., CC ID: 13354
  • Include procedures for providing updated status information to the crisis management team in the incident response plan., CC ID: 12776


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is important to note that a disaster will evolve after occurrence. AIs should establish a CMT to respond to and manage the various stages of a crisis. The CMT should comprise members of the senior management and heads of major support functions (e.g. building facilities, IT, corporate communicati… (4.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Each relevant business and support function should establish a business recovery team which may have sub-teams to carry out the business resumption process. Appropriate recovery personnel with the required knowledge and skills should be assigned to the teams. AIs should ensure that alternate recover… (4.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The organization shall designate at least a primary and secondary responsible person to contact and come to the office when a failure and/or disaster occurs and review these selections regularly. For the computer center, the organization shall designate computer center operation managers and staff; … (O62.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Those with whom to make contact and ask to come to the offices in the event of failure and disaster should be selected as listed below and then reviewed on a regular basis. (P70.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Organizing, training and equipping teams to respond to information security incidents (Critical components of information security 10) (ii) g., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establishing escalation and communication processes and lines of authority (Critical components of information security 10) (ii) b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should determine if a team is needed to be assembled that includes representatives from the appropriate parts of the business. (Step 1 Bullet 3, Key Steps for Organizations in Responding to Privacy Breaches)
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure a fast, effective and proper response to all known security incidents. On the part of the cloud provider, at least the roles listed in OIS-03 must be… (Section 5.13 SIM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. (12.10.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview responsible personnel occupying designated roles to verify that specific personnel are designated to be available on a 24/7 basis to respond to security incidents. (12.10.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. (12.10.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. (12.10.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. (12.10.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. (12.10.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should establish a formal fraud control function, either an individual or a team. Their responsibilities should be clearly defined, and fraud prevention and detection should be the highest priority. (Pg 37, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • In any organization, an Incident Response Team ("IRT") should be made up of senior management and experienced people. The role of the IRT is to promptly handle an incident so that containment, investigation and recovery can quickly occur. The IRT should be empowered by the top management to have dec… (§ 4.1.1, § 4.1.2, VISA Incident Response Procedure for Account Compromise, Version 1.2 2004)
  • The organization should have an incident response structure defined. When an incident occurs, the organization should have a simple and quickly formed team to confirm the incident's nature and extent, take control of the situation, contain the incident, and communicate with stakeholders. This team s… (§ 8.2.1, § 8.2.2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The incident response structure must allow for personnel to confirm the incident's extent and nature; trigger a continuity response; have procedures, processes, and plans for activating, operating, coordinating, and communicating the incident response; have resources to support the management of the… (§ 4.3.2.2, BS 25999-2, Business continuity management. Specification, 2007)
  • Organizations that have significant emergency response needs almost always use a structured approach for managing response efforts. Organizations that use an Incident Command Team model usually customize their approach, retaining the key principles of clearly defined roles and responsibilities and u… (§ 6 ¶ 4, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The handling of privacy breach incidents is as important as protecting privacy. A privacy incident response team should be developed and will act as a liaison to legal, administrative, operational, and technology areas, and to potential claimants, law enforcement, and the press. (§ 5.4 (Legal and Organizational Risks), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization must ensure that an organizational resilience management team has been assigned with the appropriate authority to oversee incident preparedness, response, and recovery. (§ 4.4.1 ¶ 4(a), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The crisis management process should be supported by a predetermined high-level team (e.g., a Crisis Management Team), which includes a member of the organization's governing body (e.g., members of the board or equivalent). (CF.20.04.02a, The Standard of Good Practice for Information Security)
  • The incident handling team should include trained representatives from human resources, risk management, information security, and the legal department. The contact information of each team member should be saved in a contact file. The incident response team is composed of two parts, a Command Decis… (Action 1.3.1, Action 1.3.2, Special Action 5.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. (§ 8.4.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall implement and maintain a structure, identifying one or more teams responsible for responding to disruptions. (§ 8.4.2.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall implement and maintain a response structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate … (§ 8.4.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Identifies organizational incident response team members to the external providers. (IR-7(2)(b), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Identifies organizational incident response team members to the external providers. (IR-7(2)(b), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Identifies organizational incident response team members to the external providers. (IR-7(2)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The definition of clear roles, responsibilities and levels of decision-making authority; (Section 4.H(2)(c), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Members should create an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat. Members should consider in appropriate circumstances forming an incident response… (Information Security Program Bullet 4 Response and Recovery from Events that Threaten the Security of the Electronic Systems ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • The incident response plan must include the establishment of an incident response team. (VIIR-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The alarm response team must investigate intrusions. If damage is detected, a cleared response team must be used to investigate classified areas. The response time for the alarm response team must not exceed 15 minutes. (§ 5-903, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The crisis management team should be involved in the testing process. The testing program should ensure the team can meet the objectives for responding to a disaster. (Pg H-2, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The definition of clear roles, responsibilities, and levels of decision-making authority; (§ 314.4 ¶ 1(h)(3), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The service provider must define a list of incident response personnel (by role and/or name) and organizational elements, including designated federal risk and authorization management program personnel. (Column F: IR-8b, FedRAMP Baseline Security Controls)
  • The service provider must define a list of incident response personnel (by role and/or name) and organizational elements, including designated federal risk and authorization management program personnel. (Column F: IR-8e, FedRAMP Baseline Security Controls)
  • Identifies organizational incident response team members to the external providers. (IR-7(2)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identifies organizational incident response team members to the external providers. (IR-7(2)(b) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. (IR-4(11) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., FedRAMP Security Controls High Baseline, Version 5)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., FedRAMP Security Controls Low Baseline, Version 5)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., FedRAMP Security Controls Moderate Baseline, Version 5)
  • § 4.6.1 Bullet 4: Provide direct technical assistance when security incidents occur. § 4.6.2 Bullet 2: Identify the members of the incident response team. (§ 4.6.1 Bullet 4, § 4.6.2 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Possible structures for an incident response team include central incident response team (a single team that is effective for small organizations and large organizations with minimal geographic diversity of computing resources); distributed incident response teams (multiple incident response teams w… (§ 2.4.1, § 2.4.2, § 2.5, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. (IR-4(11) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Identify organizational incident response team members to the external providers. (IR-7(2)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Identify organizational incident response team members to the external providers. (IR-7(2)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. (IR-4(11) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period]. (3.6.2e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • The organization must establish a response team, including smart grid Information System owners and other process owners. (SG.IR-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should identify the incident response team members to the external providers. (App F § IR-7(2)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization identifies organizational incident response team members to the external providers. (IR-7(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization assigns {organizationally documented personnel} with responsibility for responding to information spills. (IR-9(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization assigns {organizationally documented roles} with responsibility for responding to information spills. (IR-9(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. (IR-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Identifies organizational incident response team members to the external providers. (IR-7(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. (IR-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identify organizational incident response team members to the external providers. (IR-7(2)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. (IR-4(11) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify organizational incident response team members to the external providers. (IR-7(2)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. (IR-4(11) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. (IR-8a.10., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The definition of clear roles, responsibilities, and levels of decision-making authority. (Section 27-62-4(h)(2) c., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • The definition of clear roles, responsibilities and levels of decision-making authority; (Part VI(c)(8)(B)(iii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The definition of clear roles, responsibilities, and levels of decision-making authority. (§ 8604.(h)(2) c., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The definition of clear roles, responsibilities, and levels of decision-making authority; (§431:3B-207(b)(3), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • The definition of clear roles, responsibilities, and levels of decision making authority. (Sec. 20.(b)(3), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • The assignment of clear roles, responsibilities, and levels of decision-making authority for the licensee’s personnel that participate in the incident response plan. (507F.4 7.c., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The definition of clear roles, responsibilities, and levels of decisionmaking authority. (§2504.H.(2)(c), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • The definition of clear roles, responsibilities and levels of decision-making authority; (§2264 8.C., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The definition of clear roles, responsibilities, and levels of decision-making authority. (Sec. 555.(8)(c), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • the definition of clear roles, responsibilities, and levels of decision-making authority; (§ 60A.9851 Subdivision 8(b)(3), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • The definition of clear roles, responsibilities and levels of decision-making authority; (§ 83-5-807 (8)(b)(iii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • The definition of clear roles, responsibilities, and levels of decision-making authority; (§ 420-P:4 VIII.(b)(3), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • the definition of clear roles, responsibilities and levels of decision-making authority; (§ 500.16 Incident Response Plan (b)(3), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • The definition of clear roles, responsibilities, and levels of decisionmaking authority; (26.1-02.2-03. 9.(3), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • The definition of clear roles, responsibilities, and levels of decision-making authority; (Section 3965.02 (H)(2)(c), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • the definition of clear roles, responsibilities and levels of decision-making authority; (SECTION 38-99-20. (H)(2)(c), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The definition of roles, responsibilities, and levels of decision-making authority relating to a cybersecurity event; (§ 56-2-1004 (8)(B)(iii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Identifies organizational incident response team members to the external providers. (IR-7(2)(b), TX-RAMP Security Controls Baseline Level 2)
  • The definition of clear roles, responsibilities, and levels of decision-making authority; (§ 38.2-623.G.3., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The identification of clear roles, responsibilities, and levels of decision-making authority during and immediately following a cybersecurity event. (§ 601.952(5)(c), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)