| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
IR-1 |
FedRAMP_High_R4_IR-1 |
FedRAMP High IR-1 |
Incident Response |
Incident Response Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-61, 800-83, 800-100. |
link |
1 |
| FedRAMP_Moderate_R4 |
IR-1 |
FedRAMP_Moderate_R4_IR-1 |
FedRAMP Moderate IR-1 |
Incident Response |
Incident Response Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-61, 800-83, 800-100. |
link |
1 |
| hipaa |
0115.04b2Organizational.123-04.b |
hipaa-0115.04b2Organizational.123-04.b |
0115.04b2Organizational.123-04.b |
01 Information Protection Program |
0115.04b2Organizational.123-04.b 04.01 Information Security Policy |
Shared |
n/a |
The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; and such reviews, updates, and approvals occur no less than annually. |
|
20 |
| hipaa |
1518.11c2Organizational.13-11.c |
hipaa-1518.11c2Organizational.13-11.c |
1518.11c2Organizational.13-11.c |
15 Incident Management |
1518.11c2Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance requirements for its incident management program. |
|
1 |
| hipaa |
1561.11d2Organizational.14-11.d |
hipaa-1561.11d2Organizational.14-11.d |
1561.11d2Organizational.14-11.d |
15 Incident Management |
1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The organization has implemented an incident handling capability for security incidents that addresses: (i) policy (setting corporate direction) and procedures defining roles and responsibilities; (ii) incident handling procedures (business and technical); (iii) communication; (iv) reporting and retention; and, (v) references to a vulnerability management program. |
|
6 |
| ISO27001-2013 |
A.12.1.1 |
ISO27001-2013_A.12.1.1 |
ISO 27001:2013 A.12.1.1 |
Operations Security |
Documented operating procedures |
Shared |
n/a |
Operating procedures shall be documented and made available to all users who need them. |
link |
31 |
| ISO27001-2013 |
A.16.1.1 |
ISO27001-2013_A.16.1.1 |
ISO 27001:2013 A.16.1.1 |
Information Security Incident Management |
Responsibilities and procedures |
Shared |
n/a |
Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. |
link |
7 |
| ISO27001-2013 |
A.18.1.1 |
ISO27001-2013_A.18.1.1 |
ISO 27001:2013 A.18.1.1 |
Compliance |
Identification applicable legislation and contractual requirements |
Shared |
n/a |
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
link |
30 |
| ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
| ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
| ISO27001-2013 |
A.5.1.2 |
ISO27001-2013_A.5.1.2 |
ISO 27001:2013 A.5.1.2 |
Information Security Policies |
Review of the policies for information security |
Shared |
n/a |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
link |
29 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
C.5.1.b |
ISO27001-2013_C.5.1.b |
ISO 27001:2013 C.5.1.b |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
b) ensuring the integration of the information security management system requirements into the
organization’s processes. |
link |
28 |
| ISO27001-2013 |
C.5.2.c |
ISO27001-2013_C.5.2.c |
ISO 27001:2013 C.5.2.c |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
c) includes a commitment to satisfy applicable requirements related to information security. |
link |
23 |
| ISO27001-2013 |
C.5.2.d |
ISO27001-2013_C.5.2.d |
ISO 27001:2013 C.5.2.d |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
d) includes a commitment to continual improvement of the information security management system. |
link |
23 |
| NIST_SP_800-53_R4 |
IR-1 |
NIST_SP_800-53_R4_IR-1 |
NIST SP 800-53 Rev. 4 IR-1 |
Incident Response |
Incident Response Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-61, 800-83, 800-100. |
link |
1 |
| NIST_SP_800-53_R5 |
IR-1 |
NIST_SP_800-53_R5_IR-1 |
NIST SP 800-53 Rev. 5 IR-1 |
Incident Response |
Policy and Procedures |
Shared |
n/a |
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] incident response policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
c. Review and update the current incident response:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
link |
1 |
| SOC_2 |
CC7.3 |
SOC_2_CC7.3 |
SOC 2 Type 2 CC7.3 |
System Operations |
Security incidents detection |
Shared |
The customer is responsible for implementing this recommendation. |
Responds to Security Incidents — Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a
periodic basis.
• Communicates and Reviews Detected Security Events — Detected security events
are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.
• Develops and Implements Procedures to Analyze Security Incidents — Procedures
are in place to analyze security incidents and determine system impact
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Assesses the Impact on Personal Information — Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or
use of personal information and whether there has been a failure to comply with
applicable laws or regulations.
• Determines Personal Information Used or Disclosed — When an unauthorized use
or disclosure of personal information has occurred, the affected information is identified |
|
1 |
| SWIFT_CSCF_v2022 |
11.2 |
SWIFT_CSCF_v2022_11.2 |
SWIFT CSCF v2022 11.2 |
11. Monitor in case of Major Disaster |
Ensure a consistent and effective approach for the management of incidents (Problem Management). |
Shared |
n/a |
Ensure a consistent and effective approach for the management of incidents (Problem Management). |
link |
20 |
| SWIFT_CSCF_v2022 |
7.1 |
SWIFT_CSCF_v2022_7.1 |
SWIFT CSCF v2022 7.1 |
7. Plan for Incident Response and Information Sharing |
Ensure a consistent and effective approach for the management of cyber incidents. |
Shared |
n/a |
The user has a defined and tested cyber-incident response plan. |
link |
8 |