IRO-02.6: Automatic Disabling of Technology Assets, Applications and/or Services (TAAS)

There is no evidence of a capability to automatically disable Technology Assets, Applications and/or Services (TAAS), up on detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.

C|P-CMM1 is N/A, since a structured process is required to automatically disable Technology Assets, Applications and/or Services (TAAS), up on detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.

C|P-CMM2 is N/A, since a well-defined process is required to automatically disable Technology Assets, Applications and/or Services (TAAS), up on detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.

Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
• The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
• A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
• Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
• An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to automatically disable Technology Assets, Applications and/or Services (TAAS), up on detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to automatically disable Technology Assets, Applications and/or Services (TAAS), up on detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.