Establish, implement, and maintain Responding to Failures in Security Controls procedures.


CONTROL ID
12514
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure., CC ID: 12521
  • Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure., CC ID: 12520
  • Include performing a risk assessment to determine whether further actions are required because of the failure of a security control in the Responding to Failures in Security Controls procedure., CC ID: 12519
  • Include identification of the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure., CC ID: 15481
  • Include correcting security issues caused by the failure of a security control in the Responding to Failures in Security Controls procedure., CC ID: 12518
  • Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure., CC ID: 12517
  • Include restoring security functions in the Responding to Failures in Security Controls procedure., CC ID: 12515


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) … (10.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: (A3.3.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause (A3.3.1.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - Identifying and documen… (10.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are processes for responding to critical security control failures defined and implemented, and include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - Identifying and documenting cause(s) of failure, including root ca… (10.8.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are failures in critical security controls documented, including: - Identification of cause(s) of the failure, including root cause - Duration (date and time start and end) of the security failure - Details of the remediation required to address the root cause? (10.8.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Does the failure of a critical security control result in the generation of an alert? (10.8(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For service providers only: Are failures of any critical security controls responded to in a timely manner, as follows: (10.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - I… (10.8.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Failures of any critical security control systems are responded to promptly. Processes for responding to failures in security control systems include: (A3.3.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Failures of any critical security controls systems are responded to promptly, including but not limited to: (10.7.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of: (A3.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond promptly to a security control failure in accordance with all elements specified in this requirement. (A3.3.1.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine detection and alerting processes, and interview personnel to verify that processes are implemented for all critical security controls specified in this requirement and that each failure of a critical security control results in the generation of an alert. (A3.3.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine records to verify that failures of critical security control systems are documented to include: (10.7.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine documentation to verify that processes are defined for the prompt detection and addressing of failures of critical security control systems, including but not limited to failure of all elements specified in this requirement. (10.7.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documentation to verify that processes are defined for the prompt detection and addressing of failures of critical security control systems, including but not limited to failure of all elements specified in this requirement. (10.7.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documentation and interview personnel to verify that processes are defined and implemented to respond to a failure of any critical security control system and include at least all elements specified in this requirement. (10.7.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Additional testing procedure for service provider assessments only: Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an… (10.7.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an alert. (10.7.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented policies and procedures to verify that processes are defined to promptly detect, alert, and address critical security control failures in accordance with all elements specified in this requirement. (A3.3.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Failures of any critical security controls systems are responded to promptly, including but not limited to: (10.7.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Failures of any critical security controls systems are responded to promptly, including but not limited to: (10.7.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • When an unauthorized use or disclosure of personal information has occurred, the affected information is identified and actions are taken to help prevent future recurrence and address control failures to support the achievement of entity objectives. (CC7.3 ¶ 5 Bullet 2 Determines Personal Information Used or Disclosed, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • When an unauthorized use or disclosure of confidential information has occurred, the affected information is identified and actions are taken to help prevent future recurrence and address control failures to support the achievement of entity objectives. (CC7.3 ¶ 4 Bullet 2 Determines Confidential Information Used or Disclosed, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. (CC7.3 Assesses the Impact on Personal Information, Trust Services Criteria)
  • Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. (CC7.3 ¶ 3 Bullet 1 Assesses the Impact on Personal Information, Trust Services Criteria, (includes March 2020 updates))
  • Verify that corrective actions have been implemented and that retesting occurs in a timely fashion to address deficiencies in meeting the entity's objectives. (App A Objective 10:29, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Vulnerability cataloging and remediation tracking. (App A Objective 8.1.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, and improperly implemented changes to systems). (App A Objective 1.3.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • System failures. (App A Objective 11:2 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions]. (SC-36(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. (AC-4(8)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions]. (SC-36(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. (AC-4(8)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls; (§ 500.16 Incident Response Plan (b)(5), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • detects, prevents and responds to attacks or system failures; and (§ 899-bb. 2(b)(ii)(B)(3), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)