The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate
Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary
Procedures are in place to contain security incidents that actively threaten entity objectives
Procedures are in place to mitigate the effects of ongoing security incidents
Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions
Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives
Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives
An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach
Identified vulnerabilities are remediated through the development and execution of remediation activities
Remediation activities are documented and communicated in accordance with the incident response program
The design of incident response activities is evaluated for effectiveness on a periodic basis
Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes
Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required
The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements.
- IRO-01 - Incident Response Operations
- IRO-02 - Incident Handling
- IRO-04 - Incident Response Plan (IRP)
- IRO-07 - Integrated Security Incident Response Team (ISIRT)
- IRO-09 - Situational Awareness For Incidents
- IRO-10 - Incident Stakeholder Reporting
- IRO-10.2 - Cyber Incident Reporting for Sensitive Data
- IRO-10.4 - Supply Chain Coordination
- IRO-11.2 - Coordination With External Providers
- IRO-14 - Regulatory & Law Enforcement Contacts
- RSK-06 - Risk Remediation