Establish, implement, and maintain an incident response plan.


CONTROL ID: 12056
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Include addressing external communications in the incident response plan., CC ID: 13351
  • Include addressing internal communications in the incident response plan., CC ID: 13350
  • Include change control procedures in the incident response plan., CC ID: 15479
  • Include addressing information sharing in the incident response plan., CC ID: 13349
  • Include dynamic reconfiguration in the incident response plan., CC ID: 14306
  • Include a definition of reportable incidents in the incident response plan., CC ID: 14303
  • Include the management support needed for incident response in the incident response plan., CC ID: 14300
  • Include root cause analysis in the incident response plan., CC ID: 16423
  • Include how incident response fits into the organization in the incident response plan., CC ID: 14294
  • Include the resources needed for incident response in the incident response plan., CC ID: 14292


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • formulating contingent plans for personal information security emergencies and organizing the implementation of such plans; and (Article 51 ¶ 1(5), Personal Information Protection Law of the People's Republic of China)
  • Developing plans to respond to and document information security incidents (Critical components of information security 10) (ii) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Prevention of and response to an intrusion; (Article 45-3(3)(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • the types of incidents likely to be encountered and the expected response to each type (Security Control: 0043; Revision: 3; Bullet 2, Australian Government Information Security Manual, March 2021)
  • An incident management policy, and associated incident response plan, is developed, implemented and maintained. (Control: ISM-0576; Revision: 9, Australian Government Information Security Manual, June 2023)
  • Following the identification of a cyber security incident, an organisation's incident response plan is enacted. (Control: ISM-1819; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Systems have an incident response plan that covers the following: (Control: ISM-0043; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Systems have a cyber security incident response plan that covers the following: (Control: ISM-0043; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Following the identification of a cyber security incident, an organisation's cyber security incident response plan is enacted. (Control: ISM-1819; Revision: 1, Australian Government Information Security Manual, September 2023)
  • A cyber security incident management policy, and associated cyber security incident response plan, is developed, implemented and maintained. (Control: ISM-0576; Revision: 10, Australian Government Information Security Manual, September 2023)
  • An APRA-regulated entity would maintain plans in line with information security incidents experienced, both internally and externally. Examples of information security incidents include: (70., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity must maintain plans to respond to information security incidents that the entity considers could plausibly occur (information security response plans). (24., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • approve, oversee and periodically review the implementation of the financial entity's ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial… (Art. 5.2. ¶ 2(e), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews. (Art. 11.6. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews. (Art. 11.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures established in accordance with Article 12; (Art. 11.2.(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Procedures are defined and documented to communicate the information received to the internal and external employees of the cloud provider and to be able to respond to it appropriately and in a timely manner. (Section 5.1 OIS-05 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The entity has a comprehensive privacy incident and breach management plan which provides examples of unauthorized uses and disclosures, as well as guidelines to determine whether an incident constitutes a breach. The plan is communicated to personnel who handle PI. (M1.3 Privacy incident response plan, Privacy Management Framework, Updated March 1, 2020)
  • Pursuant to federal statutory authority, including the Federal Information Security Modernisation Act of 2014, the OMB and the National Institute of Standards and Technology (NIST) have developed standards which are binding on federal agencies (including criminal law enforcement authorities) and tha… (3.1.1.2 (104), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Implement an incident response plan. Be prepared to respond immediately to a system breach. (12.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement an incident response plan. Be prepared to respond immediately to a system breach. (12.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows: (12.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows: (12.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine the incident response plan and related procedures to verify entity is prepared to respond immediately to a system breach by performing the following: (12.10, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to: (12.10.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Reviewed and the content is updated as needed. (12.10.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the incident response plan to verify that the plan exists and includes at least the elements specified in this requirement. (12.10.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel and examine documentation from previously reported incidents or alerts to verify that the documented incident response plan and procedures were followed. (12.10.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Reviewed and updated as needed. (12.10.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to: (12.10.1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to: (12.10.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. (12.10.1, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. (12.10.1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to: (12.10.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. (12.10.1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to: (12.10.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reviewed and the content is updated as needed. (12.10.2 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reviewed and the content is updated as needed. (12.10.2 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to: (12.10.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. (12.10.1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted. (SEF-03, Cloud Controls Matrix, v4.0)
  • Plan for Incident Response and Information Sharing (7, Swift Customer Security Controls Framework (CSCF), v2019)
  • It is the responsibility of each organization to establish emergency preparedness and response plans that suit its own particular needs. In establishing its plans, the organization should include consideration of: (8.2 ¶ 4, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • actual and potential external environmental conditions, including natural disasters; (8.2 ¶ 4 Bullet 1, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • the nature of on-site hazards, e.g. flammable liquid, storage tanks, compressed gases, and measures to be taken in the event of spillages or accidental releases; (8.2 ¶ 4 Bullet 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • the most likely type and scale of an emergency situation; (8.2 ¶ 4 Bullet 3, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • the potential for (an) emergency situation(s) at a nearby facility (e.g. plant, road, railway line); (8.2 ¶ 4 Bullet 5, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • the most appropriate method(s) for responding to an emergency situation; (8.2 ¶ 4 Bullet 6, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • information on hazardous materials, including each material's potential impact on the environment, and measures to be taken in the event of accidental release; (8.2 ¶ 4 Bullet 16, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • mitigation and response action(s) to be taken for different types of emergency situation(s); (8.2 ¶ 4 Bullet 13, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization should maintain documented information to the extent necessary to have confidence that the processes needed for emergency preparedness and response are carried out as planned. (8.2 ¶ 6, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization shall implement and maintain a response structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate … (§ 8.4.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • take action to control and correct it; (§ 10.2 ¶ 2 a) 1), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • deal with the consequences; (§ 10.2 ¶ 2 a) 2), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, CRI Profile, v1.2)
  • The organization's response plans are in place and executed during or after an incident. (RS.RP-1.1, CRI Profile, v1.2)
  • The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from: (RC.IM-1.1, CRI Profile, v1.2)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. (PR.IP-9, CRI Profile, v1.2)
  • The organization's response plans are in place and executed during or after an incident. (RS.RP-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from: (RC.IM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Develops an incident response plan that: (IR-8a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Develops an incident response plan that: (IR-8a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops an incident response plan that: (IR-8a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops an incident response plan that: (IR-8a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reading incident response and recovery plan documentation to understand the service organization's processes for recovering from identified system events, including its incident response procedures, incident communication protocols, recovery procedures, alternate processing plans, and procedures for… (¶ 3.59 Bullet 12, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading incident response and recovery plan documentation to understand the service organization's processes for recovering from identified system events, including its incident response procedures, incident communication protocols, recovery procedures, alternate processing plans, and procedures for… (¶ 3.50 Bullet 6, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As part of its Information Security Program, each Licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event that compromises the confidentiality, integrity, or availability of Nonpublic Information in its possession, the Lice… (Section 4.H(1), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Members should create an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat. Members should consider in appropriate circumstances forming an incident response… (Information Security Program Bullet 4 Response and Recovery from Events that Threaten the Security of the Electronic Systems ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations … (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Plann… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Hori… (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber Security Incident or performing an exercise of a Reportable Cyber Security Incident. Document deviations from the plan(s) taken during the response to the incident or exercise. (CIP-008-5 Table R2 Part 2.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include: (Section 4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include: (Attachment 1 Section 4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident. (Attachment 1 Section 4. 4.6, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • While Zones C and D are typically implemented in physical facilities and while various aspects may use virtualization, these zones may only be implemented in cloud services providing the required lack of connectivity to DoD production networks. This generally precludes on-premises CSOs connected to … (Section 5.14 ¶ 9, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • CSPs will provide, either as part of their Incident Response Plan or through an Incident Response Plan Addendum, their approach to fulfilling DoD Cyberspace Defense integration requirements. CSPs will make their plan or addendum available to DISA for review and approval as a condition of its PA and … (Section 6.5.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The security risk of both accidental and malicious attacks against government and private agencies remains persistent in both physical and logical environments. To ensure protection of CJI, agencies shall: (i) establish operational incident handling procedures that include adequate preparation, det… (§ 5.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether management established an incident response process. As part of incident management planning, determine whether management does the following: (App A Objective 8:10, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control. Such incident response plan shall address the following areas: (§ 314.4 ¶ 1(h), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Develops an incident response plan that: (IR-8a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the incident response plan [FedRAMP Assignment: at least annually]; (IR-8c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Describes the structure and organization of the incident response capability; (IR-8a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Describes the structure and organization of the incident response capability; (IR-8a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops an incident response plan that: (IR-8a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the incident response plan [FedRAMP Assignment: at least annually]; (IR-8c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops an incident response plan that: (IR-8a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Describes the structure and organization of the incident response capability; (IR-8a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the incident response plan [FedRAMP Assignment: at least annually]; (IR-8c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., FedRAMP Security Controls High Baseline, Version 5)
  • Develop an incident response plan that: (IR-8a., FedRAMP Security Controls High Baseline, Version 5)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., FedRAMP Security Controls High Baseline, Version 5)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: at least annually]; and (IR-8a.9., FedRAMP Security Controls High Baseline, Version 5)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., FedRAMP Security Controls Low Baseline, Version 5)
  • Develop an incident response plan that: (IR-8a., FedRAMP Security Controls Low Baseline, Version 5)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., FedRAMP Security Controls Low Baseline, Version 5)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: at least annually]; and (IR-8a.9., FedRAMP Security Controls Low Baseline, Version 5)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Develop an incident response plan that: (IR-8a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: at least annually]; and (IR-8a.9., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop an incident response plan that: (IR-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Develop an incident response plan that: (IR-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Develop an incident response plan that: (IR-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop an incident response plan that: (IR-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Develop an incident response plan that: (IR-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Develop an incident response plan that: (IR-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop an incident response plan that: (IR-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop an incident response plan that: (IR-8a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed (PR.IP-9, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed (PR.IP-9, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Develops an incident response plan that: (IR-8a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops an incident response plan that: (IR-8a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops an incident response plan that: (IR-8a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Describes the structure and organization of the incident response capability; (IR-8a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Describes the structure and organization of the incident response capability; (IR-8a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Describes the structure and organization of the incident response capability; (IR-8a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • To minimize the effects of these intrusions, it is necessary to plan a response. Incident response planning defines procedures to be followed when an intrusion occurs. NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide [59], provides guidance on incident response planning, which mi… (§ 6.2.8 ICS-specific Recommendations and Guidance ¶ 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response Actions. There are several responses that can be taken in the event of an incident. These range from doing nothing to full system shutdown (although full shutdown of an ICS is a highly unlikely response). The response taken will depend on the type of incident and its effect on the ICS syste… (§ 6.2.8 ICS-specific Recommendations and Guidance ¶ 3 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop and maintain deliberate and/or crisis plans. (T0654, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. (PR.PO-P7, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Develop and maintain deliberate and/or crisis plans. (T0654, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develops an incident response plan that: (IR-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Develops an incident response plan that: (IR-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Develops an incident response plan that: (IR-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops an incident response plan that: (IR-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to provide an incident response plan. (SA-15(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops and implements a Privacy Incident Response Plan; and (SE-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan. (SA-15(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop an incident response plan that: (IR-8a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan. (SA-15(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop an incident response plan that: (IR-8a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and (IR-8a.9., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determin… (Bullet 6: Incident Response, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may als… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 3, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered acce… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 2, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Develop and maintain security elements within the corporate incident response and recovery plan; (2 ¶ 1 Bullet 6, Pipeline Security Guidelines)
  • UPDATE FEDERAL INCIDENT RESPONSE PLANS AND PROCESSES (STRATEGIC OBJECTIVE 1.4, National Cybersecurity Strategy)
  • UPDATE FEDERAL INCIDENT RESPONSE PLANS AND PROCESSES (STRATEGIC OBJECTIVE 1.4, National Cybersecurity Strategy (Condensed))
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the info… (Section 27-62-4(h)(1), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Except as provided in subdivision (10) of this subsection, each licensee shall, as part of such licensee's information security program, establish a written incident response plan that is designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality,… (Part VI(c)(8)(A), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • As part of a licensee's information security program, the licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of any of the following: (§ 8604.(h)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licens… (§431:3B-207(a), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event. (Sec. 20.(a), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the lice… (§2504.H.(1), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Incident response plan. As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity or availability of nonpublic information in its po… (§2264 8., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the lice… (Sec. 555.(8), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the lice… (§ 60A.9851 Subdivision 8(a), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity or availability of nonpublic information in its possession, the licen… (§ 83-5-807 (8)(a), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • As part of its program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity or availability of nonpublic information in its possession, the licensee's information sys… (§ 420-P:4 VIII.(a), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity's Information Systems or the… (§ 500.16 Incident Response Plan (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • As part of its cybersecurity program, each covered entity shall establish written plans that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery pla… (§ 500.16 Incident Response and Business Continuity Management (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • updating of incident response plans as necessary. (§ 500.16 Incident Response and Business Continuity Management (a)(1)(ix), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • As part of the licensee's information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee's p… (26.1-02.2-03. 8., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the lice… (Section 3965.02 (H)(1), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • As part of its information security program, a licensee must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's… (SECTION 38-99-20. (H)(1), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • As part of a licensee's information security program, a licensee must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of the licensee's nonpublic information or inform… (§ 56-2-1004 (8)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Develops an incident response plan that: (IR-8a., TX-RAMP Security Controls Baseline Level 1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., TX-RAMP Security Controls Baseline Level 1)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., TX-RAMP Security Controls Baseline Level 1)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., TX-RAMP Security Controls Baseline Level 1)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., TX-RAMP Security Controls Baseline Level 1)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., TX-RAMP Security Controls Baseline Level 1)
  • Is reviewed and approved by [Assignment: organization-defined personnel or roles]; (IR-8a.8., TX-RAMP Security Controls Baseline Level 2)
  • Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; (IR-8d., TX-RAMP Security Controls Baseline Level 2)
  • Describes the structure and organization of the incident response capability; (IR-8a.2., TX-RAMP Security Controls Baseline Level 2)
  • Develops an incident response plan that: (IR-8a., TX-RAMP Security Controls Baseline Level 2)
  • Reviews the incident response plan [Assignment: organization-defined frequency]; (IR-8c., TX-RAMP Security Controls Baseline Level 2)
  • Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; (IR-8a.4., TX-RAMP Security Controls Baseline Level 2)
  • Incident response plan. As part of its information security program, a licensee shall develop an incident response plan to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information, the licensee's informatio… (§ 601.952(5), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)