Establish, implement, and maintain a cyber incident response plan.


CONTROL ID
13286
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Disseminate and communicate the cyber incident response plan to interested personnel and affected parties., CC ID: 16838


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to review measures to prevent, detect, and respond to cyber attacks and to establish a framework to combat cyber attacks in order to prevent system interruption and illegal fund transfers caused by cyber attacks. (C5.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Establishing system backups and disaster recovery plans. Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack). (Critical components of information security 24) viii. ¶ 1 m., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • the process and procedure for handling IT incidents, including cyber related incidents; (§ 7.7.3(a), Technology Risk Management Guidelines, January 2021)
  • The FI should establish a cyber incident response and management plan to swiftly isolate and neutralise a cyber threat and to securely resume affected services. The plan should describe communication, coordination and response procedures to address plausible cyber threat scenarios. (§ 12.3.1, Technology Risk Management Guidelines, January 2021)
  • the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority (Security Control: 0043; Revision: 3; Bullet 6, Australian Government Information Security Manual, March 2021)
  • A denial of service response plan is developed and implemented that includes: (Security Control: 1019; Revision: 7, Australian Government Information Security Manual, March 2021)
  • A denial of service response plan for video conferencing and IP telephony services is developed, implemented and maintained. (Control: ISM-1019; Revision: 9, Australian Government Information Security Manual, June 2023)
  • A denial of service response plan for video conferencing and IP telephony services is developed, implemented and maintained. (Control: ISM-1019; Revision: 9, Australian Government Information Security Manual, September 2023)
  • Each Member State shall adopt a national large-scale cybersecurity incident and crisis response plan where the objectives of and arrangements for the management of large-scale cybersecurity incidents and crises are set out. That plan shall lay down, in particular: (Article 9 4., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • the objectives of national preparedness measures and activities; (Article 9 4(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • In order to facilitate cooperation referred to in paragraph 4, the CSIRTs shall promote the adoption and use of common or standardised practices, classification schemes and taxonomies in relation to: (Article 11 5., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (Article 21 2., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy set out in Article 6(8). They shall map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-a… (Art. 13.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function and covers a range of incident scenarios. (D1.a ¶ 1, NCSC CAF guidance, 3.1)
  • You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions. (D1.b ¶ 1, NCSC CAF guidance, 3.1)
  • You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated. (B5.b ¶ 1, NCSC CAF guidance, 3.1)
  • Network security controls. (12.10.5 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine the entity's incident-response plan (Requirement 12.10.1) to verify it requires and defines a response in the event that covert malware communication channels are detected. (11.5.1.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Network security controls. (12.10.5 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Network security controls. (12.10.5 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Ensure a consistent and effective approach for the management of cyber incidents. (7.1 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event. (RS.IM-1.1, CRI Profile, v1.2)
  • Current cyber threat intelligence (both internal and external sources); (RS.IM-2.1(2), CRI Profile, v1.2)
  • The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from: (RC.IM-1.1, CRI Profile, v1.2)
  • Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization); (RC.IM-2.1(1), CRI Profile, v1.2)
  • Cybersecurity assessments and testing performed internally; and (RC.IM-1.1(2), CRI Profile, v1.2)
  • The cyber resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders during cybersecurity incidents and cyber attacks (e.g., propagation of malware or corrupted data). (DM.RS-1.3, CRI Profile, v1.2)
  • Organization is capable of operating critical business functions in the face of cyber-attacks and continuously enhance its cyber resilience. (DM.RS-1, CRI Profile, v1.2)
  • Response strategies are updated. (RS.IM-2, CRI Profile, v1.2)
  • The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event. (RS.IM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The internal process for responding to a Cybersecurity Event; (Section 4.H(2)(a), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Update the Cyber Security Incident response plan(s); and (CIP-008-5 Table R3 Part 3.2 Requirements 3.2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Update the Cyber Security Incident response plan based on any documented lessons learned associated with the plan; and (CIP-008-5 Table R3 Part 3.1 Requirements 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-6 Table R1 – Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Plann… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Update the Cyber Security Incident response plan(s); and (CIP-008-6 Table R3 Part 3.2 Requirements ¶ 1 3.2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-6 Table R2 – Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Hori… (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-6 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations … (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Update the Cyber Security Incident response plan based on any documented lessons learned associated with the plan; and (CIP-008-6 Table R3 Part 3.1 Requirements ¶ 1 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber Security Incident, responding to a Cyber Security Incident that attempted to compromise a system identified in the "Applicable Systems" column for this Part, or performing an exercise of a Rep… (CIP-008-6 Table R2 Part 2.2 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Any other special instructions for handling computer security incidents affecting, or potentially affecting U.S. Government data; consistent with guidance and policy directives issued by DoD, NIST, US-CERT and CNSS for incident management, classification, and remediation; or other applicable law, re… (Section 6.5.1 ¶ 1 Bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • CSPs will provide, either as part of their Incident Response Plan or through an Incident Response Plan Addendum, their approach to fulfilling DoD Cyberspace Defense integration requirements. CSPs will make their plan or addendum available to DISA for review and approval as a condition of its PA and … (Section 6.5.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The internal processes for responding to a security event; (§ 314.4 ¶ 1(h)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Contribute to crisis action planning for cyber operations. (T0627, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support Incident Response Team mission. (T0401, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Contribute to crisis action planning for cyber operations. (T0627, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved (ID.IM-04, The NIST Cybersecurity Framework, v2.0)
  • Responses to detected cybersecurity incidents are managed (Incident Management (RS.MA), The NIST Cybersecurity Framework, v2.0)
  • COUNTER CYBERCRIME, DEFEAT RANSOMWARE (STRATEGIC OBJECTIVE 2.5, National Cybersecurity Strategy)
  • COUNTER CYBERCRIME, DEFEAT RANSOMWARE (STRATEGIC OBJECTIVE 2.5, National Cybersecurity Strategy (Condensed))
  • The internal process for responding to a cybersecurity event. (Section 27-62-4(h)(2) a., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event; (Part VI(c)(8)(B)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event. (§ 8604.(h)(2) a., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event; (§431:3B-207(b)(1), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event. (Sec. 20.(b)(1), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s p… (507F.4 7., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The licensee’s internal process for responding to a cybersecurity event. (507F.4 7.a., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The internal process for responding to a cybersecurity event. (§2504.H.(2)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • The internal process for responding to a cybersecurity event; (§2264 8.A., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event. (Sec. 555.(8)(a), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • the internal process for responding to a cybersecurity event; (§ 60A.9851 Subdivision 8(b)(1), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • The internal process for responding to a cybersecurity event; (§ 83-5-807 (8)(b)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event; (§ 420-P:4 VIII.(b)(1), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • As part of its cybersecurity program, each covered entity shall establish written plans that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery pla… (§ 500.16 Incident Response and Business Continuity Management (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The internal process for responding to a cybersecurity event; (26.1-02.2-03. 9.(1), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • The internal process for responding to a cybersecurity event; (Section 3965.02 (H)(2)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • the internal process for responding to a cybersecurity event; (SECTION 38-99-20. (H)(2)(a), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The licensee's internal process for responding to a cybersecurity event; (§ 56-2-1004 (8)(B)(i), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession; the lice… (§ 38.2-623.G., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event; (§ 38.2-623.G.1., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event. (§ 601.952(5)(b), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)