Function: Respond (RS)
Category: Communications (CO)
“Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.”
RS.CO-1: Personnel know their roles and order of operations when a response is needed
The incident response plan identifies the key personnel and provides a framework that includes preparation, detection and analysis, containment, eradication, and recovery operations. Additionally, responsible personnel should engage in the “lessons learned” step post-incident to acknowledge areas of the response plan where improvement is necessary and/or could benefit an effective response.
Testing the response plan reinforces the incident handling order of operations and communication with responsible personnel.
Audit Considerations
Auditors may review the incident response plan to verify that roles and responsibilities are defined. They may interview employees to determine if they know their assigned roles and responsibilities. Last, a review of incident response tests or training may be used to determine if the organization supports educating employees related to their roles.
Applicable CIS Critical Controls:
CIS Control 19 – Incident Response and Management
Incident response plans, defined roles, training, communications, and oversight are all components of an incident response infrastructure necessary to quickly discover an attack and effectively contain the damage, eradicate the attacker’s presence, and restore the network and systems.
Written incident response procedures must include definitions of personnel roles for handling incidents as well as defining the phases of incident handling. Testing the plan is a critical piece to reinforce the incident response plan and identify areas where improvements or additional training is required.
RS.CO-2: Events are reported consistent with established criteria
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal and state regulatory obligations. Providing multiple mechanisms for personnel to report incidents is an essential part of this requirement.
Audit Considerations
Auditors may review the incident response plan to determine if the reporting and communication structure is defined. Additionally, they may look to verify that employees are trained to report suspected security event and use copies of recent incident repots to validate communication and reporting structures.
Applicable CIS Critical Controls:
CIS Control 19 – Incident Response and Management
One of the foundational items in this control set is devising organization-wide standards for the time required for personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be provided. External reporting requirements also need to be identified and procedures built around notification to required 3rd parties.
RS.CO-3: Information is shared consistent with response plans
The response plan should define the appropriate procedures for sharing information with external parties who may have a need to know. These procedures should include how and who is responsible for sharing information with outside agencies. For instance, the public information office should coordinate all communications with the media.
Audit Considerations
Auditors may review the incident response plan to determine if information sharing is clearly defined as it relates to:
– Customers
– Law enforcement
– Regulators
– Media
– Information sharing organizations
Applicable CIS Critical Controls:
CIS Control 19 – Incident Response and Management
The organization should assemble and maintain information on third-party contact information to be used to report a security incident. Reaching out to local law enforcement to establish communication lines before an incident is recommended.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
As part of the communication plan, the procedures to communicate an incident with internal and external stakeholders should be defined in the incident response plan. Just as with previous controls, responsibilities for communication and who they will communicate with must be identified.
Audit Considerations
Auditors may determine if the organization has approved incident response and business continuity plans. Reports from previous incidents may be obtained to validate that the incident response plan, including the “lessons learned” components were executed.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Ongoing relationships with security groups and associations is important in an environment of rapidly changing technology and threats. Providing sanitized information related to an incident may help other organizations. The Research and Education Network – Information Sharing and Analysis Center (REN-ISAC) and the Multi-State – Information Sharing and Analysis Center (MS-ISAC) are good avenues to providing relevant information for overall cybersecurity awareness.
This may also include external third parties and customers following an incident. Having templates for notifications in place before an incident may help in producing this type of notification.
Audit Considerations
Auditors may review the incident response plan to determine if a process is in place to communicate with external stakeholders following an incident.