Provide and display incident management contact information to customers.


CONTROL ID
06386
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a customer service program., CC ID: 00846

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O41.6: The organization should inform customers on its website, brochures, storefront posters, cards, and bankbooks of the phone number or locations for reporting loss or theft of devices, cards, or the like. O41.7: The organization should use appropriate search terms to facilitate an operator's se… (O41.6, O41.7, O105.5, O105-1.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Financial institutions should establish and maintain a proper system to immediately accept notifications from customers and eliminate unauthorized use due to accidents. (P64.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Customers should be informed well of the locations for acceptance of notifications of accidents (contact telephone number, etc.). (P64.6. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should assign an e-mail address of itsa@agency for its Information Technology Security Advisor. (Control: 0025, Australian Government Information Security Manual: Controls)
  • PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. (3.8 98, Final Report EBA Guidelines on ICT and security risk management)
  • contact information for the reporting of issues; and (Provision 5.2-1 Bullet 1, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • The purpose of the service desk practice is to capture demand for incident resolution and service requests. It should also be the entry point and single point of contact for the service provider with all of its users. (5.2.14 ¶ 1, ITIL Foundation, 4 Edition)
  • Do users, including business associates and customers, know who to contact when they have problems with operating systems, laptops, access to new project data, passwords, security applications, or proprietary software? (Table Row II.15, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Payment service providers should have implemented procedures for trademark owners to report any websites using their network to process payments that are selling counterfeit products. (Best Practices for Payment Service Providers (PSPs) ¶ 2, Addressing the Sale of Counterfeits on the Internet)
  • Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an e-mail address of security@organization.com or have a web page http://organization.com/security). (Control 19.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners. (CIS Control 19: Sub-Control 19.5 Maintain Contact Information For Reporting Security Incidents, CIS Controls, 7.1)
  • Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners. (CIS Control 19: Sub-Control 19.5 Maintain Contact Information For Reporting Security Incidents, CIS Controls, V7)
  • As a part of the service specifications, the cloud service provider should define the allocation of information security incident management responsibilities and procedures between the cloud service customer and the cloud service provider. The cloud service provider should provide the cloud service … (§ 16.1.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The process for submitting complaints is communicated to the authorized users. (Security Prin. and Criteria Table § 2.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The process for submitting complaints is communicated to the authorized users. (Availability Prin. and Criteria Table § 2.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • For electronic commerce systems, the website provides customers with where they can obtain warranty, repair service, and support related to the goods and services purchased on the website. (Processing Integrity Prin. and Criteria Table § 2.1 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • For electronic commerce systems, the website provides procedures for resolving processing integrity issues, such as complaints about Quality of Service, accuracy, completeness, and the quality of the product, along with the consequences of failing to resolve the issue. (Processing Integrity Prin. and Criteria Table § 2.1 d, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The process for obtaining support and informing the entity about system processing integrity issues, errors, and omissions, and security breaches is communicated to the authorized users. (Processing Integrity Prin. and Criteria Table § 2.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The process for submitting complaints is communicated to the authorized users. (Confidentiality Prin. and Criteria Table § 2.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. (CC2.2 Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters, Trust Services Criteria)
  • External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. (CC2.3 Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters, Trust Services Criteria)
  • Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. (CC2.2 ¶ 4 Bullet 2 Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters, Trust Services Criteria, (includes March 2020 updates))
  • External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. (CC2.3 ¶ 6 Bullet 4 Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters, Trust Services Criteria, (includes March 2020 updates))
  • Internal and external users have been provided with information on how to report [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] failures, incidents, concerns, and other complaints to appropr… (CC2.5, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Make the designated addresses or numbers, or means to obtain the designated addresses or numbers, readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers. (§ 1798.83(b)(1)(C) ¶ 1, California Civil Code Title 1.81 Customer Records § 1798.80-1798.84)