compliance controls are associated with this Policy definition 'Eradicate contaminated information' (54a9c072-4a93-2a03-6a43-a060d30383d7)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
IR-4 |
FedRAMP_High_R4_IR-4 |
FedRAMP High IR-4 |
Incident Response |
Incident Handling |
Shared |
n/a |
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
References: Executive Order 13587; NIST Special Publication 800-61. |
link |
24 |
| FedRAMP_High_R4 |
IR-7(1) |
FedRAMP_High_R4_IR-7(1) |
FedRAMP High IR-7 (1) |
Incident Response |
Automation Support For Availability Of Information / Support |
Shared |
n/a |
The organization employs automated mechanisms to increase the availability of incident response- related information and support.
Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. |
link |
7 |
| FedRAMP_High_R4 |
IR-9 |
FedRAMP_High_R4_IR-9 |
FedRAMP High IR-9 |
Incident Response |
Information Spillage Response |
Shared |
n/a |
The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions].
Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.
References: None. |
link |
7 |
| FedRAMP_Moderate_R4 |
IR-4 |
FedRAMP_Moderate_R4_IR-4 |
FedRAMP Moderate IR-4 |
Incident Response |
Incident Handling |
Shared |
n/a |
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
References: Executive Order 13587; NIST Special Publication 800-61. |
link |
24 |
| FedRAMP_Moderate_R4 |
IR-7(1) |
FedRAMP_Moderate_R4_IR-7(1) |
FedRAMP Moderate IR-7 (1) |
Incident Response |
Automation Support For Availability Of Information / Support |
Shared |
n/a |
The organization employs automated mechanisms to increase the availability of incident response- related information and support.
Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. |
link |
7 |
| FedRAMP_Moderate_R4 |
IR-9 |
FedRAMP_Moderate_R4_IR-9 |
FedRAMP Moderate IR-9 |
Incident Response |
Information Spillage Response |
Shared |
n/a |
The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions].
Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.
References: None. |
link |
7 |
| hipaa |
1501.02f1Organizational.123-02.f |
hipaa-1501.02f1Organizational.123-02.f |
1501.02f1Organizational.123-02.f |
15 Incident Management |
1501.02f1Organizational.123-02.f 02.03 During Employment |
Shared |
n/a |
Sanctions are fairly applied to employees following violations of the information security policies once a breach is verified and includes consideration of multiple factors. The organization documents personnel involved in incidents, steps taken, and the timeline associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident. |
|
11 |
| hipaa |
1503.02f2Organizational.12-02.f |
hipaa-1503.02f2Organizational.12-02.f |
1503.02f2Organizational.12-02.f |
15 Incident Management |
1503.02f2Organizational.12-02.f 02.03 During Employment |
Shared |
n/a |
A contact in HR is appointed to handle employee security incidents and notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction. |
|
11 |
| hipaa |
1505.11a1Organizational.13-11.a |
hipaa-1505.11a1Organizational.13-11.a |
1505.11a1Organizational.13-11.a |
15 Incident Management |
1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. |
|
19 |
| hipaa |
1506.11a1Organizational.2-11.a |
hipaa-1506.11a1Organizational.2-11.a |
1506.11a1Organizational.2-11.a |
15 Incident Management |
1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
There is a point of contact for reporting information security events who is made known throughout the organization, always available, and able to provide adequate and timely response. The organization also maintains a list of third-party contact information (e.g., the email addresses of their information security officers), which can be used to report a security incident. |
|
10 |
| hipaa |
1508.11a2Organizational.1-11.a |
hipaa-1508.11a2Organizational.1-11.a |
1508.11a2Organizational.1-11.a |
15 Incident Management |
1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
The organization provides a process/mechanism to anonymously report security issues. |
|
8 |
| hipaa |
1509.11a2Organizational.236-11.a |
hipaa-1509.11a2Organizational.236-11.a |
1509.11a2Organizational.236-11.a |
15 Incident Management |
1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. |
|
17 |
| hipaa |
1511.11a2Organizational.5-11.a |
hipaa-1511.11a2Organizational.5-11.a |
1511.11a2Organizational.5-11.a |
15 Incident Management |
1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
All employees, contractors and third-party users receive mandatory incident response training to ensure they are aware of their responsibilities to report information security events as quickly as possible, the procedure for reporting information security events, and the point(s) of contact, including the incident response team, and the contact information is published and made readily available. |
|
13 |
| hipaa |
1515.11a3Organizational.3-11.a |
hipaa-1515.11a3Organizational.3-11.a |
1515.11a3Organizational.3-11.a |
15 Incident Management |
1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
Incidents (or a sample of incidents) are reviewed to identify necessary improvement to the security controls. |
|
11 |
| hipaa |
1521.11c2Organizational.56-11.c |
hipaa-1521.11c2Organizational.56-11.c |
1521.11c2Organizational.56-11.c |
15 Incident Management |
1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. |
|
16 |
| hipaa |
1522.11c3Organizational.13-11.c |
hipaa-1522.11c3Organizational.13-11.c |
1522.11c3Organizational.13-11.c |
15 Incident Management |
1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
An incident response support resource, who is an integral part of the organization's incident response capability, is available to offer advice and assistance to users of information systems for the handling and reporting of security incidents in a timely manner. |
|
6 |
| hipaa |
1561.11d2Organizational.14-11.d |
hipaa-1561.11d2Organizational.14-11.d |
1561.11d2Organizational.14-11.d |
15 Incident Management |
1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The organization has implemented an incident handling capability for security incidents that addresses: (i) policy (setting corporate direction) and procedures defining roles and responsibilities; (ii) incident handling procedures (business and technical); (iii) communication; (iv) reporting and retention; and, (v) references to a vulnerability management program. |
|
6 |
| hipaa |
1562.11d2Organizational.2-11.d |
hipaa-1562.11d2Organizational.2-11.d |
1562.11d2Organizational.2-11.d |
15 Incident Management |
1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The organization coordinates incident handling activities with contingency planning activities. |
|
12 |
| hipaa |
1587.11c2Organizational.10-11.c |
hipaa-1587.11c2Organizational.10-11.c |
1587.11c2Organizational.10-11.c |
15 Incident Management |
1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The incident management plan is reviewed and updated annually. |
|
9 |
| ISO27001-2013 |
A.16.1.4 |
ISO27001-2013_A.16.1.4 |
ISO 27001:2013 A.16.1.4 |
Information Security Incident Management |
Assessment of and decision on information security events |
Shared |
n/a |
Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. |
link |
23 |
| ISO27001-2013 |
A.16.1.5 |
ISO27001-2013_A.16.1.5 |
ISO 27001:2013 A.16.1.5 |
Information Security Incident Management |
Response to information security incidents |
Shared |
n/a |
Information security incidents shall be responded to in accordance with the documented procedures. |
link |
12 |
| ISO27001-2013 |
A.16.1.6 |
ISO27001-2013_A.16.1.6 |
ISO 27001:2013 A.16.1.6 |
Information Security Incident Management |
Learning from information security incidents |
Shared |
n/a |
Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. |
link |
13 |
| NIST_SP_800-171_R2_3 |
.6.1 |
NIST_SP_800-171_R2_3.6.1 |
NIST SP 800-171 R2 3.6.1 |
Incident response |
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. [SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-161] provides guidance on supply chain risk management. |
link |
12 |
| NIST_SP_800-53_R4 |
IR-4 |
NIST_SP_800-53_R4_IR-4 |
NIST SP 800-53 Rev. 4 IR-4 |
Incident Response |
Incident Handling |
Shared |
n/a |
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
References: Executive Order 13587; NIST Special Publication 800-61. |
link |
24 |
| NIST_SP_800-53_R4 |
IR-7(1) |
NIST_SP_800-53_R4_IR-7(1) |
NIST SP 800-53 Rev. 4 IR-7 (1) |
Incident Response |
Automation Support For Availability Of Information / Support |
Shared |
n/a |
The organization employs automated mechanisms to increase the availability of incident response- related information and support.
Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. |
link |
7 |
| NIST_SP_800-53_R4 |
IR-9 |
NIST_SP_800-53_R4_IR-9 |
NIST SP 800-53 Rev. 4 IR-9 |
Incident Response |
Information Spillage Response |
Shared |
n/a |
The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions].
Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.
References: None. |
link |
7 |
| NIST_SP_800-53_R5 |
IR-4 |
NIST_SP_800-53_R5_IR-4 |
NIST SP 800-53 Rev. 5 IR-4 |
Incident Response |
Incident Handling |
Shared |
n/a |
a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. |
link |
24 |
| NIST_SP_800-53_R5 |
IR-7(1) |
NIST_SP_800-53_R5_IR-7(1) |
NIST SP 800-53 Rev. 5 IR-7 (1) |
Incident Response |
Automation Support for Availability of Information and Support |
Shared |
n/a |
Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms]. |
link |
7 |
| NIST_SP_800-53_R5 |
IR-9 |
NIST_SP_800-53_R5_IR-9 |
NIST SP 800-53 Rev. 5 IR-9 |
Incident Response |
Information Spillage Response |
Shared |
n/a |
Respond to information spills by:
a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
b. Identifying the specific information involved in the system contamination;
c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
d. Isolating the contaminated system or system component;
e. Eradicating the information from the contaminated system or component;
f. Identifying other systems or system components that may have been subsequently contaminated; and
g. Performing the following additional actions: [Assignment: organization-defined actions]. |
link |
7 |
| PCI_DSS_v4.0 |
12.10.7 |
PCI_DSS_v4.0_12.10.7 |
PCI DSS v4.0 12.10.7 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Suspected and confirmed security incidents that could impact the CDE are responded to immediately |
Shared |
n/a |
Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include:
• Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable.
• Identifying whether sensitive authentication data is stored with PAN.
• Determining where the account data came from and how it ended up where it was not expected.
• Remediating data leaks or process gaps that resulted in the account data being where it was not expected. |
link |
8 |
| SOC_2 |
CC7.4 |
SOC_2_CC7.4 |
SOC 2 Type 2 CC7.4 |
System Operations |
Security incidents response |
Shared |
The customer is responsible for implementing this recommendation. |
Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary.
• Contains Security Incidents — Procedures are in place to contain security incidents
that actively threaten entity objectives.
• Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents.
• Ends Threats Posed by Security Incidents — Procedures are in place to end the
threats posed by security incidents through closure of the vulnerability, removal of
unauthorized access, and other remediation actions.
• Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives.
• Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties
are developed and implemented to meet the entity's objectives.
• Obtains Understanding of Nature of Incident and Determines Containment Strategy
— An understanding of the nature (for example, the method by which the incident
occurred and the affected system resources) and severity of the security incident is
obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach.
• Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated
through the development and execution of remediation activities.
• Communicates Remediation Activities — Remediation activities are documented
and communicated in accordance with the incident-response program.
• Evaluates the Effectiveness of Incident Response — The design of incident-response
activities is evaluated for effectiveness on a periodic basis.
• Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and
identifies the need for system changes based on incident patterns and root causes
Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data
subjects, legal and regulatory authorities, and others as required.
• Application of Sanctions — The conduct of individuals and organizations operating
under the authority of the entity and involved in the unauthorized use or disclosure
of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements |
|
17 |
| SOC_2 |
CC7.5 |
SOC_2_CC7.5 |
SOC 2 Type 2 CC7.5 |
System Operations |
Recovery from identified security incidents |
Shared |
The customer is responsible for implementing this recommendation. |
• Restores the Affected Environment — The activities restore the affected environment
to functional operation by rebuilding systems, updating software, installing patches,
and changing configurations, as needed.
• Communicates Information About the Event — Communications about the nature of
the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal
and external).
• Determines Root Cause of the Event — The root cause of the event is determined.
• Implements Changes to Prevent and Detect Recurrences — Additional architecture
or changes to preventive and detective controls, or both, are implemented to prevent
and detect recurrences on a timely basis.
• Improves Response and Recovery Procedures — Lessons learned are analyzed and
the incident-response plan and recovery procedures are improved.
• Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system
components from across the entity that can impair availability; (3) scenarios that
consider the potential for the lack of availability of key personnel; and (4) revision
of continuity plans and systems based on test results |
|
19 |
| SWIFT_CSCF_v2022 |
11.2 |
SWIFT_CSCF_v2022_11.2 |
SWIFT CSCF v2022 11.2 |
11. Monitor in case of Major Disaster |
Ensure a consistent and effective approach for the management of incidents (Problem Management). |
Shared |
n/a |
Ensure a consistent and effective approach for the management of incidents (Problem Management). |
link |
20 |
| SWIFT_CSCF_v2022 |
11.4 |
SWIFT_CSCF_v2022_11.4 |
SWIFT CSCF v2022 11.4 |
11. Monitor in case of Major Disaster |
Ensure an adequate escalation of operational malfunctions in case of customer impact. |
Shared |
n/a |
Ensure an adequate escalation of operational malfunctions in case of customer impact. |
link |
14 |
| SWIFT_CSCF_v2022 |
11.5 |
SWIFT_CSCF_v2022_11.5 |
SWIFT CSCF v2022 11.5 |
11. Monitor in case of Major Disaster |
Effective support is offered to customers in case they face problems during their business hours. |
Shared |
n/a |
Effective support is offered to customers in case they face problems during their business hours. |
link |
10 |