IR-04 Incident Handling

Incident Response

Baselines: Low, Moderate, High, Privacy

Description

The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

Supplemental Guidance

Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly. Related security controls: AU-06, PE-06.

Changes from Rev 4

Modifies text from ‘security incidents’ to the more general ‘incidents’.
Adds text to ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
Discussion expanded to explain that, for federal agencies, an incident that involves PII is considered a breach.

Enhancements

(1) The organization employs automated mechanisms to support the incident handling process.

Compliance Mappings

ISO 27001:2022

A.5.25, A.5.26, A.5.27, A.5.28, A.8.16

ISO 27002:2022

5.24, 5.25, 5.26, 5.27, 5.28, 8.16

COBIT 2019

DSS02, DSS03

CIS Controls v8

CIS 13, CIS 17, CIS 17.6, CIS 17.8, CIS 17.9

NIST CSF 2.0

DE.AE-02, DE.AE-04, DE.AE-08, GV.SC-08, ID.IM-03, RC.RP-01, RC.RP-02, RC.RP-04, RC.RP-06, RS.AN-03, RS.AN-06, RS.AN-07, RS.AN-08, RS.MA-01, RS.MA-02, RS.MA-03, RS.MA-04, RS.MA-05, RS.MI-01, RS.MI-02

SOC 2 TSC

CC2.2-POF10, CC2.2-POF3, CC7.3, CC7.3-POF1, CC7.4, CC7.4-POF1, CC7.4-POF10, CC7.4-POF11, CC7.4-POF12, CC7.4-POF13, CC7.4-POF2, CC7.4-POF3, CC7.4-POF4, CC7.4-POF5, CC7.4-POF6

PCI DSS v4.0.1

10.7, 11.5, 12.10

CSA CCM v4

LOG-05, SEF-02, SEF-03, SEF-05, SEF-06

CSA AICM v1

LOG-05, SEF-02, SEF-03, SEF-05, SEF-06, SEF-09

FINOS CCC

CCC-C15

ISO 42001:2023

A.3.3, A.8.4

IEC 62443

3-3 SR 7.4

NIS2 Directive

Art. 21(2)(b), Art. 21(2)(j)

PRA Operational Resilience

SS1/21-8.1

MAS TRM

127

BSI IT-Grundschutz

DER.2.1

ANSSI

Hygiene.35, Hygiene.39, Hygiene.40, SecNumCloud.17.1, SecNumCloud.17.2

FINMA Circular 2023/1

IV.A(41), IV.A(42), IV.A(43), IV.C(70), IV.D(71), IV.D(72)

OSFI B-13

B-13.2.5, B-13.3.4

EU GDPR

Art.33(1), Art.33(3), Art.33(4), Art.34(1)

EU DORA

Art.17(1), Art.17(3), Art.18(1), Art.18(2)

BIO2

5.24, 5.25, 5.26, 5.27, 5.28, 8.16

RBI CSF

Annex1.19, Annex1.22, ITGRCA.27

FISC Security Guidelines

FISC.O4

LGPD + BCB 4893

BCB.Art.5, BCB.Art.5-Supp, BCB.Art.6, BCB.Art.7, LGPD.Art.48, LGPD.Art.49

HKMA TM-E-1

TME1.11.3, TME1.5.4, TME1.7.5

MLPS 2.0

8.1.10.10, 8.1.5.4

DNB Good Practice

DNB.15.2

EU CRA

CRA.I.2k

SWIFT CSCF

SWIFT.7.1

SAMA CSF

3.6

NCA ECC

2-13, 3-2, 5-1

UAE IA

T11

CBB TM

TM-12, TM-13, TM-5

Qatar NIA

IM

CBUAE

CR-3, CR-9

CBE CSF

CD-2

SA JS2

JS2-7.3, JS2-7.4

CBN CSF

Part3.5, Part3.6

BoG CISD

CISD-VII

POPIA

s19, s22

BoM CTRM

4.25.1

IOSCO Cyber Resilience

DET-4, LE-1, PFMI-17, RR-1

BCBS 239

Principle 6

CPMI-IOSCO PFMI

CG.DE, CG.LE, CG.RR, PFMI.P17

FFIEC IS

III.B, III.C, III.D

NYDFS 500

500.14, 500.16, 500.2

HIPAA Security Rule

§164.308(a)(6)(i), §164.308(a)(6)(ii)

ECB CROE

CROE.2.4, CROE.2.5.1, CROE.2.8.1

EBA ICT Guidelines

3.5(d), 3.7.3

SEBI CSCRF

DE.CM, RS.AN, RS.IM, RS.MA, SOC

BOT Cyber Resilience

Ch4.1

CMMC 2.0

IR

NERC CIP

CIP-008-6, CIP-009-6, CIP-015-1

10 CFR 73.54

RG5.71-B-CP

TSA Pipeline SD

SD-2 Sec C

FERC CIP Orders

Order 881, Order 888

DOE C2M2 v2.1

RESPONSE

API 1164

Sec 10

AWIA

Sec 2013(b), AWWA Sec 6

IAEA NSS 17-T

Sec 7

CBEST

CBEST.5

TIBER-EU

TIBER.BT, TIBER.CLOSE

PCI HSM

10

Solvency II

DR.266, EIOPA-ICT-4.9

Lloyd's Minimum Standards

CRM.3, MS8.5

NAIC Insurance Data Security

4, 4F-a, 4F-b, 5

PRA SS1/23

P5.3

HITRUST CSF v11

11.a, 11.b, 11.c

FDA Cybersecurity Guidance

INC-1, INC-2, VR-1

ISO 27799

16.1, 16.2

NHS DSPT

NDG-6.1, NDG-6.3, NDG-6.4

MiCA

Art.64(1), Art.62(8), Art.92(1)

Basel SCO60

SCO60.23, SCO60.50, SCO60.53, SCO60.55, SCO60.63, SCO60.73, SCO60.82

BSSC Standards

TIS-04, GSP-05

SEC Custody (Digital Assets)

SEC-CD-11

ISO 17799 (legacy)

6.1.6, 13.2.1, 13.2.2

COBIT 4.1 (legacy)

PO9.5, PO9.6, DS8.2