compliance controls are associated with this Policy definition 'Conduct incident response testing' (3545c827-26ee-282d-4629-23952a12008b)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
IR-3 |
FedRAMP_High_R4_IR-3 |
FedRAMP High IR-3 |
Incident Response |
Incident Response Testing |
Shared |
n/a |
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
References: NIST Special Publications 800-84, 800-115. |
link |
3 |
| FedRAMP_High_R4 |
IR-3(2) |
FedRAMP_High_R4_IR-3(2) |
FedRAMP High IR-3 (2) |
Incident Response |
Coordination With Related Plans |
Shared |
n/a |
The organization coordinates incident response testing with organizational elements responsible for related plans.
Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and
Occupant Emergency Plans. |
link |
3 |
| FedRAMP_Moderate_R4 |
IR-3 |
FedRAMP_Moderate_R4_IR-3 |
FedRAMP Moderate IR-3 |
Incident Response |
Incident Response Testing |
Shared |
n/a |
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
References: NIST Special Publications 800-84, 800-115. |
link |
3 |
| FedRAMP_Moderate_R4 |
IR-3(2) |
FedRAMP_Moderate_R4_IR-3(2) |
FedRAMP Moderate IR-3 (2) |
Incident Response |
Coordination With Related Plans |
Shared |
n/a |
The organization coordinates incident response testing with organizational elements responsible for related plans.
Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and
Occupant Emergency Plans. |
link |
3 |
| hipaa |
12102.09ab1Organizational.4-09.ab |
hipaa-12102.09ab1Organizational.4-09.ab |
12102.09ab1Organizational.4-09.ab |
12 Audit Logging & Monitoring |
12102.09ab1Organizational.4-09.ab 09.10 Monitoring |
Shared |
n/a |
The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. |
|
7 |
| hipaa |
1331.02e3Organizational.4-02.e |
hipaa-1331.02e3Organizational.4-02.e |
1331.02e3Organizational.4-02.e |
13 Education, Training and Awareness |
1331.02e3Organizational.4-02.e 02.03 During Employment |
Shared |
n/a |
The organization trains workforce members on how to properly respond to perimeter security alarms. |
|
6 |
| hipaa |
1505.11a1Organizational.13-11.a |
hipaa-1505.11a1Organizational.13-11.a |
1505.11a1Organizational.13-11.a |
15 Incident Management |
1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. |
|
19 |
| hipaa |
1509.11a2Organizational.236-11.a |
hipaa-1509.11a2Organizational.236-11.a |
1509.11a2Organizational.236-11.a |
15 Incident Management |
1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. |
|
17 |
| hipaa |
1510.11a2Organizational.47-11.a |
hipaa-1510.11a2Organizational.47-11.a |
1510.11a2Organizational.47-11.a |
15 Incident Management |
1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. |
|
11 |
| hipaa |
1516.11c1Organizational.12-11.c |
hipaa-1516.11c1Organizational.12-11.c |
1516.11c1Organizational.12-11.c |
15 Incident Management |
1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The security incident response program accounts for and prepares the organization for a variety of incidents. |
|
10 |
| hipaa |
1520.11c2Organizational.4-11.c |
hipaa-1520.11c2Organizational.4-11.c |
1520.11c2Organizational.4-11.c |
15 Incident Management |
1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The incident response plan is communicated to the appropriate individuals throughout the organization. |
|
8 |
| hipaa |
1521.11c2Organizational.56-11.c |
hipaa-1521.11c2Organizational.56-11.c |
1521.11c2Organizational.56-11.c |
15 Incident Management |
1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. |
|
16 |
| hipaa |
1560.11d1Organizational.1-11.d |
hipaa-1560.11d1Organizational.1-11.d |
1560.11d1Organizational.1-11.d |
15 Incident Management |
1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy. |
|
8 |
| hipaa |
1562.11d2Organizational.2-11.d |
hipaa-1562.11d2Organizational.2-11.d |
1562.11d2Organizational.2-11.d |
15 Incident Management |
1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The organization coordinates incident handling activities with contingency planning activities. |
|
12 |
| hipaa |
1563.11d2Organizational.3-11.d |
hipaa-1563.11d2Organizational.3-11.d |
1563.11d2Organizational.3-11.d |
15 Incident Management |
1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The organization incorporates lessons learned from ongoing incident handling activities and industry developments into incident response procedures, training and testing exercises, and implements the resulting changes accordingly. |
|
4 |
| hipaa |
1589.11c1Organizational.5-11.c |
hipaa-1589.11c1Organizational.5-11.c |
1589.11c1Organizational.5-11.c |
15 Incident Management |
1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
The organization tests and/or exercises its incident response capability regularly. |
|
4 |
| NIST_SP_800-171_R2_3 |
.6.3 |
NIST_SP_800-171_R2_3.6.3 |
NIST SP 800-171 R2 3.6.3 |
Incident response |
Test the organizational incident response capability. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. [SP 800-84] provides guidance on testing programs for information technology capabilities. |
link |
3 |
| NIST_SP_800-53_R4 |
IR-3 |
NIST_SP_800-53_R4_IR-3 |
NIST SP 800-53 Rev. 4 IR-3 |
Incident Response |
Incident Response Testing |
Shared |
n/a |
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
References: NIST Special Publications 800-84, 800-115. |
link |
3 |
| NIST_SP_800-53_R4 |
IR-3(2) |
NIST_SP_800-53_R4_IR-3(2) |
NIST SP 800-53 Rev. 4 IR-3 (2) |
Incident Response |
Coordination With Related Plans |
Shared |
n/a |
The organization coordinates incident response testing with organizational elements responsible for related plans.
Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and
Occupant Emergency Plans. |
link |
3 |
| NIST_SP_800-53_R5 |
IR-3 |
NIST_SP_800-53_R5_IR-3 |
NIST SP 800-53 Rev. 5 IR-3 |
Incident Response |
Incident Response Testing |
Shared |
n/a |
Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. |
link |
3 |
| NIST_SP_800-53_R5 |
IR-3(2) |
NIST_SP_800-53_R5_IR-3(2) |
NIST SP 800-53 Rev. 5 IR-3 (2) |
Incident Response |
Coordination with Related Plans |
Shared |
n/a |
Coordinate incident response testing with organizational elements responsible for related plans. |
link |
3 |
|
op.exp.7 Incident management |
op.exp.7 Incident management |
404 not found |
|
|
|
n/a |
n/a |
|
103 |
| SOC_2 |
CC7.5 |
SOC_2_CC7.5 |
SOC 2 Type 2 CC7.5 |
System Operations |
Recovery from identified security incidents |
Shared |
The customer is responsible for implementing this recommendation. |
• Restores the Affected Environment — The activities restore the affected environment
to functional operation by rebuilding systems, updating software, installing patches,
and changing configurations, as needed.
• Communicates Information About the Event — Communications about the nature of
the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal
and external).
• Determines Root Cause of the Event — The root cause of the event is determined.
• Implements Changes to Prevent and Detect Recurrences — Additional architecture
or changes to preventive and detective controls, or both, are implemented to prevent
and detect recurrences on a timely basis.
• Improves Response and Recovery Procedures — Lessons learned are analyzed and
the incident-response plan and recovery procedures are improved.
• Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system
components from across the entity that can impair availability; (3) scenarios that
consider the potential for the lack of availability of key personnel; and (4) revision
of continuity plans and systems based on test results |
|
19 |
| SWIFT_CSCF_v2022 |
11.2 |
SWIFT_CSCF_v2022_11.2 |
SWIFT CSCF v2022 11.2 |
11. Monitor in case of Major Disaster |
Ensure a consistent and effective approach for the management of incidents (Problem Management). |
Shared |
n/a |
Ensure a consistent and effective approach for the management of incidents (Problem Management). |
link |
20 |
| SWIFT_CSCF_v2022 |
9.1 |
SWIFT_CSCF_v2022_9.1 |
SWIFT CSCF v2022 9.1 |
9. Ensure Availability through Resilience |
Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. |
Shared |
n/a |
Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. |
link |
8 |