Include addressing external communications in the incident response plan.

CONTROL ID: 13351
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an incident response plan., CC ID: 12056

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Developing a process to communicate with internal parties and external organizations (e.g., regulator, media, law enforcement, customers) (Critical components of information security 10) (ii) e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A regulated institution would normally have clear accountability and communication strategies to limit the impact of IT security incidents. This would typically include defined mechanisms for escalation and reporting to the Board and senior management and customer communication where appropriate (re… (¶ 72, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • specific external communication plans for critical business functions and processes in order to: (3.5.1 60(f), Final Report EBA Guidelines on ICT and security risk management)
  • identifying and contacting the entities concerned; (Article 12 1 ¶ 1(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counte… (Art. 17.3.(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum. (12.10.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum. (12.10.1 Bullet 1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum. (12.10.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum. (12.10.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum. (12.10.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum. (12.10.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • internal and external communication processes; (8.2 ¶ 4 Bullet 12, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • providing details of the organization's media response following an incident, including a communications strategy; (§ 8.4.3.1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Public relations are managed. (RC.CO-1, CRI Profile, v1.2)
  • External and internal communications and information sharing; (Section 4.H(2)(d), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Documentation and reporting regarding Cybersecurity Events and related incident response activities; and (Section 4.H(2)(f), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • External and internal communications and information sharing; (§ 314.4 ¶ 1(h)(4), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Information system contingency plans are rarely developed or executed on their own. When an incident occurs that impacts information system operations, it often impacts the organization's personnel. Proper considerations for the safety, security, and well-being of personnel should be planned for in … (Appendix D ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Like internal communication, organizations should pay deliberate attention to the message being communicated to external parties. Again, an effective method is to designate a specific POC or team from the organization to be responsible for press releases and media communication. The POC or team's pr… (Appendix D Subsection 5 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The crisis communication plan typically addresses internal communication flows to personnel and management and external communication with the public. The most effective way to provide helpful information and to reduce rumors is to communicate clearly and often. The plan should also prepare the orga… (Appendix D Subsection 5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Manage public relations associated with an incident; and (IR-4(15)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Manage public relations associated with an incident; and (IR-4(15)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (Section 27-62-4(h)(2) f., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • External and internal communications and information sharing. (Section 27-62-4(h)(2) d., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • External and internal communications; (Part VI(c)(8)(B)(iv), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (Part VI(c)(8)(B)(vii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (§ 8604.(h)(2) f., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • External and internal communications and information sharing. (§ 8604.(h)(2) d., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • External and internal communications and information sharing; (§431:3B-207(b)(4), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§431:3B-207(b)(6), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • External and internal communications and information sharing. (Sec. 20.(b)(4), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (Sec. 20.(b)(6), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • External communications, internal communications, and information sharing related to a cybersecurity event. (507F.4 7.d., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (507F.4 7.f., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • External and internal communications and information sharing. (§2504.H.(2)(d), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (§2504.H.(2)(f), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • External and internal communications and information sharing; (§2264 8.D., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§2264 8.F., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • External and internal communications and information sharing. (Sec. 555.(8)(d), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • Documentation and reporting regarding cybersecurity events and related incident response activities. (Sec. 555.(8)(f), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 60A.9851 Subdivision 8(b)(6), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • external and internal communications and information sharing; (§ 60A.9851 Subdivision 8(b)(4), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • External and internal communications and information sharing; (§ 83-5-807 (8)(b)(iv), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 83-5-807 (8)(b)(vi), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 420-P:4 VIII.(b)(6), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • External and internal communications and information sharing; (§ 420-P:4 VIII.(b)(4), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • external and internal communications and information sharing; (§ 500.16 Incident Response and Business Continuity Management (a)(1)(iv), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (26.1-02.2-03. 9.(6), North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • External and internal communications and information sharing; (26.1-02.2-03. 9.(4), North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • External and internal communications and information sharing; (Section 3965.02 (H)(2)(d), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; (Section 3965.02 (H)(2)(f), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • external and internal communications and information sharing; (SECTION 38-99-20. (H)(2)(d), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • documentation and reporting regarding cybersecurity events and related incident response activities; and (SECTION 38-99-20. (H)(2)(f), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • External and internal communications and information sharing; (§ 56-2-1004 (8)(B)(iv), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 56-2-1004 (8)(B)(vi), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • External and internal communications and information sharing; (§ 38.2-623.G.4., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Documentation and reporting regarding cybersecurity events and related incident response activities; and (§ 38.2-623.G.6., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The external and internal communications and information sharing during and immediately following a cybersecurity event. (§ 601.952(5)(d), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • The reporting and documentation of a cybersecurity event and related incident response activities. (§ 601.952(5)(f), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)