IRO-02.5: Correlation with External Organizations
Mechanisms exist to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Control Question: Does the organization coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses?
General (9)
| Framework | Mapping Values |
|---|---|
| GovRAMP High | IR-04(08) |
| NIST 800-53 R4 | IR-4(8) |
| NIST 800-53 R5 (source) | IR-4(8) |
| NIST 800-53 R5 (NOC) (source) | IR-4(8) |
| NIST 800-161 R1 | IR-1(1) |
| NIST CSF 2.0 (source) | DE.AE-03 GV.SC-08 RS.CO RS.MA-01 |
| SCF CORE ESP Level 1 Foundational | IRO-02.5 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-02.5 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-02.5 |
US (4)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | RESPONSE-1.D.MIL3 |
| US FedRAMP R4 | IR-4(8) |
| US FedRAMP R4 (high) | IR-4(8) |
| US IRS 1075 | IR-4(8) |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | OPS-21 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC India SEBI CSCRF | GV.SC.S6 RS.CO.S3 RS.MA.S5 |
| APAC New Zealand NZISM 3.6 | 7.3.10.C.01 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 3.6 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Assessment Objectives
- IRO-02.5_A01 external organizations with whom organizational incident information is to be coordinated and shared are defined.
- IRO-02.5_A02 incident information to be correlated and shared with organization-defined external organizations are defined.
- IRO-02.5_A03 there is coordination with external organizations to correlate and share incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Evidence Requirements
- E-IRO-01 Incident Response Program (IRP)
-
Documented evidence of a Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.
Incident Response