last sync: 2024-Oct-03 17:51:34 UTC

Develop an incident response plan | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Develop an incident response plan
Id 2b4e134f-1e4c-2bff-573e-082d85479b6e
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0145 - Develop an incident response plan
Additional metadata Name/Id: CMA_0145 / CMA_0145
Category: Documentation
Title: Develop an incident response plan
Ownership: Customer
Description: Microsoft recommends that your organization develop an incident response plan that describes the structure and organization of the incident response capability. It is recommended that your organization distribute copies of the incident response plan to relevant incident response personnel and organizational elements. Your incident response plan should: - Provide a high-level approach for how the incident response capability fits into your overall organization - Provide a roadmap to implement the incident response capability - Define the reportable incidents - Specify the metrics for measuring the incident response capability, and meet the unique requirements of the organization, relating to your mission, size, structure, and functions. We recommend that your organization document and classify incidents into different categories for tracking purposes, such as false positive, security incident, potential security breach, and incident with privacy impact. It is also recommended to create incident definitions to determine incident severity and level of harm. Microsoft recommends that your policies provide guidance for addressing each category of incidents defined by your organization as well as a high-level description of the structure and organization of the incident response capabilities. It is suggested that your organization review, test, and approve the Security Response procedures and the Incident Response Plan at least every 12 months. Your organization should update the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Your organization should communicate any incident response plan changes to relevant incident response personnel and organizational elements. Your organization is also recommended to establish and implement a process for employees, contractors, and third-party users to report any security incidents through appropriate communication channels. It is recommended to provide support to these users who report incidents and to share the information with relevant roles and/or organizations according to applicable regulations. It is recommended that your organization track and handle the incidents related to unsuccessful backups and backup recovery. It is also recommended that your organization consider purchasing a cyber security insurance policy which includes coverage for incident response and recovery activities or provide a rationale for not purchasing one. Microsoft recommends that roles and responsibilities of staff involved in the incident management process are clearly documented in the procedures, including recording, analyzing, remediating and monitoring of problem and incidents. Your organization may also document escalation and resolution protocols and timelines. It is suggested that your organization notify the authorities of incidents and such notifications be tracked and reported in accordance with the service-level agreement (SLA). It is recommended that your organization employ automated-mechanism for efficient incident reporting and handling, and to increase the availability of incident response-related information and support. It is advised to include the following information when recording and tracking incidents: - Severity - Client information - Description of incident/problem - Date and time of incident/problem - Incident type - Applications, systems and/or network components impacted - Impact on customers - Escalation and approvals - Actions taken to resolve the incident or problem, including date and time action was taken - Post-mortem on incidents that includes root-cause analysis. The Motion Picture Association (MPA) Content Security Best Practices recommend organizations with 50 or more employees to provide anonymous reporting (e.g. internal, anonymous telephone number, email address, and / or website) to internal and third party personnel for reporting of content protection and piracy concerns (and to also provide it during security awareness training). NIST 800-184: Guide for Cybersecurity Event Recovery act requires that the organization should have Cyber Incident Response Plan (CIRP) integrated into its enterprise-wide Business Continuity Plan (BCP).
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 100 compliance controls are associated with this Policy definition 'Develop an incident response plan' (2b4e134f-1e4c-2bff-573e-082d85479b6e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 4.6 CIS_Azure_1.1.0_4.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.6 4 Database Services Ensure that 'Send alerts to' is set Shared The customer is responsible for implementing this recommendation. Provide the email address where alerts will be sent when anomalous activities are detected on SQL servers. link 3
CIS_Azure_1.1.0 4.7 CIS_Azure_1.1.0_4.7 CIS Microsoft Azure Foundations Benchmark recommendation 4.7 4 Database Services Ensure that 'Email service and co-administrators' is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable service and co-administrators to receive security alerts from the SQL server. link 3
CIS_Azure_1.1.0 5.2.1 CIS_Azure_1.1.0_5.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create Policy Assignment event. link 4
CIS_Azure_1.1.0 5.2.2 CIS_Azure_1.1.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. link 4
CIS_Azure_1.1.0 5.2.3 CIS_Azure_1.1.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link 4
CIS_Azure_1.1.0 5.2.4 CIS_Azure_1.1.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link 4
CIS_Azure_1.1.0 5.2.5 CIS_Azure_1.1.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link 4
CIS_Azure_1.1.0 5.2.6 CIS_Azure_1.1.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Security Solution event. link 4
CIS_Azure_1.1.0 5.2.7 CIS_Azure_1.1.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Security Solution event. link 4
CIS_Azure_1.1.0 5.2.8 CIS_Azure_1.1.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link 4
CIS_Azure_1.1.0 5.2.9 CIS_Azure_1.1.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Update Security Policy Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Update Security Policy event. link 4
CIS_Azure_1.3.0 5.2.1 CIS_Azure_1.3.0_5.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create Policy Assignment event. link 4
CIS_Azure_1.3.0 5.2.2 CIS_Azure_1.3.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Policy Assignment event. link 4
CIS_Azure_1.3.0 5.2.3 CIS_Azure_1.3.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. link 4
CIS_Azure_1.3.0 5.2.4 CIS_Azure_1.3.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link 4
CIS_Azure_1.3.0 5.2.5 CIS_Azure_1.3.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link 4
CIS_Azure_1.3.0 5.2.6 CIS_Azure_1.3.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link 4
CIS_Azure_1.3.0 5.2.7 CIS_Azure_1.3.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Security Solution event. link 4
CIS_Azure_1.3.0 5.2.8 CIS_Azure_1.3.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Security Solution event. link 4
CIS_Azure_1.3.0 5.2.9 CIS_Azure_1.3.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link 4
CIS_Azure_1.4.0 5.2.1 CIS_Azure_1.4.0_5.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create Policy Assignment event. link 4
CIS_Azure_1.4.0 5.2.2 CIS_Azure_1.4.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Policy Assignment event. link 4
CIS_Azure_1.4.0 5.2.3 CIS_Azure_1.4.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. link 4
CIS_Azure_1.4.0 5.2.4 CIS_Azure_1.4.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link 4
CIS_Azure_1.4.0 5.2.5 CIS_Azure_1.4.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link 4
CIS_Azure_1.4.0 5.2.6 CIS_Azure_1.4.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link 4
CIS_Azure_1.4.0 5.2.7 CIS_Azure_1.4.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Security Solution event. link 4
CIS_Azure_1.4.0 5.2.8 CIS_Azure_1.4.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Security Solution event. link 4
CIS_Azure_1.4.0 5.2.9 CIS_Azure_1.4.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link 4
CIS_Azure_2.0.0 5.2.1 CIS_Azure_2.0.0_5.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 5.2 Ensure that Activity Log Alert exists for Create Policy Assignment Shared n/a Create an activity log alert for the Create Policy Assignment event. Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes. link 4
CIS_Azure_2.0.0 5.2.2 CIS_Azure_2.0.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5.2 Ensure that Activity Log Alert exists for Delete Policy Assignment Shared n/a Create an activity log alert for the Delete Policy Assignment event. Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes. link 4
CIS_Azure_2.0.0 5.2.3 CIS_Azure_2.0.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared n/a Create an Activity Log Alert for the Create or Update Network Security Group event. Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.4 CIS_Azure_2.0.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5.2 Ensure that Activity Log Alert exists for Delete Network Security Group Shared n/a Create an activity log alert for the Delete Network Security Group event. Monitoring for "Delete Network Security Group" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.5 CIS_Azure_2.0.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5.2 Ensure that Activity Log Alert exists for Create or Update Security Solution Shared n/a Create an activity log alert for the Create or Update Security Solution event. Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.6 CIS_Azure_2.0.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5.2 Ensure that Activity Log Alert exists for Delete Security Solution Shared n/a Create an activity log alert for the Delete Security Solution event. Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.7 CIS_Azure_2.0.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5.2 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Shared There will be a substantial increase in log size if there are a large number of administrative actions on a server. Create an activity log alert for the Create or Update SQL Server Firewall Rule event. Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.8 CIS_Azure_2.0.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5.2 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Shared There will be a substantial increase in log size if there are a large number of administrative actions on a server. Create an activity log alert for the "Delete SQL Server Firewall Rule." Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity. link 4
FedRAMP_High_R4 IR-4 FedRAMP_High_R4_IR-4 FedRAMP High IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 24
FedRAMP_High_R4 IR-4(1) FedRAMP_High_R4_IR-4(1) FedRAMP High IR-4 (1) Incident Response Automated Incident Handling Processes Shared n/a The organization employs automated mechanisms to support the incident handling process. Supplemental Guidance: Automated mechanisms supporting incident handling processes include, for example, online incident management systems. link 3
FedRAMP_High_R4 IR-7(1) FedRAMP_High_R4_IR-7(1) FedRAMP High IR-7 (1) Incident Response Automation Support For Availability Of Information / Support Shared n/a The organization employs automated mechanisms to increase the availability of incident response- related information and support. Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. link 7
FedRAMP_High_R4 IR-8 FedRAMP_High_R4_IR-8 FedRAMP High IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
FedRAMP_High_R4 IR-9 FedRAMP_High_R4_IR-9 FedRAMP High IR-9 Incident Response Information Spillage Response Shared n/a The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; c. Isolating the contaminated information system or system component; d. Eradicating the information from the contaminated information system or component; e. Identifying other information systems or system components that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions]. Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. References: None. link 7
FedRAMP_High_R4 SI-4(5) FedRAMP_High_R4_SI-4(5) FedRAMP High SI-4 (5) System And Information Integrity System-Generated Alerts Shared n/a The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization- defined compromise indicators]. Supplemental Guidance: Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6. link 3
FedRAMP_Moderate_R4 IR-4 FedRAMP_Moderate_R4_IR-4 FedRAMP Moderate IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 24
FedRAMP_Moderate_R4 IR-4(1) FedRAMP_Moderate_R4_IR-4(1) FedRAMP Moderate IR-4 (1) Incident Response Automated Incident Handling Processes Shared n/a The organization employs automated mechanisms to support the incident handling process. Supplemental Guidance: Automated mechanisms supporting incident handling processes include, for example, online incident management systems. link 3
FedRAMP_Moderate_R4 IR-7(1) FedRAMP_Moderate_R4_IR-7(1) FedRAMP Moderate IR-7 (1) Incident Response Automation Support For Availability Of Information / Support Shared n/a The organization employs automated mechanisms to increase the availability of incident response- related information and support. Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. link 7
FedRAMP_Moderate_R4 IR-8 FedRAMP_Moderate_R4_IR-8 FedRAMP Moderate IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
FedRAMP_Moderate_R4 IR-9 FedRAMP_Moderate_R4_IR-9 FedRAMP Moderate IR-9 Incident Response Information Spillage Response Shared n/a The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; c. Isolating the contaminated information system or system component; d. Eradicating the information from the contaminated information system or component; e. Identifying other information systems or system components that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions]. Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. References: None. link 7
FedRAMP_Moderate_R4 SI-4(5) FedRAMP_Moderate_R4_SI-4(5) FedRAMP Moderate SI-4 (5) System And Information Integrity System-Generated Alerts Shared n/a The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization- defined compromise indicators]. Supplemental Guidance: Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6. link 3
hipaa 0205.09j2Organizational.2-09.j hipaa-0205.09j2Organizational.2-09.j 0205.09j2Organizational.2-09.j 02 Endpoint Protection 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a Malicious code that is identified is blocked, quarantined, and an alert is sent to the administrators. 10
hipaa 1216.09ab3System.12-09.ab hipaa-1216.09ab3System.12-09.ab 1216.09ab3System.12-09.ab 12 Audit Logging & Monitoring 1216.09ab3System.12-09.ab 09.10 Monitoring Shared n/a Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. 20
hipaa 1217.09ab3System.3-09.ab hipaa-1217.09ab3System.3-09.ab 1217.09ab3System.3-09.ab 12 Audit Logging & Monitoring 1217.09ab3System.3-09.ab 09.10 Monitoring Shared n/a Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations. 5
hipaa 1218.09ab3System.47-09.ab hipaa-1218.09ab3System.47-09.ab 1218.09ab3System.47-09.ab 12 Audit Logging & Monitoring 1218.09ab3System.47-09.ab 09.10 Monitoring Shared n/a Automated systems support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms. 7
hipaa 1222.09ab3System.8-09.ab hipaa-1222.09ab3System.8-09.ab 1222.09ab3System.8-09.ab 12 Audit Logging & Monitoring 1222.09ab3System.8-09.ab 09.10 Monitoring Shared n/a The organization analyzes and correlates audit records across different repositories using a security information and event management (SIEM) tool or log analytics tools for log aggregation and consolidation from multiple systems/machines/devices, and correlates this information with input from non-technical sources to gain and enhance organization-wide situational awareness. Using the SIEM tool, the organization devise profiles of common events from given systems/machines/devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. 10
hipaa 1501.02f1Organizational.123-02.f hipaa-1501.02f1Organizational.123-02.f 1501.02f1Organizational.123-02.f 15 Incident Management 1501.02f1Organizational.123-02.f 02.03 During Employment Shared n/a Sanctions are fairly applied to employees following violations of the information security policies once a breach is verified and includes consideration of multiple factors. The organization documents personnel involved in incidents, steps taken, and the timeline associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident. 11
hipaa 1503.02f2Organizational.12-02.f hipaa-1503.02f2Organizational.12-02.f 1503.02f2Organizational.12-02.f 15 Incident Management 1503.02f2Organizational.12-02.f 02.03 During Employment Shared n/a A contact in HR is appointed to handle employee security incidents and notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction. 11
hipaa 1504.06e1Organizational.34-06.e hipaa-1504.06e1Organizational.34-06.e 1504.06e1Organizational.34-06.e 15 Incident Management 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements Shared n/a Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. 16
hipaa 1505.11a1Organizational.13-11.a hipaa-1505.11a1Organizational.13-11.a 1505.11a1Organizational.13-11.a 15 Incident Management 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. 19
hipaa 1506.11a1Organizational.2-11.a hipaa-1506.11a1Organizational.2-11.a 1506.11a1Organizational.2-11.a 15 Incident Management 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a There is a point of contact for reporting information security events who is made known throughout the organization, always available, and able to provide adequate and timely response. The organization also maintains a list of third-party contact information (e.g., the email addresses of their information security officers), which can be used to report a security incident. 10
hipaa 1508.11a2Organizational.1-11.a hipaa-1508.11a2Organizational.1-11.a 1508.11a2Organizational.1-11.a 15 Incident Management 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The organization provides a process/mechanism to anonymously report security issues. 8
hipaa 1509.11a2Organizational.236-11.a hipaa-1509.11a2Organizational.236-11.a 1509.11a2Organizational.236-11.a 15 Incident Management 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. 17
hipaa 1510.11a2Organizational.47-11.a hipaa-1510.11a2Organizational.47-11.a 1510.11a2Organizational.47-11.a 15 Incident Management 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. 11
hipaa 1511.11a2Organizational.5-11.a hipaa-1511.11a2Organizational.5-11.a 1511.11a2Organizational.5-11.a 15 Incident Management 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a All employees, contractors and third-party users receive mandatory incident response training to ensure they are aware of their responsibilities to report information security events as quickly as possible, the procedure for reporting information security events, and the point(s) of contact, including the incident response team, and the contact information is published and made readily available. 13
hipaa 1512.11a2Organizational.8-11.a hipaa-1512.11a2Organizational.8-11.a 1512.11a2Organizational.8-11.a 15 Incident Management 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Intrusion detection/information protection system (IDS/IPS) alerts are utilized for reporting information security events. 17
hipaa 1515.11a3Organizational.3-11.a hipaa-1515.11a3Organizational.3-11.a 1515.11a3Organizational.3-11.a 15 Incident Management 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Incidents (or a sample of incidents) are reviewed to identify necessary improvement to the security controls. 11
ISO27001-2013 A.12.4.1 ISO27001-2013_A.12.4.1 ISO 27001:2013 A.12.4.1 Operations Security Event Logging Shared n/a Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. link 53
ISO27001-2013 A.16.1.1 ISO27001-2013_A.16.1.1 ISO 27001:2013 A.16.1.1 Information Security Incident Management Responsibilities and procedures Shared n/a Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. link 7
ISO27001-2013 A.16.1.4 ISO27001-2013_A.16.1.4 ISO 27001:2013 A.16.1.4 Information Security Incident Management Assessment of and decision on information security events Shared n/a Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. link 23
ISO27001-2013 A.16.1.5 ISO27001-2013_A.16.1.5 ISO 27001:2013 A.16.1.5 Information Security Incident Management Response to information security incidents Shared n/a Information security incidents shall be responded to in accordance with the documented procedures. link 12
ISO27001-2013 A.16.1.6 ISO27001-2013_A.16.1.6 ISO 27001:2013 A.16.1.6 Information Security Incident Management Learning from information security incidents Shared n/a Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. link 13
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
NIST_SP_800-171_R2_3 .6.1 NIST_SP_800-171_R2_3.6.1 NIST SP 800-171 R2 3.6.1 Incident response Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. [SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-161] provides guidance on supply chain risk management. link 12
NIST_SP_800-53_R4 IR-4 NIST_SP_800-53_R4_IR-4 NIST SP 800-53 Rev. 4 IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 24
NIST_SP_800-53_R4 IR-4(1) NIST_SP_800-53_R4_IR-4(1) NIST SP 800-53 Rev. 4 IR-4 (1) Incident Response Automated Incident Handling Processes Shared n/a The organization employs automated mechanisms to support the incident handling process. Supplemental Guidance: Automated mechanisms supporting incident handling processes include, for example, online incident management systems. link 3
NIST_SP_800-53_R4 IR-7(1) NIST_SP_800-53_R4_IR-7(1) NIST SP 800-53 Rev. 4 IR-7 (1) Incident Response Automation Support For Availability Of Information / Support Shared n/a The organization employs automated mechanisms to increase the availability of incident response- related information and support. Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. link 7
NIST_SP_800-53_R4 IR-8 NIST_SP_800-53_R4_IR-8 NIST SP 800-53 Rev. 4 IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
NIST_SP_800-53_R4 IR-9 NIST_SP_800-53_R4_IR-9 NIST SP 800-53 Rev. 4 IR-9 Incident Response Information Spillage Response Shared n/a The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; c. Isolating the contaminated information system or system component; d. Eradicating the information from the contaminated information system or component; e. Identifying other information systems or system components that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions]. Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. References: None. link 7
NIST_SP_800-53_R4 SI-4(5) NIST_SP_800-53_R4_SI-4(5) NIST SP 800-53 Rev. 4 SI-4 (5) System And Information Integrity System-Generated Alerts Shared n/a The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization- defined compromise indicators]. Supplemental Guidance: Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6. link 3
NIST_SP_800-53_R5 IR-4 NIST_SP_800-53_R5_IR-4 NIST SP 800-53 Rev. 5 IR-4 Incident Response Incident Handling Shared n/a a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. link 24
NIST_SP_800-53_R5 IR-4(1) NIST_SP_800-53_R5_IR-4(1) NIST SP 800-53 Rev. 5 IR-4 (1) Incident Response Automated Incident Handling Processes Shared n/a Support the incident handling process using [Assignment: organization-defined automated mechanisms]. link 3
NIST_SP_800-53_R5 IR-7(1) NIST_SP_800-53_R5_IR-7(1) NIST SP 800-53 Rev. 5 IR-7 (1) Incident Response Automation Support for Availability of Information and Support Shared n/a Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms]. link 7
NIST_SP_800-53_R5 IR-8 NIST_SP_800-53_R5_IR-8 NIST SP 800-53 Rev. 5 IR-8 Incident Response Incident Response Plan Shared n/a a. Develop an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8. Addresses the sharing of incident information; 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and e. Protect the incident response plan from unauthorized disclosure and modification. link 6
NIST_SP_800-53_R5 IR-9 NIST_SP_800-53_R5_IR-9 NIST SP 800-53 Rev. 5 IR-9 Incident Response Information Spillage Response Shared n/a Respond to information spills by: a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills; b. Identifying the specific information involved in the system contamination; c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; d. Isolating the contaminated system or system component; e. Eradicating the information from the contaminated system or component; f. Identifying other systems or system components that may have been subsequently contaminated; and g. Performing the following additional actions: [Assignment: organization-defined actions]. link 7
NIST_SP_800-53_R5 SI-4(5) NIST_SP_800-53_R5_SI-4(5) NIST SP 800-53 Rev. 5 SI-4 (5) System and Information Integrity System-generated Alerts Shared n/a Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. link 3
op.exp.7 Incident management op.exp.7 Incident management 404 not found n/a n/a 103
op.exp.8 Recording of the activity op.exp.8 Recording of the activity 404 not found n/a n/a 67
op.exp.9 Incident management record op.exp.9 Incident management record 404 not found n/a n/a 30
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
PCI_DSS_v4.0 11.5.1 PCI_DSS_v4.0_11.5.1 PCI DSS v4.0 11.5.1 Requirement 11: Test Security of Systems and Networks Regularly Network intrusions and unexpected file changes are detected and responded to Shared n/a Intrusion-detection and/or intrusionprevention techniques are used to detect and/or prevent intrusions into the network as follows: • All traffic is monitored at the perimeter of the CDE. • All traffic is monitored at critical points in the CDE. • Personnel are alerted to suspected compromises. • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date. link 5
PCI_DSS_v4.0 11.5.1.1 PCI_DSS_v4.0_11.5.1.1 PCI DSS v4.0 11.5.1.1 Requirement 11: Test Security of Systems and Networks Regularly Network intrusions and unexpected file changes are detected and responded to Shared n/a Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. link 3
PCI_DSS_v4.0 12.10.2 PCI_DSS_v4.0_12.10.2 PCI DSS v4.0 12.10.2 Requirement 12: Support Information Security with Organizational Policies and Programs Suspected and confirmed security incidents that could impact the CDE are responded to immediately Shared n/a At least once every 12 months, the security incident response plan is: • Reviewed and the content is updated as needed. • Tested, including all elements listed in Requirement 12.10.1. link 6
PCI_DSS_v4.0 12.10.5 PCI_DSS_v4.0_12.10.5 PCI DSS v4.0 12.10.5 Requirement 12: Support Information Security with Organizational Policies and Programs Suspected and confirmed security incidents that could impact the CDE are responded to immediately Shared n/a The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: • Intrusion-detection and intrusion-prevention systems. • Network security controls. • Change-detection mechanisms for critical files. • The change-and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Detection of unauthorized wireless access points. link 3
PCI_DSS_v4.0 12.10.7 PCI_DSS_v4.0_12.10.7 PCI DSS v4.0 12.10.7 Requirement 12: Support Information Security with Organizational Policies and Programs Suspected and confirmed security incidents that could impact the CDE are responded to immediately Shared n/a Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include: • Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable. • Identifying whether sensitive authentication data is stored with PAN. • Determining where the account data came from and how it ended up where it was not expected. • Remediating data leaks or process gaps that resulted in the account data being where it was not expected. link 8
SOC_2 CC7.4 SOC_2_CC7.4 SOC 2 Type 2 CC7.4 System Operations Security incidents response Shared The customer is responsible for implementing this recommendation. Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. • Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. • Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. • Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. • Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. • Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. • Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. • Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. • Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident-response program. • Evaluates the Effectiveness of Incident Response — The design of incident-response activities is evaluated for effectiveness on a periodic basis. • Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. • Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements 17
SOC_2 CC7.5 SOC_2_CC7.5 SOC 2 Type 2 CC7.5 System Operations Recovery from identified security incidents Shared The customer is responsible for implementing this recommendation. • Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results 19
SOC_2 P6.6 SOC_2_P6.6 SOC 2 Type 2 P6.6 Additional Criteria For Privacy Privacy incident notification Shared The customer is responsible for implementing this recommendation. • Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Provides Notice of Breaches and Incidents — The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy. 2
SWIFT_CSCF_v2022 11.2 SWIFT_CSCF_v2022_11.2 SWIFT CSCF v2022 11.2 11. Monitor in case of Major Disaster Ensure a consistent and effective approach for the management of incidents (Problem Management). Shared n/a Ensure a consistent and effective approach for the management of incidents (Problem Management). link 20
SWIFT_CSCF_v2022 11.4 SWIFT_CSCF_v2022_11.4 SWIFT CSCF v2022 11.4 11. Monitor in case of Major Disaster Ensure an adequate escalation of operational malfunctions in case of customer impact. Shared n/a Ensure an adequate escalation of operational malfunctions in case of customer impact. link 14
SWIFT_CSCF_v2022 11.5 SWIFT_CSCF_v2022_11.5 SWIFT CSCF v2022 11.5 11. Monitor in case of Major Disaster Effective support is offered to customers in case they face problems during their business hours. Shared n/a Effective support is offered to customers in case they face problems during their business hours. link 10
SWIFT_CSCF_v2022 6.5A SWIFT_CSCF_v2022_6.5A SWIFT CSCF v2022 6.5A 6. Detect Anomalous Activity to Systems or Transaction Records Detect and contain anomalous network activity into and within the local or remote SWIFT environment. Shared n/a Intrusion detection is implemented to detect unauthorised network access and anomalous activity. link 17
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 2b4e134f-1e4c-2bff-573e-082d85479b6e
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC