Include compliance requirements in the incident response policy.

Back

CONTROL ID
14108

CONTROL TYPE
Establish/Maintain Documentation

CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):

Establish, implement, and maintain an incident response policy., CC ID: 14024

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

Analysis of legal requirements for reporting compromises. (12.10.1 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
Analysis of legal requirements for reporting compromises. (12.10.1 Bullet 5, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
Analysis of legal requirements for reporting compromises. (12.10.1 Bullet 5, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
Analysis of legal requirements for reporting compromises. (12.10.1 Bullet 5, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
Analysis of legal requirements for reporting compromises. (12.10.1 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
Analysis of legal requirements for reporting compromises. (12.10.1 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process, CIS Controls, V8)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), FedRAMP Security Controls High Baseline, Version 5)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), FedRAMP Security Controls Low Baseline, Version 5)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), FedRAMP Security Controls Moderate Baseline, Version 5)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., TX-RAMP Security Controls Baseline Level 1)
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IR-1a.1., TX-RAMP Security Controls Baseline Level 2)