
Create an incident response report following an incident response.


CONTROL ID: 12700
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Include any consequences to organizational reputation and confidence due to the incident in the incident response report., CC ID: 12728
  • Include the number of customers that were affected by the incident in the incident response report., CC ID: 12727
  • Include investments associated with the incident in the incident response report., CC ID: 12726
  • Include costs associated with the incident in the incident response report., CC ID: 12725
  • Include losses due to the incident in the incident response report., CC ID: 12724
  • Include a description of the impact the incident had on customer service in the incident response report., CC ID: 12735
  • Include foregone revenue from the incident in the incident response report., CC ID: 12723
  • Include the magnitude of the incident in the incident response report., CC ID: 12722
  • Include implications of the incident in the incident response report., CC ID: 12721
  • Include measures to prevent similar incidents from occurring in the incident response report., CC ID: 12720
  • Include breaches of regulatory requirements due to the incident in the incident response report., CC ID: 12719
  • Include information on all affected assets in the incident response report., CC ID: 12718
  • Include the scope of the incident in the incident response report., CC ID: 12717
  • Include the duration of the incident in the incident response report., CC ID: 12716
  • Include the extent of the incident in the incident response report., CC ID: 12715
  • Include measures to mitigate the root causes of the incident in the incident response report., CC ID: 12714
  • Include the reasons the incident occurred in the incident response report., CC ID: 12711
  • Include the frequency of similar incidents occurring in the incident response report., CC ID: 12712
  • Include lessons learned from the incident in the incident response report., CC ID: 12713
  • Include where the incident occurred in the incident response report., CC ID: 12710
  • Include when the incident occurred in the incident response report., CC ID: 12709
  • Include corrective action taken to eradicate the incident in the incident response report., CC ID: 12708
  • Include a description of the impact the incident had on regulatory compliance in the incident response report., CC ID: 12704
  • Include a description of the impact the incident had on operations in the incident response report., CC ID: 12703
  • Include an executive summary of the incident in the incident response report., CC ID: 12702
  • Include a root cause analysis of the incident in the incident response report., CC ID: 12701
  • Submit the incident response report to the proper authorities in a timely manner., CC ID: 12705


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The FI should maintain a record of past incidents which include lessons learnt to facilitate the diagnosis and resolution of future incidents with similar characteristics. (§ 7.8.2, Technology Risk Management Guidelines, January 2021)
  • Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions' information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appro… (3.4.5 38, Final Report EBA Guidelines on ICT and security risk management)
  • Reports of unscheduled deviations from standard operations (disruptions) and their causes shall, in a suitable way, be recorded, evaluated, prioritised with particular regard to potentially resulting risks, and escalated according to defined criteria. The processing, analysis of causes, and identifi… (II.7.50, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil. (§ 252.204-7012(c)(2), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and t… (§ 164.308(a)(6)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies; and (§ 748 Appendix A. III.C.1.g., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Catastrophic act report. Each federally insured credit union will notify the regional director within 5 business days of any catastrophic act that occurs at its office(s). A catastrophic act is any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or cau… (§ 748.1 (b), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies. (T0246, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Correlate incident data and perform cyber defense reporting. (T0400, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Prepare reports to document the investigation following legal standards and requirements. (T0523, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies. (T0546, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies. (T0246, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Correlate incident data and perform cyber defense reporting. (T0400, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Prepare reports to document the investigation following legal standards and requirements. (T0523, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies. (T0546, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and implement a written post-event report assessing security drills or exercises and documenting corrective actions. (Table 1: Drills and Exercises Enhanced Security Measures Cell 2, Pipeline Security Guidelines)
  • documentation and reporting regarding Cybersecurity Events and related incident response activities; and (§ 500.16 Incident Response Plan (b)(6), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)