Include security incident response procedures in the internal control framework.

CONTROL ID: 01359
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should have defined procedures for the escalation of a security incident. (¶ 72, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • the identification of measures relating to preparedness, response and recovery, including cooperation between the public and private sectors; (Art. 7.1(c), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Each Member State shall designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities). Member States shall ensure that those authorities have adequate resources to carry out, in an effec… (Article 9 1., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • the cyber crisis management procedures, including their integration into the general national crisis management framework and information exchange channels; (Article 9 4(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Pursuant to federal statutory authority, including the Federal Information Security Modernisation Act of 2014, the OMB and the National Institute of Standards and Technology (NIST) have developed standards which are binding on federal agencies (including criminal law enforcement authorities) and tha… (3.1.1.2 (104), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Verify that responsibility for creating and distributing security incident response and escalation procedures is formally assigned. (§ 12.5.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that responsibility for creating and distributing security incident response and escalation procedures is formally assigned. (§ 12.5.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the responsibility for establishing, documenting, and distributing Security Incident Response and escalation procedures has been formally assigned in the Information Security policies and procedures. (Testing Procedures § 12.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The Information Security policies and procedures must formally assign an individual or team the responsibilities for establishing, documenting, and distributing Security Incident Response and escalation procedures to ensure all situations are handled timely and effectively. (PCI DSS Requirements § 12.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Implement response procedures to be initiated upon the detection of clear-text PAN outside of the CDE to include: (A3.2.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Is the information security management responsibilities for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations formally assigned to an individual or a team? (PCI DSS Question 12.5.3, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Is the information security management responsibilities for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations formally assigned to an individual or a team? (PCI DSS Question 12.5.3, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is the information security management responsibilities for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations formally assigned to an individual or a team? (PCI DSS Question 12.5.3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is the information security management responsibilities for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations formally assigned to an individual or a team? (PCI DSS Question 12.5.3, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Is the information security management responsibilities for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations formally assigned to an individual or a team? (PCI DSS Question 12.5.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the information security management responsibilities for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations formally assigned to an individual or a team? (PCI DSS Question 12.5.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is the information security management responsibilities for establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations formally assigned to an individual or a team? (PCI DSS Question 12.5.3, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • The information security policy should require that breaches of the information security policy are reported. (CF.01.01.03f-1, The Standard of Good Practice for Information Security)
  • The information security policy should require that breaches of the information security policy are reported. (CF.01.01.03f-1, The Standard of Good Practice for Information Security, 2013)
  • ¶ 8.1.3(1)(4) Incident Handling. An organization should implement safeguards which assure that everyone in the organization is aware of the need to report security incidents, including software malfunctions, and identified weaknesses, as quickly as possible. The organization should develop an incid… (¶ 8.1.3(1)(4), ¶ 8.2.4(1), ¶ 10.3.3, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Documented procedures shall exist for escalating all security incidents. (§ 8.1 ¶ 1(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. (A.16.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. (§ 16.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Each agency must develop, document, and implement an information security program, which must include any information and information systems provided or managed by another agency or contractor. The program must include procedures to detect, report, and respond to security incidents, including how t… (§ 3544(b)(7), Federal Information Security Management Act of 2002, Deprecated)
  • Measures appropriate to the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to detect all actual and attempted unlawful, fraudulent, or unauthorized access to or use, disclosure, or alteration of sensitive personally identifiable info… (§ 302(a)(4)(B)(ii), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Establish a security incident response and reporting procedure to discover, investigate, document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS Division ISO major incidents that significantly endanger the security or integrity of CJI. (§ 3.2.8 ¶ 1 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Develop policies that address the concepts of information security incident response and resilience and test information security incident scenarios. (App A Objective 6.34.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the institution has risk monitoring and reporting processes that address changing threat conditions in both the institution and the greater financial industry. Determine whether these processes address information security events faced by the institution, the effectiveness of manag… (App A Objective 7.1, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Identify personnel who will have critical information security roles during a disaster, and train personnel in those roles. - Define information security needs for backup sites and alternate communication networks. - Establish and maintain policies that addre… (II.C.21 Business Continuity Considerations, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Developing and implementing processes to identify, protect against, detect, respond to, and recover from security events and incidents. (App A Objective 12:8 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A risk-based response program should be developed and implemented by every financial institution to address incidents of unauthorized access to customer information in customer information systems. The response program should be a key part of the information security program and should be appropriat… (Supplement A.II ¶ 1, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice)
  • Does management take timely action to address inappropriate activity once it has been detected? (IT - Security Program Q 29, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Document the incident response procedures to guide the day-to-day operations of the incident response team. (§ 4.6.3 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization's policies and procedures must define how the emergency response plan is implemented. (SG.IR-11 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The cyber security program must be able to implement security controls to protect assets identified in section 73.54(b)(1) from cyber attacks; apply and maintain defense-in-depth protective strategies to detect, respond to, and recover from cyber attacks; reduce the severity of the adverse effects o… (§ 73.54(c), § 73.54(e)(2), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • A risk-based corporate security program should be established and implemented by each pipeline operator to address and document the organization's policies and procedures for managing security related threats, incidents, and responses. In addition, each operator should: (2 ¶ 1, Pipeline Security Guidelines)
  • The security plan shall include a capability to help users when a security incident occurs and to share information with other organizations. (§ A.3.a.2.d, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • The comprehensive information security program must include the documenting of all actions taken in connection with a security incident. (§ 17.03(3)12, Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • the internal processes for responding to a Cybersecurity Event; (§ 500.16 Incident Response Plan (b)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Incident response plan. Incident response plans shall be reasonably designed to enable prompt response to, and recovery from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity's information systems or the continuing functionality of any… (§ 500.16 Incident Response and Business Continuity Management (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)