Include lessons learned from the incident in the incident response report.


CONTROL ID
12713
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Create an incident response report following an incident response., CC ID: 12700

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • What lessons were learnt from this incident? (§ 7.3.12.a.v., Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should maintain a record of past incidents which include lessons learnt to facilitate the diagnosis and resolution of future incidents with similar characteristics. (§ 7.8.2, Technology Risk Management Guidelines, January 2021)
  • Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. (CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews, CIS Controls, V8)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (Section 6.B(10), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Document any lessons learned or document the absence of any lessons learned; (CIP-008-5 Table R3 Part 3.1 Requirements 3.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Contents of report. The report should address material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and… (Appendix A-VI. (b)(2), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Document lessons learned that convey the results of events and/or exercises. (T0836, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Event Documentation. All recovery and reconstitution events should be well documented, including actions taken and problems encountered during the recovery and reconstitution efforts. An after-action report with lessons learned should be documented and included for updating the ISCP. (§ 4.4 ¶ 3 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Document lessons learned that convey the results of events and/or exercises. (T0836, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed. (Section 27-62-6(b)(10), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • The results of an internal review identifying any lapse in automated controls or internal procedures, or confirming that all such controls and procedures were followed; (Part VI(e)(2)(A)(x), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The results of an internal review identifying a lapse in either automated controls or internal procedures, or confirming that the automated controls or internal procedures were followed. (§ 8606.(b)(2) j., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (§431:3B-302(b)(10), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • confirming that all automated controls or internal procedures were followed. (Sec. 21.(d)(10)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • identifying a lapse in either automated controls or internal procedures; or (Sec. 21.(d)(10)(A), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • The results of any internal review conducted by the licensee that identified a lapse in the licensee’s automated controls or internal procedures, or that confirmed the licensee’s compliance with all automated controls or internal procedures. (507F.7 2.i., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed. (§2506.B.(2)(j), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • The results of any review conducted by or for the licensee identifying a lapse in either automated controls or internal procedures or confirming that all automated controls or internal procedures were followed; (§2266 2.J., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed. (500.559 (2)(j), Michigan Compiled Laws Chapter 500 Act 218 of 1956 Chapter 5A Section 559, Notification of cybersecurity event involving nonpublic information; duty to update and supplement notifications to director; contents; application to third-party service provider; duties of ceding insurers with direct contractual relationship)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed. (Sec. 559.(2)(j), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (§ 60A.9853 Subdivision 2(10), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (§ 83-5-811 (2)(j), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed. (§ 420-P:6 II.(j), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (26.1-02.2-05. 2.j., North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (Section 3965.04 (B)(1)(j), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (SECTION 38-99-40. (B)(10), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The results of an internal review and whether the review identified whether automated controls or internal procedures were followed or adhered to; (§ 56-2-1006 (b)(1)(J), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; (§ 38.2-625.B.10., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The results of any internal review related to the cybersecurity event, including the identification of a lapse in automated controls or internal procedures. (§ 601.954(1)(b)7., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)