The following compliance controls are associated with this Policy definition 'Provide information spillage training' (2d4d0e90-32d9-4deb-2166-a00d51ed57c0):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | IR-2 | FedRAMP_High_R4_IR-2 | FedRAMP High IR-2 | Incident Response | Incident Response Training | Shared | n/a | The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. References: NIST Special Publications 800-16, 800-50. | link | 1 |
| FedRAMP_High_R4 | IR-9(2) | FedRAMP_High_R4_IR-9(2) | FedRAMP High IR-9 (2) | Incident Response | Training | Shared | n/a | The organization provides information spillage response training [Assignment: organization-defined frequency]. | link | 1 |
| FedRAMP_Moderate_R4 | IR-2 | FedRAMP_Moderate_R4_IR-2 | FedRAMP Moderate IR-2 | Incident Response | Incident Response Training | Shared | n/a | The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. References: NIST Special Publications 800-16, 800-50. | link | 1 |
| FedRAMP_Moderate_R4 | IR-9(2) | FedRAMP_Moderate_R4_IR-9(2) | FedRAMP Moderate IR-9 (2) | Incident Response | Training | Shared | n/a | The organization provides information spillage response training [Assignment: organization-defined frequency]. | link | 1 |
| hipaa | 1304.02e3Organizational.1-02.e | hipaa-1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e | 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e 02.03 During Employment | Shared | n/a | Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization's systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. | | 9 |
| hipaa | 1311.12c2Organizational.3-12.c | hipaa-1311.12c2Organizational.3-12.c | 1311.12c2Organizational.3-12.c | 13 Education, Training and Awareness | 1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | The organization's employees are provided with crisis management awareness and training. | | 3 |
| hipaa | 1313.02e1Organizational.3-02.e | hipaa-1313.02e1Organizational.3-02.e | 1313.02e1Organizational.3-02.e | 13 Education, Training and Awareness | 1313.02e1Organizational.3-02.e 02.03 During Employment | Shared | n/a | The organization provides incident response and contingency training to information system users consistent with assigned roles and responsibilities within 90 days of assuming an incident response role or responsibility; when required by information system changes; and within every 365 days thereafter. | | 3 |
| hipaa | 1505.11a1Organizational.13-11.a | hipaa-1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a | 15 Incident Management | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. | | 19 |
| hipaa | 1508.11a2Organizational.1-11.a | hipaa-1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a | 15 Incident Management | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | The organization provides a process/mechanism to anonymously report security issues. | | 8 |
| hipaa | 1509.11a2Organizational.236-11.a | hipaa-1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a | 15 Incident Management | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. | | 17 |
| hipaa | 1510.11a2Organizational.47-11.a | hipaa-1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a | 15 Incident Management | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. | | 11 |
| hipaa | 1511.11a2Organizational.5-11.a | hipaa-1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a | 15 Incident Management | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | All employees, contractors and third-party users receive mandatory incident response training to ensure they are aware of their responsibilities to report information security events as quickly as possible, the procedure for reporting information security events, and the point(s) of contact, including the incident response team, and the contact information is published and made readily available. | | 13 |
| hipaa | 1516.11c1Organizational.12-11.c | hipaa-1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c | 15 Incident Management | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The security incident response program accounts for and prepares the organization for a variety of incidents. | | 10 |
| hipaa | 1521.11c2Organizational.56-11.c | hipaa-1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c | 15 Incident Management | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. | | 16 |
| hipaa | 1589.11c1Organizational.5-11.c | hipaa-1589.11c1Organizational.5-11.c | 1589.11c1Organizational.5-11.c | 15 Incident Management | 1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The organization tests and/or exercises its incident response capability regularly. | | 4 |
| ISO27001-2013 | A.7.2.2 | ISO27001-2013_A.7.2.2 | ISO 27001:2013 A.7.2.2 | Human Resources Security | Information security awareness, education and training | Shared | n/a | All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | link | 15 |
| | mp.eq.3 Protection of portable devices | mp.eq.3 Protection of portable devices | | | | | n/a | n/a | | 71 |
| | mp.per.1 Job characterization | mp.per.1 Job characterization | | | | | n/a | n/a | | 41 |
| | mp.per.3 Awareness | mp.per.3 Awareness | | | | | n/a | n/a | | 15 |
| | mp.per.4 Training | mp.per.4 Training | | | | | n/a | n/a | | 14 |
| | mp.s.1 E-mail protection | mp.s.1 E-mail protection | | | | | n/a | n/a | | 48 |
| | mp.s.3 Protection of web browsing | mp.s.3 Protection of web browsing | | | | | n/a | n/a | | 51 |
| | mp.si.3 Custody | mp.si.3 Custody | | | | | n/a | n/a | | 27 |
| NIST_SP_800-171_R2 | 3.6.1 | NIST_SP_800-171_R2_3.6.1 | NIST SP 800-171 R2 3.6.1 | Incident response | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. [SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-161] provides guidance on supply chain risk management. | link | 12 |
| NIST_SP_800-53_R4 | IR-2 | NIST_SP_800-53_R4_IR-2 | NIST SP 800-53 Rev. 4 IR-2 | Incident Response | Incident Response Training | Shared | n/a | The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. References: NIST Special Publications 800-16, 800-50. | link | 1 |
| NIST_SP_800-53_R4 | IR-9(2) | NIST_SP_800-53_R4_IR-9(2) | NIST SP 800-53 Rev. 4 IR-9 (2) | Incident Response | Training | Shared | n/a | The organization provides information spillage response training [Assignment: organization-defined frequency]. | link | 1 |
| NIST_SP_800-53_R5 | IR-2 | NIST_SP_800-53_R5_IR-2 | NIST SP 800-53 Rev. 5 IR-2 | Incident Response | Incident Response Training | Shared | n/a | a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | link | 1 |
| NIST_SP_800-53_R5 | IR-9(2) | NIST_SP_800-53_R5_IR-9(2) | NIST SP 800-53 Rev. 5 IR-9 (2) | Incident Response | Training | Shared | n/a | Provide information spillage response training [Assignment: organization-defined frequency]. | link | 1 |
| PCI_DSS_v4.0 | 12.10.4 | PCI_DSS_v4.0_12.10.4 | PCI DSS v4.0 12.10.4 | Requirement 12: Support Information Security with Organizational Policies and Programs | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Shared | n/a | Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities. | link | 1 |
| PCI_DSS_v4.0 | 12.10.4.1 | PCI_DSS_v4.0_12.10.4.1 | PCI DSS v4.0 12.10.4.1 | Requirement 12: Support Information Security with Organizational Policies and Programs | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Shared | n/a | The frequency of periodic training for incident response personnel is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. | link | 1 |
| SWIFT_CSCF_v2022 | 11.2 | SWIFT_CSCF_v2022_11.2 | SWIFT CSCF v2022 11.2 | 11. Monitor in case of Major Disaster | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Shared | n/a | Ensure a consistent and effective approach for the management of incidents (Problem Management). | link | 20 |
| SWIFT_CSCF_v2022 | 7.1 | SWIFT_CSCF_v2022_7.1 | SWIFT CSCF v2022 7.1 | 7. Plan for Incident Response and Information Sharing | Ensure a consistent and effective approach for the management of cyber incidents. | Shared | n/a | The user has a defined and tested cyber-incident response plan. | link | 8 |