Name/Id: ACF1358 / Microsoft Managed Control 1358 Category: Incident Response Title: Incident Response Testing Ownership: Customer, Microsoft Description: The organization tests the incident response capability for the information system At least every 6 months using Tests and exercises in accordance with NIST Special Publication 800-61 to determine the incident response effectiveness and documents the results. Requirements: Azure tests the incident management capability by using a process that is consistent with the NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide. The Azure incident management capability is exercised by the Security Response Team on a regular basis as security incidents are identified and reported. In addition, Red Team exercises are utilized generally every two weeks to test and identify weaknesses in the incident management process. Lastly, regular mandatory exercises in coordination with contingency planning activities are performed at least annually.
All issues and action items identified during the exercise are documented in an incident tracking system and worked on until resolved. During the post-exercise phase, lessons learned are discussed and incident management policies and procedures are updated accordingly.
After the exercises, a post-exercise summary is documented. The post-exercise summary documents the incident ticket number which details how Azure determined there was an incident all the way through the resolution of the incident. Each incident entry is documented in an incident tracking system including identifying the personnel that made updates to the ticket.
The Security Response Team regularly evaluates response methodology and tools to ensure optimal performance during incidents in Azure as part of the Post incident management (PIR) process.
The following 2 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1358 - Incident Response Testing' (effbaeef-5bf4-400d-895e-ef8cbc0e64c7)
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators: <, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx: Learn more
Where essential or important entities become aware of a significant incident, they should be required to submit an early warning without undue delay and in any event within 24 hours. That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident, with the aim, in particular, of updating information submitted through the early warning and indicating an initial assessment of the significant incident, including its severity and impact, as well as indicators of compromise, where available. A final report should be submitted not later than one month after the incident notification. The early warning should only include the information necessary to make the CSIRT, or where applicable the competent authority, aware of the significant incident and allow the entity concerned to seek assistance, if required. Such early warning, where applicable, should indicate whether the significant incident is suspected of being caused by unlawful or malicious acts, and whether it is likely to have a cross-border impact. Member States should ensure that the obligation to submit that early warning, or the subsequent incident notification, does not divert the notifying entity’s resources from activities related to incident handling that should be prioritised, in order to prevent incident reporting obligations from either diverting resources from significant incident response handling or otherwise compromising the entity’s efforts in that respect. 27.12.2022 EN Official Journal of the European Union L 333/99 In the event of an ongoing incident at the time of the submission of the final report, Member States should ensure that entities concerned provide a progress report at that time, and a final report within one month of their handling of the significant incident
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators: <, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx: Learn more
