Include addressing internal communications in the incident response plan.

CONTROL ID: 13350
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an incident response plan., CC ID: 12056

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Developing a process to communicate with internal parties and external organizations (e.g., regulator, media, law enforcement, customers) (Critical components of information security 10) (ii) e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • a documented incident management and escalation process, that also provides guidance on the different incident management and escalation roles and responsibilities, the members of the crisis committee(s) and the chain of command in case of emergency; (Title 3 3.3.4(a) 54.b(iv), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • a documented security incident management and escalation process, that provides guidance on the different incident management and escalation roles and responsibilities, the members of the crisis committee(s) and the chain of command in case of security emergencies; (Title 3 3.3.4(b) 55.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counte… (Art. 17.3.(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Communication is an important cornerstone regarding the achievement of the set security objectives in all phases of the security process. Misunderstandings and lack of knowledge are the most common causes for security issues. A smooth flow of information regarding security incidents and security saf… (§ 4.2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • It is recommended to install the position of the Information Security Officer as a staff department, i.e. a position directly allocated to the management level, which does not receive orders from other bodies. In any case the ISO must have the direct right of recitation at any time with the manageme… (§ 4.4 Subsection 4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted. (SEF-03, Cloud Controls Matrix, v4.0)
  • internal and external communication processes; (8.2 ¶ 4 Bullet 12, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • External and internal communications and information sharing; (Section 4.H(2)(d), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • External and internal communications and information sharing; (§ 314.4 ¶ 1(h)(4), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The crisis communication plan typically addresses internal communication flows to personnel and management and external communication with the public. The most effective way to provide helpful information and to reduce rumors is to communicate clearly and often. The plan should also prepare the orga… (Appendix D Subsection 5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Ensure primary and alternate communication capabilities exist for internal and external reporting of appropriate security events and information. (Table 1: Communication Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • External and internal communications and information sharing. (Section 27-62-4(h)(2) d., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • External and internal communications; (Part VI(c)(8)(B)(iv), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • External and internal communications and information sharing. (§ 8604.(h)(2) d., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • External and internal communications and information sharing; (§431:3B-207(b)(4), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • External and internal communications and information sharing. (Sec. 20.(b)(4), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • External communications, internal communications, and information sharing related to a cybersecurity event. (507F.4 7.d., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • External and internal communications and information sharing. (§2504.H.(2)(d), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • External and internal communications and information sharing; (§2264 8.D., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • External and internal communications and information sharing. (Sec. 555.(8)(d), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • external and internal communications and information sharing; (§ 60A.9851 Subdivision 8(b)(4), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • External and internal communications and information sharing; (§ 83-5-807 (8)(b)(iv), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • External and internal communications and information sharing; (§ 420-P:4 VIII.(b)(4), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • external and internal communications and information sharing; (§ 500.16 Incident Response and Business Continuity Management (a)(1)(iv), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • External and internal communications and information sharing; (26.1-02.2-03. 9.(4), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • External and internal communications and information sharing; (Section 3965.02 (H)(2)(d), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • external and internal communications and information sharing; (SECTION 38-99-20. (H)(2)(d), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • External and internal communications and information sharing; (§ 56-2-1004 (8)(B)(iv), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • External and internal communications and information sharing; (§ 38.2-623.G.4., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The external and internal communications and information sharing during and immediately following a cybersecurity event. (§ 601.952(5)(d), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)