Include the incident response point of contact's roles and responsibilities in the Incident Response program.
CONTROL ID
01877
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Include the incident response team member's roles and responsibilities in the Incident Response program., CC ID: 01652

This Control has the following implementation support Control(s):
  • Open a priority incident request after a security breach is detected., CC ID: 04838
  • Activate the incident response notification procedures after a security breach is detected., CC ID: 04839
  • Notify interested personnel and affected parties that a security breach was detected., CC ID: 11788


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands, at a minimum? (12.10.1 (b)(1), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • The incident management team should be contacted immediately after the service desk is made aware of an incident. The person making the contact should record who he/she contacted and the response. Leaving a phone message is not an acceptable response. (§ 8.4.3, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • A single point of contact for incident handling should be established. The method for selecting this individual should be predefined. The individual should have broad general knowledge and experience in handling incidents and determining problems. Several individuals should be identified, so someone… (Action 1.4.5, Action 2.1.1, Action 2.5.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • Liaisons and points of contact with local authorities shall be maintained in accordance with business and customer requirements and compliance with legislative, regulatory, and contractual requirements. (CO-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Top management shall ensure an individual has been appointed to be responsible for managing major incidents. (§ 8.1 ¶ 6, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The Incident Response Operational Contact should be known to all members of the organization. He/she should always be available and should be able to provide a timely response. (§ 13.1.1, ISO 27002 Code of practice for information security management, 2005)
  • States that the technology operations center should serve as the central point of contact for reporting any suspected or confirmed breach of personal information on an individual. (Pg 11 Information Technology Operations Center ¶ 1, AICPA Incident Response Plan: Template for Breach of Personal Information)
  • The criminal justice information services systems agency information security officer shall assign a Point Of Contact in each state, federal, and international Law Enforcement organization for interfacing with the Federal Bureau of Investigation criminal justice information services division about i… (§ 5.3.1.1.2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The criminal justice information services systems agency information security officer shall identify the individuals who are responsible for reporting security incidents inside their area of responsibility. (§ 5.3.1.1.2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The criminal justice information services systems agency information security officer shall act as the Point Of Contact for requesting incident response assistance. (§ 5.3.1.1.2(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Serve as a point-of-contact (POC) for computer incident notification and distribution of security alerts to the CSOs and ISOs. (§ 3.2.10 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Assign individuals in each state, federal, and international law enforcement organization to be the primary point of contact for interfacing with the FBI CJIS Division concerning incident handling and response. (§ 5.3.1.1.2 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Act as a single POC for their jurisdictional area for requesting incident response assistance. (§ 5.3.1.1.2 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Act as a single POC for their jurisdictional area for requesting incident response assistance. (§ 5.3.1.1.2 ¶ 1 6., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Serve as a point-of-contact (POC) for computer incident notification and distribution of security alerts to the CSOs and ISOs. (§ 3.2.10 ¶ 1 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Assign individuals in each state, federal, and international law enforcement organization to be the primary point of contact for interfacing with the FBI CJIS Division concerning incident handling and response. (§ 5.3.1.1.2 ¶ 1 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A process exists to contact personnel who are responsible for analyzing and responding to an incident. (Domain 5: Assessment Factor: Escalation and Reporting, ESCALATION AND REPORTING Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • The organization should maintain a list of the names, positions, and telephone numbers of the points of contact for reporting an incident. (Pg 33, FFIEC IT Examination Handbook - Operations, July 2004)
  • A single employee should be in charge of incident response, regardless of which structure the organization chooses. If the fully outsourced model is chosen, this person's responsibility is to oversee and evaluate the work of the outsourcer. (§ 2.4.3 ¶ 1, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Include critical suppliers in contingency planning, incident response, and disaster recovery planning and testing. (3.4.2. ¶ 1 Bullet 10, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization should establish a committee or person to be responsible for coordinating the organization's response to a breach. (§ 5.1 ¶ 4, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The OEP should also include procedures and multiple contact methods for collecting a personnel head count after the disaster. It is important for senior management to know who was in the building prior to the event and who has been accounted for (both onsite and offsite personnel) so that civil auth… (Appendix D Subsection 1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • One of the most important activities is internal communication within the organization. Staff and management need to know what has occurred, the status of the situation, what actions they should take, and who is in charge of the situation. One person or team should be responsible for internal commun… (Appendix D Subsection 5 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The System Security Plan must identify who will lead the response effort if an incident occurs. (SG.IR-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Designate one individual as responsible for coordinating your internal notification procedures. (Part II ¶ 2, California OPP Recommended Practices on Notification of Security Breach, May 2008)