
Include corrective action taken to eradicate the incident in the incident response report.


CONTROL ID
12708
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Create an incident response report following an incident response., CC ID: 12700

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In addition, AIs should implement effective controls for prompt detection of unusual downloading activities that may involve customer data. For instance, AIs could enable logging of data downloading to those media and perform periodic sample checks on whether customer data have been downloaded witho… (Annex E. ¶ 2, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • to perform a post-mortem review of the incident, covering the identification of the root cause and the generation of action plans for rectification actions needed (e.g. preventive and detective controls, mitigating controls). (§ 8.2.1(vi), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Conducting post-mortem analysis and reviews to identify causes of information security incidents, developing corrective actions and reassessing risk, and adjusting controls suitably to reduce the related risks in the future (Critical components of information security 10) (ii) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Countermeasures to be taken by a provider of information and communications services or similar; (Article 27-3(1)(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Immediate corrective action to be taken to address consequences of the incident. Priority should be placed on addressing customers’ concerns and / or compensation; (§ 7.3.12.c.i., Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The register of cyber security incidents should include the actions that were taken. (Control: 0126 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should ensure all personnel who are involved in the incident investigation maintains a record of the actions they took to support the investigation. (Control: 0138 Bullet 2, Australian Government Information Security Manual: Controls)
  • Member States shall ensure that their competent authorities under this Directive and their competent authorities under Directive (EU) 2022/2557 cooperate and exchange information on a regular basis with regard to the identification of critical entities, on risks, cyber threats, and incidents as well… (Article 13 5., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • upon the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates; (Article 23 4 ¶ 1(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • applied and ongoing mitigation measures; (Article 23 4 ¶ 1(d)(iii), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures. (Art. 5.2. ¶ 2(i)(iii), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The cloud customer is informed by the cloud provider of the status of the incidents affecting them in a regular and an appropriate form that corresponds to the contractual agreements or is involved into corresponding remedial actions. As soon as an incident was remedied from the cloud provider's poi… (Section 5.6 RB-20 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • After a security incident has been processed, the solution is documented according to the contractual agreements and the report is forwarded for final information or, if necessary, as confirmation to the customers affected. (Section 5.13 SIM-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization must log all actions taken. (¶ 1 Pg 9, VISA CISP: What to Do If Compromised Visa Fraud Control and Investigation Procedures, Version 1.0 December 2008)
  • Forms should be prepared to collect all the incident information. This will ensure that the incident notes are thorough and all of the required information is captured. Notes should be kept of all steps that have been taken, including who did what, when they did it, how they did it, and why they did… (Action 1.5.8, Action 2.1.2, Pg 44 thru 59, SANS Computer Security Incident Handling, Version 2.3.1)
  • Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. (CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews, CIS Controls, V8)
  • recording the details of the disruption, the actions taken and the decisions made. (§ 8.4.3.1 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. (§ 8.6.3 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The entity shall describe the corrective actions taken in response to specific incidents, such as changes in operations, management, processes, products, business partners, training, or technology. (Note to TC-IM-230a.1 1, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall describe the corrective actions taken in response to data breaches, such as changes in operations, management, processes, products, business partners, training, or technology. (Note to TC-SI-230a.1 1, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall describe the corrective actions taken in response to data breaches, such as changes in operations, management, processes, products, business partners, training, or technology. (Note to TC-TL-230a.1 1, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Remediation activities are documented and communicated in accordance with the incident-response program. (CC7.4 ¶ 3 Bullet 9 Communicates Remediation Activities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. (CC7.3 Communicates and Reviews Detected Security Events, Trust Services Criteria)
  • Remediation activities are documented and communicated in accordance with the incident response program. (CC7.4 Communicates Remediation Activities, Trust Services Criteria)
  • Remediation activities are documented and communicated in accordance with the incident response program. (CC7.4 ¶ 2 Bullet 9 Communicates Remediation Activities, Trust Services Criteria, (includes March 2020 updates))
  • Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. (CC7.3 ¶ 2 Bullet 2 Communicates and Reviews Detected Security Events, Trust Services Criteria, (includes March 2020 updates))
  • Description of efforts being undertaken to remediate the situation which permitted the Cybersecurity Event to occur; (Section 6.B(11), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and (§242.1002(c)(1)(ii)(C), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and w… (§242.1002(c)(2), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, o… (§242.1002(b)(2)(ii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; t… (§242.1002(b)(4)(ii)(A), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Catastrophic act report. Each federally insured credit union will notify the regional director within 5 business days of any catastrophic act that occurs at its office(s). A catastrophic act is any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or cau… (§ 748.1 (b), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • The incident response team must immediately start recording all facts once the team suspects that an incident is occurring or has occurred. Every step taken should be documented and timestamped, including system events, telephone conversations, and observed file changes. Documents about the incident… (§ 3.2.5, App C, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Perform cyber defense incident triage, to include determining scope, urgency, and potential impact, identifying the specific vulnerability, and making recommendations that enable expeditious remediation. (T0163, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Gather and analyze data (e.g., measures of effectiveness) to determine effectiveness, and provide reporting for follow-on activities. (T0703, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Event Documentation. All recovery and reconstitution events should be well documented, including actions taken and problems encountered during the recovery and reconstitution efforts. An after-action report with lessons learned should be documented and included for updating the ISCP. (§ 4.4 ¶ 3 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Like internal communication, organizations should pay deliberate attention to the message being communicated to external parties. Again, an effective method is to designate a specific POC or team from the organization to be responsible for press releases and media communication. The POC or team's pr… (Appendix D Subsection 5 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Gather and analyze data (e.g., measures of effectiveness) to determine effectiveness, and provide reporting for follow-on activities. (T0703, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform cyber defense incident triage, to include determining scope, urgency, and potential impact, identifying the specific vulnerability, and making recommendations that enable expeditious remediation. (T0163, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur. (Section 27-62-6(b)(11), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Document response actions taken on an incident. This will be useful to your organization and to law enforcement, if involved. (Part II ¶ 11, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • Mandatory post-incident review by the company following any actual or suspected breach of security, and documentation of actions the company takes in response to such breach, including any changes the company makes to its business practices relating to the safeguarding of personal information; and (§ 38a-999b(b)(2)(K), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • A description of any efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur; (Part VI(e)(2)(A)(xi), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur. (§ 8606.(b)(2) k., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach; (§ 28–3852. (b-1)(7), Code of the District of Columbia Title 28 Chapter 38 Subchapter II, Consumer Security Breach Notification)
  • Steps that have been taken to rectify the breach. (501.171 (3)(c) 3., Florida Statutes, Title XXXIII Chapter 501 Section 171, Security of confidential personal information)
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur; (§431:3B-302(b)(11), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • State agencies that collect personal information must submit a report to the General Assembly within 5 business days of the discovery or notification of a security breach of system data or written material. This report must list the breaches and outline corrective measures taken to prevent future se… (§ 530/25, Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.)
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur (Sec. 21.(d)(11), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • A description of the licensee’s efforts to remediate the circumstances that allowed the cybersecurity event. (507F.7 2.j., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur. (§2506.B.(2)(k), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur; (§2266 2.K., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur. (500.559 (2)(k), Michigan Compiled Laws Chapter 500 Act 218 of 1956 Chapter 5A Section 559, Notification of cybersecurity event involving nonpublic information; duty to update and supplement notifications to director; contents; application to third-party service provider; duties of ceding insurers with direct contractual relationship)
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur. (Sec. 559.(2)(k), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur; (§ 60A.9853 Subdivision 2(11), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur; (§ 83-5-811 (2)(k), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur. (§ 420-P:6 II.(k), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • documentation and reporting regarding Cybersecurity Events and related incident response activities; and (§ 500.16 Incident Response Plan (b)(6), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur; (26.1-02.2-05. 2.k., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur; (Section 3965.04 (B)(1)(k), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • a description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur; (SECTION 38-99-40. (B)(11), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • A description of the efforts to remediate the situation that permitted the cybersecurity event to occur; (§ 56-2-1006 (b)(1)(K), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur; (§ 38.2-625.B.11., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • A description of efforts to address the circumstances that allowed the cybersecurity event to occur. (§ 601.954(1)(b)6., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)