last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Maintain incident response plan

Name Maintain incident response plan
Azure Portal
Id 37546841-8ea1-5be0-214d-8ac599588332
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0352 - Maintain incident response plan
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 30 compliance controls are associated with this Policy definition 'Maintain incident response plan' (37546841-8ea1-5be0-214d-8ac599588332)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IR-4 FedRAMP_High_R4_IR-4 FedRAMP High IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 25
FedRAMP_High_R4 IR-8 FedRAMP_High_R4_IR-8 FedRAMP High IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
FedRAMP_Moderate_R4 IR-4 FedRAMP_Moderate_R4_IR-4 FedRAMP Moderate IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 25
FedRAMP_Moderate_R4 IR-8 FedRAMP_Moderate_R4_IR-8 FedRAMP Moderate IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
hipaa 1501.02f1Organizational.123-02.f hipaa-1501.02f1Organizational.123-02.f 1501.02f1Organizational.123-02.f 15 Incident Management 1501.02f1Organizational.123-02.f 02.03 During Employment Shared n/a Sanctions are fairly applied to employees following violations of the information security policies once a breach is verified and includes consideration of multiple factors. The organization documents personnel involved in incidents, steps taken, and the timeline associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident. 11
hipaa 1505.11a1Organizational.13-11.a hipaa-1505.11a1Organizational.13-11.a 1505.11a1Organizational.13-11.a 15 Incident Management 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. 19
hipaa 1509.11a2Organizational.236-11.a hipaa-1509.11a2Organizational.236-11.a 1509.11a2Organizational.236-11.a 15 Incident Management 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. 17
hipaa 1510.11a2Organizational.47-11.a hipaa-1510.11a2Organizational.47-11.a 1510.11a2Organizational.47-11.a 15 Incident Management 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. 11
hipaa 1511.11a2Organizational.5-11.a hipaa-1511.11a2Organizational.5-11.a 1511.11a2Organizational.5-11.a 15 Incident Management 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a All employees, contractors and third-party users receive mandatory incident response training to ensure they are aware of their responsibilities to report information security events as quickly as possible, the procedure for reporting information security events, and the point(s) of contact, including the incident response team, and the contact information is published and made readily available. 13
hipaa 1515.11a3Organizational.3-11.a hipaa-1515.11a3Organizational.3-11.a 1515.11a3Organizational.3-11.a 15 Incident Management 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Incidents (or a sample of incidents) are reviewed to identify necessary improvement to the security controls. 11
hipaa 1516.11c1Organizational.12-11.c hipaa-1516.11c1Organizational.12-11.c 1516.11c1Organizational.12-11.c 15 Incident Management 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The security incident response program accounts for and prepares the organization for a variety of incidents. 10
hipaa 1517.11c1Organizational.3-11.c hipaa-1517.11c1Organizational.3-11.c 1517.11c1Organizational.3-11.c 15 Incident Management 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a There is a point of contact who is responsible for coordinating incident responses and has the authority to direct actions required in all phases of the incident response process. 6
hipaa 1520.11c2Organizational.4-11.c hipaa-1520.11c2Organizational.4-11.c 1520.11c2Organizational.4-11.c 15 Incident Management 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The incident response plan is communicated to the appropriate individuals throughout the organization. 8
hipaa 1521.11c2Organizational.56-11.c hipaa-1521.11c2Organizational.56-11.c 1521.11c2Organizational.56-11.c 15 Incident Management 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. 16
hipaa 1560.11d1Organizational.1-11.d hipaa-1560.11d1Organizational.1-11.d 1560.11d1Organizational.1-11.d 15 Incident Management 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy. 8
hipaa 1563.11d2Organizational.3-11.d hipaa-1563.11d2Organizational.3-11.d 1563.11d2Organizational.3-11.d 15 Incident Management 1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization incorporates lessons learned from ongoing incident handling activities and industry developments into incident response procedures, training and testing exercises, and implements the resulting changes accordingly. 4
hipaa 1587.11c2Organizational.10-11.c hipaa-1587.11c2Organizational.10-11.c 1587.11c2Organizational.10-11.c 15 Incident Management 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The incident management plan is reviewed and updated annually. 9
ISO27001-2013 A.16.1.1 ISO27001-2013_A.16.1.1 ISO 27001:2013 A.16.1.1 Information Security Incident Management Responsibilities and procedures Shared n/a Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. link 7
ISO27001-2013 A.16.1.4 ISO27001-2013_A.16.1.4 ISO 27001:2013 A.16.1.4 Information Security Incident Management Assessment of and decision on information security events Shared n/a Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. link 23
ISO27001-2013 A.16.1.5 ISO27001-2013_A.16.1.5 ISO 27001:2013 A.16.1.5 Information Security Incident Management Response to information security incidents Shared n/a Information security incidents shall be responded to in accordance with the documented procedures. link 12
ISO27001-2013 A.16.1.6 ISO27001-2013_A.16.1.6 ISO 27001:2013 A.16.1.6 Information Security Incident Management Learning from information security incidents Shared n/a Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. link 13
NIST_SP_800-53_R4 IR-4 NIST_SP_800-53_R4_IR-4 NIST SP 800-53 Rev. 4 IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 25
NIST_SP_800-53_R4 IR-8 NIST_SP_800-53_R4_IR-8 NIST SP 800-53 Rev. 4 IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
NIST_SP_800-53_R5 IR-4 NIST_SP_800-53_R5_IR-4 NIST SP 800-53 Rev. 5 IR-4 Incident Response Incident Handling Shared n/a a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. link 25
NIST_SP_800-53_R5 IR-8 NIST_SP_800-53_R5_IR-8 NIST SP 800-53 Rev. 5 IR-8 Incident Response Incident Response Plan Shared n/a a. Develop an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8. Addresses the sharing of incident information; 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and e. Protect the incident response plan from unauthorized disclosure and modification. link 6
PCI_DSS_v4.0 12.10.2 PCI_DSS_v4.0_12.10.2 PCI DSS v4.0 12.10.2 Requirement 12: Support Information Security with Organizational Policies and Programs Suspected and confirmed security incidents that could impact the CDE are responded to immediately Shared n/a At least once every 12 months, the security incident response plan is: • Reviewed and the content is updated as needed. • Tested, including all elements listed in Requirement 12.10.1. link 6
PCI_DSS_v4.0 12.10.6 PCI_DSS_v4.0_12.10.6 PCI DSS v4.0 12.10.6 Requirement 12: Support Information Security with Organizational Policies and Programs Suspected and confirmed security incidents that could impact the CDE are responded to immediately Shared n/a The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments. link 2
SOC_2 CC7.4 SOC_2_CC7.4 SOC 2 Type 2 CC7.4 System Operations Security incidents response Shared The customer is responsible for implementing this recommendation. Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. • Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. • Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. • Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. • Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. • Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. • Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. • Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. • Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident-response program. • Evaluates the Effectiveness of Incident Response — The design of incident-response activities is evaluated for effectiveness on a periodic basis. • Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. • Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements 17
SOC_2 CC7.5 SOC_2_CC7.5 SOC 2 Type 2 CC7.5 System Operations Recovery from identified security incidents Shared The customer is responsible for implementing this recommendation. • Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results 19
SWIFT_CSCF_v2022 11.2 SWIFT_CSCF_v2022_11.2 SWIFT CSCF v2022 11.2 11. Monitor in case of Major Disaster Ensure a consistent and effective approach for the management of incidents (Problem Management). Shared n/a Ensure a consistent and effective approach for the management of incidents (Problem Management). link 20
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 37546841-8ea1-5be0-214d-8ac599588332
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON