Include a root cause analysis of the incident in the incident response report.


CONTROL ID: 12701
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Create an incident response report following an incident response., CC ID: 12700

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • to perform a post-mortem review of the incident, covering the identification of the root cause and the generation of action plans for rectification actions needed (e.g. preventive and detective controls, mitigating controls). (§ 8.2.1(vi), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • For the EUC system, it is necessary to consolidate the management system for collecting, analyzing, troubleshooting, and reporting failure information according to the importance of business to be handled, and the degree of influence of such in the case of failure. (P72.7., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Conducting post-mortem analysis and reviews to identify causes of information security incidents, developing corrective actions and reassessing risk, and adjusting controls suitably to reduce the related risks in the future (Critical components of information security 10) (ii) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. (Article 27-3(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • an analysis of the root cause which triggered the relevant incident; (Technology Risk Management ¶ 8 (b), Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • an analysis of the root cause which triggered the relevant incident; (Technology Risk Management ¶ 8 (b), Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • Incidents would typically be subject to root cause analysis, where the underlying cause(s) of the incident is identified and analysed and controls adjusted to reduce the likelihood and impact of a future occurrence. (¶ 73, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • To minimise the impact of adverse events and enable timely recovery, financial institutions should establish appropriate processes and organisational structures to ensure a consistent and integrated monitoring, handling and follow-up of operational and security incidents and to make sure that the ro… (3.5.1 60, Final Report EBA Guidelines on ICT and security risk management)
  • problem management procedures to identify, analyse and solve the root cause behind one or more incidents — a financial institution should analyse operational or security incidents likely to affect the financial institution that have been identified or have occurred within and/or outside the organi… (3.5.1 60(c), Final Report EBA Guidelines on ICT and security risk management)
  • the type of threat or root cause that is likely to have triggered the incident; (Article 23 4 ¶ 1(d)(ii), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • a final report, when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates. (Art. 19.4.(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Events which could represent a security incident are classified, prioritised and subjected to a cause analysis by qualified personnel of the cloud provider or in connection with external security service providers. (Section 5.13 SIM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When an incident occurs, steps are taken to understand its root causes and to ensure appropriate remediating action is taken to protect against future incidents. (D2. ¶ 1, NCSC CAF guidance, 3.1)
  • When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken. (D2.a ¶ 1, NCSC CAF guidance, 3.1)
  • The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. (§ 8.6.3 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • For each significant service disruption, the entity shall disclose the duration of the disruption, the extent of impact, and the root cause, as well as any corrective actions taken to prevent future disruptions. Where material, the entity shall indicate the associated cost incurred, such as remediat… (Note to TC-SI-550a.1 1, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • For each significant service interruption, the entity shall disclose the duration of the disruption, the extent of impact, and the root cause, as well as any corrective actions taken to prevent future disruptions. (Note to TC-TL-550a.1 1, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • The root cause of the incident is determined. (CC7.5 ¶ 2 Bullet 3 Determines Root Cause of the Incident, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The root cause of the event is determined. (CC7.5 Determines Root Cause of the Event, Trust Services Criteria)
  • The root cause of the event is determined. (CC7.5 ¶ 2 Bullet 3 Determines Root Cause of the Event, Trust Services Criteria, (includes March 2020 updates))
  • A copy of the Licensee's privacy policy and a statement outlining the steps the Licensee will take to investigate and notify Consumers affected by the Cybersecurity Event; and (Section 6.B(12), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • The attack vector used; and (CIP-008-6 Table R4 Part 4.1 Requirements ¶ 1 4.1.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • the threats and threat actors, vulnerabilities, and impacts relating to the incident; (§ 3554(c)(1)(A)(i)(I), Federal Information Security Modernization Act of 2014)
  • Perform root cause analysis on incidents to determine underlying causes. (IR.2.097, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Perform root cause analysis on incidents to determine underlying causes. (IR.2.097, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Perform root cause analysis on incidents to determine underlying causes. (IR.2.097, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Perform root cause analysis on incidents to determine underlying causes. (IR.2.097, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Resolution of root causes rather than specific issues. (App A Tier 1 Objectives and Procedures Objective 2:5 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Catastrophic act report. Each federally insured credit union will notify the regional director within 5 business days of any catastrophic act that occurs at its office(s). A catastrophic act is any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or cau… (§ 748.1 (b), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • A copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event. (Section 27-62-6(b)(12), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and (Part VI(e)(2)(A)(xii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify a consumer affected by a cybersecurity event. (§ 8606.(b)(2) l., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and (§431:3B-302(b)(12), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event. (Sec. 21.(d)(12), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event. (§2506.B.(2)(l), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and (§2266 2.L., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event. (500.559 (2)(l), Michigan Compiled Laws Chapter 500 Act 218 of 1956 Chapter 5A Section 559, Notification of cybersecurity event involving nonpublic information; duty to update and supplement notifications to director; contents; application to third-party service provider; duties of ceding insurers with direct contractual relationship)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event. (Sec. 559.(2)(l), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and (§ 60A.9853 Subdivision 2(12), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and (§ 83-5-811 (2)(l), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event. (§ 420-P:6 II.(l), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and (26.1-02.2-05. 2.l., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; (Section 3965.04 (B)(1)(l), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • a copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and (SECTION 38-99-40. (B)(12), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • A copy of the licensee's privacy policy and a statement outlining the steps that the licensee will take to investigate which consumers were affected by the cybersecurity event and to notify affected consumers; (§ 56-2-1006 (b)(1)(L), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (§ 38.2-625.B.10., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take, or has taken, to investigate and notify consumers affected by the cybersecurity event. (§ 601.954(1)(b)9., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)