IRO-04.1: Data Breach
Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
Control Question: Does the organization address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations?
General (10)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC7.3 CC7.3-POF4 CC7.3-POF5 P6.3 P6.6 P6.6-POF2 P6.7 |
| Generally Accepted Privacy Principles (GAPP) | 1.2.7 7.2.4 |
| ISO 27002 2022 | 5.25 |
| ISO 27018 2014 | A.9.1 |
| NAIC Insurance Data Security Model Law (MDL-668) | 6.C |
| NIST Privacy Framework 1.0 | GV.MT-P4 GV.MT-P5 |
| NIST 800-53 R4 | SE-2 |
| NIST 800-53 R5 (source) | IR-8(1) |
| NIST 800-53B R5 (privacy) (source) | IR-8(1) |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IRO-04.1 |
US (11)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | IMC:SG1.SP1 IMC:SG4.SP2 |
| US CJIS Security Policy 5.9.3 (source) | IR-8(1) |
| US CMS MARS-E 2.0 | SE-2 |
| US DFARS Cybersecurity 252.204-70xx | 252.204-7012(c)(1)(i) 252.204-7012(c)(1)(ii) 252.204-7012(c)(2) 252.204-7012(c)(3) 252.204-7012(d) 252.204-7012(e) 252.204-7012(f) 252.204-7012(g) 252.204-7012(h) |
| US HIPAA Administrative Simplification 2013 (source) | 164.404(a)(1) 164.404(a)(2) 164.404(c)(1)(A) 164.404(c)(1)(B) 164.404(c)(1)(C) 164.404(c)(1)(D) 164.404(c)(1)(E) 164.404(c)(2) 164.404(d)(1)(i) 164.404(d)(1)(ii) 164.404(d)(2) 164.404(d)(2)(i) 164.404(d)(2)(ii)(A) 164.404(d)(2)(ii)(B) 164.404(d)(3) 164.406(a) 164.406(b) 164.406(c) 164.410(c)(1) |
| US IRS 1075 | 1.8.3 IR-8(1) |
| US NNPI (unclass) | 8.1 8.2 8.3 8.4 |
| US SSA EIESR 8.0 | 5.6 |
| US - IL PIPA | 10(a) 10(a)(1)(A) 10(a)(1)(B) 10(a)(1)(C) 10(a)(2) 10(b) 10(c)(1) 10(c)(2) 10(c)(3) 10(d) 10(e)(1) 10(e)(2) 10(e)(2)(A) 10(e)(2)(B) 10(e)(2)(C) |
| US - NY SHIELD Act S5575B | 3(2) 3(2)(a) 3(2)(b)(i) 3(2)(b)(ii) 3(2)(b)(iii) 3(2)(b)(iv) 3(3) 3(5)(a) 3(5)(b) 3(5)(c) 3(5)(d) 3(5)(d)(1) 3(5)(d)(2) 3(5)(d)(3) 3(7) 3(8)(a) 3(8)(b) 3(9) |
| US - TX BC521 | 521.053 |
EMEA (9)
| Framework | Mapping Values |
|---|---|
| EMEA EU GDPR (source) | 33.1 |
| EMEA Germany C5 2020 | SIM-02 |
| EMEA Kenya DPA 2019 | 43(1)(b) 43(2) 43(3) 43(4) 43(5) 43(5)(a) 43(5)(b) 43(5)(c) 43(5)(d) 43(5)(e) 43(6) 43(7) 43(8)(a) 43(8)(b) 43(8)(c) |
| EMEA Qatar PDPPL | 14 |
| EMEA Saudi Arabia PDPL | 20.1 20.2 |
| EMEA Serbia 87/2018 | 53 53.1 53.2 53.3 |
| EMEA South Africa | 22 |
| EMEA Switzerland | 12 |
| EMEA UK DPA | Chapter29-Schedule1-Part1-Principles 7 |
APAC (7)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0133 |
| APAC China Privacy Law | 57 57(1) 57(2) 57(3) |
| APAC India DPDPA 2023 | 8(6) |
| APAC Japan APPI | 22-2(1) 22-2(2) |
| APAC Philippines | 38 |
| APAC South Korea | 34 |
| APAC Taiwan | 12 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Brazil LGPD | 48 |
| Americas Mexico | 20 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations.
- Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that include preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
Assessment Objectives
- IRO-04.1_A01 the incident response plan for breaches involving Personal Data (PD) includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed.
- IRO-04.1_A02 the incident response plan for breaches involving Personal Data (PD) includes an assessment process to determine the extent of the harm, embarrassment, inconvenience or unfairness to affected individuals and any mechanisms to mitigate such harms.
- IRO-04.1_A03 the incident response plan for breaches involving Personal Data (PD) includes the identification of applicable privacy requirements.
Technology Recommendations
Micro/Small
- Incident Response Plan (IRP)
Small
- Incident Response Plan (IRP)
Medium
- Integrated Incident Response Program (IIRP)
Large
- Integrated Incident Response Program (IIRP)
Enterprise
- Integrated Incident Response Program (IIRP)