Establish, implement, and maintain a cyber incident response plan.


CONTROL ID
13286
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Establishing system backups and disaster recovery plans. Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack). (Critical components of information security 24) viii. ¶ 1 m., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • the process and procedure for handling IT incidents, including cyber related incidents; (§ 7.7.3(a), Technology Risk Management Guidelines, January 2021)
  • The FI should establish a cyber incident response and management plan to swiftly isolate and neutralise a cyber threat and to securely resume affected services. The plan should describe communication, coordination and response procedures to address plausible cyber threat scenarios. (§ 12.3.1, Technology Risk Management Guidelines, January 2021)
  • the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority (Security Control: 0043; Revision: 3; Bullet 6, Australian Government Information Security Manual)
  • A denial of service response plan is developed and implemented that includes: (Security Control: 1019; Revision: 7, Australian Government Information Security Manual)
  • Network security controls. (12.10.5 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine the entity's incident-response plan (Requirement 12.10.1) to verify it requires and defines a response in the event that covert malware communication channels are detected. (11.5.1.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Network security controls. (12.10.5 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Network security controls. (12.10.5 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Ensure a consistent and effective approach for the management of cyber incidents. (7.1 Control Objective, SWIFT Customer Security Controls Framework, Customer Security Programme, v2019)
  • The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event. (RS.IM-1.1, CRI Profile, v1.2)
  • Current cyber threat intelligence (both internal and external sources); (RS.IM-2.1(2), CRI Profile, v1.2)
  • The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from: (RC.IM-1.1, CRI Profile, v1.2)
  • Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization); (RC.IM-2.1(1), CRI Profile, v1.2)
  • Cybersecurity assessments and testing performed internally; and (RC.IM-1.1(2), CRI Profile, v1.2)
  • The cyber resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders during cybersecurity incidents and cyber attacks (e.g., propagation of malware or corrupted data). (DM.RS-1.3, CRI Profile, v1.2)
  • Organization is capable of operating critical business functions in the face of cyber-attacks and continuously enhance its cyber resilience. (DM.RS-1, CRI Profile, v1.2)
  • Response strategies are updated. (RS.IM-2, CRI Profile, v1.2)
  • The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event. (RS.IM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The internal process for responding to a Cybersecurity Event; (Section 4.H(2)(a), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Update the Cyber Security Incident response plan(s); and (CIP-008-5 Table R3 Part 3.2 Requirements 3.2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Update the Cyber Security Incident response plan based on any documented lessons learned associated with the plan; and (CIP-008-5 Table R3 Part 3.1 Requirements 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-6 Table R1 – Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Plann… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Update the Cyber Security Incident response plan(s); and (CIP-008-6 Table R3 Part 3.2 Requirements ¶ 1 3.2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-6 Table R2 – Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Hori… (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-6 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations … (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Update the Cyber Security Incident response plan based on any documented lessons learned associated with the plan; and (CIP-008-6 Table R3 Part 3.1 Requirements ¶ 1 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber Security Incident, responding to a Cyber Security Incident that attempted to compromise a system identified in the "Applicable Systems" column for this Part, or performing an exercise of a Rep… (CIP-008-6 Table R2 Part 2.2 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Any other special instructions for handling computer security incidents affecting, or potentially affecting U.S. Government data; consistent with guidance and policy directives issued by DoD, NIST, US-CERT and CNSS for incident management, classification, and remediation; or other applicable law, re… (Section 6.5.1 ¶ 1 Bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • CSPs will provide, either as part of their Incident Response Plan or through an Incident Response Plan Addendum, their approach to fulfilling DoD Cyberspace Defense integration requirements. CSPs will make their plan or addendum available to DISA for review and approval as a condition of its PA and … (Section 6.5.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The internal processes for responding to a security event; (§ 314.4 ¶ 1(h)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Contribute to crisis action planning for cyber operations. (T0627, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support Incident Response Team mission. (T0401, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Contribute to crisis action planning for cyber operations. (T0627, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The internal process for responding to a cybersecurity event. (Section 27-62-4(h)(2) a., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event; (Part VI(c)(8)(B)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event. (§ 8604.(h)(2) a., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event; (§431:3B-207(b)(1), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event. (Sec. 20.(b)(1), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s p… (507F.4 7., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The licensee’s internal process for responding to a cybersecurity event. (507F.4 7.a., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The internal process for responding to a cybersecurity event. (§2504.H.(2)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • The internal process for responding to a cybersecurity event; (§2264 8.A., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event. (Sec. 555.(8)(a), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • the internal process for responding to a cybersecurity event; (§ 60A.9851 Subdivision 8(b)(1), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • The internal process for responding to a cybersecurity event; (§ 83-5-807 (8)(b)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event; (§ 420-P:4 VIII.(b)(1), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • The internal process for responding to a cybersecurity event; (26.1-02.2-03. 9.(1), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • The internal process for responding to a cybersecurity event; (Section 3965.02 (H)(2)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • the internal process for responding to a cybersecurity event; (SECTION 38-99-20. (H)(2)(a), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The licensee's internal process for responding to a cybersecurity event; (§ 56-2-1004 (8)(B)(i), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession; the lice… (§ 38.2-623.G., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event; (§ 38.2-623.G.1., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The internal process for responding to a cybersecurity event. (§ 601.952(5)(b), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)