IRO-04.2: IRP Update

IRO 8 — High Respond

Mechanisms exist to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.

Control Question: Does the organization regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary?

General (34)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC7.4-POF11
GovRAMP Low	IR-01
GovRAMP Low+	IR-01
GovRAMP Moderate	IR-01
GovRAMP High	IR-01
NIST 800-53 R4	IR-1
NIST 800-53 R4 (low)	IR-1
NIST 800-53 R4 (moderate)	IR-1
NIST 800-53 R4 (high)	IR-1
NIST 800-53 R5 (source)	IR-1
NIST 800-53B R5 (privacy) (source)	IR-1
NIST 800-53B R5 (low) (source)	IR-1
NIST 800-53B R5 (moderate) (source)	IR-1
NIST 800-53B R5 (high) (source)	IR-1
NIST 800-82 R3 LOW OT Overlay	IR-1
NIST 800-82 R3 MODERATE OT Overlay	IR-1
NIST 800-82 R3 HIGH OT Overlay	IR-1
NIST 800-161 R1	IR-1
NIST 800-161 R1 C-SCRM Baseline	IR-1
NIST 800-161 R1 Flow Down	IR-1
NIST 800-161 R1 Level 1	IR-1
NIST 800-161 R1 Level 2	IR-1
NIST 800-161 R1 Level 3	IR-1
NIST 800-171 R2 (source)	NFO-IR-1
NIST 800-171 R3 (source)	03.06.04.b 03.06.05.c
NIST 800-171A R3 (source)	A.03.06.05.c
NIST CSF 2.0 (source)	ID.IM-04
PCI DSS 4.0.1 (source)	12.10.2 12.10.6
PCI DSS 4.0.1 SAQ D Merchant (source)	12.10.2 12.10.6
PCI DSS 4.0.1 SAQ D Service Provider (source)	12.10.2 12.10.6
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	IRO-04.2
SCF CORE ESP Level 1 Foundational	IRO-04.2
SCF CORE ESP Level 2 Critical Infrastructure	IRO-04.2
SCF CORE ESP Level 3 Advanced Threats	IRO-04.2

US (23)

Framework	Mapping Values
US CISA CPG 2022	2.S
US CJIS Security Policy 5.9.3 (source)	IR-1
US CMS MARS-E 2.0	IR-1
US FCA CRM	609.930(c)(3)
US FedRAMP R4	IR-1
US FedRAMP R4 (low)	IR-1
US FedRAMP R4 (moderate)	IR-1
US FedRAMP R4 (high)	IR-1
US FedRAMP R4 (LI-SaaS)	IR-1
US FedRAMP R5 (source)	IR-1
US FedRAMP R5 (low) (source)	IR-1
US FedRAMP R5 (moderate) (source)	IR-1
US FedRAMP R5 (high) (source)	IR-1
US FedRAMP R5 (LI-SaaS) (source)	IR-1
US FFIEC	D5.IR.Pl.Int.4 D5.IR.Te.Int.5
US GLBA CFR 314 2023 (source)	314.4(h)(7)
US IRS 1075	IR-1
US NERC CIP 2024 (source)	CIP-008-6 3.1.2 CIP-008-6 3.1.3 CIP-008-6 3.2.1 CIP-008-6 3.2.2
US NISPOM 2020	8-101 8-103
US - NY DFS 23 NYCRR500 2023 Amd 2	500.16(a)(1)(ix)
US - TX DIR Control Standards 2.0	IR-1
US - TX TX-RAMP Level 1	IR-1
US - TX TX-RAMP Level 2	IR-1

APAC (1)

Framework	Mapping Values
APAC India SEBI CSCRF	EV.ST.S3 RS.IM.S2

Americas (3)

Framework	Mapping Values
Americas Canada CSAG	5.9
Americas Canada OSFI B-13	2.7.3
Americas Canada ITSP-10-171	03.06.04.B 03.06.05.C

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.

Level 2 — Planned & Tracked

Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.

Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel:
Regularly update incident response strategies to keep current with business needs, technology changes and regulatory requirements.

Level 3 — Well Defined

Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
Regularly update incident response strategies to keep current with business needs, technology changes and regulatory requirements.

Level 4 — Quantitatively Controlled

Incident Response (IR) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.

Assessment Objectives

IRO-04.2_A01 an official to manage the incident response policy / procedures is defined.
IRO-04.2_A02 the frequency at which the current incident response policy / procedures is reviewed / updated is defined.
IRO-04.2_A03 events that would require the current incident response policy / procedures to be reviewed / updated are defined.
IRO-04.2_A04 the current incident response policy / procedures are reviewed / updated organization-defined frequency.
IRO-04.2_A05 the current incident response policy / procedures are reviewed / updated following organization-defined events.
IRO-04.2_A06 the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
IRO-04.2_A07 personnel or roles to whom the incident response policy / procedures is to be disseminated are defined.
IRO-04.2_A08 an incident response policy is developed and documented.
IRO-04.2_A09 the incident response policy is disseminated to organization-defined personnel or roles.
IRO-04.2_A10 incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented.
IRO-04.2_A11 the incident response procedures are disseminated to organization-defined personnel or roles.
IRO-04.2_A12 the organization's incident response policy addresses purpose.
IRO-04.2_A13 the organization's incident response policy addresses scope.
IRO-04.2_A14 the organization's incident response policy addresses roles.
IRO-04.2_A15 the organization's incident response policy addresses responsibilities.
IRO-04.2_A16 the organization's incident response policy addresses management commitment.
IRO-04.2_A17 the organization's incident response policy addresses coordination among organizational entities.
IRO-04.2_A18 the organization's incident response policy addresses compliance.
IRO-04.2_A19 the organization's incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.
IRO-04.2_A20 the organization-defined official is designated to manage the development, documentation, and dissemination of the incident response policy and procedures.

Evidence Requirements

E-IRO-07 IRP Updates: Documented evidence of a periodic review process for the organization's Incident Response Plan (IRP) to identify necessary updates.
Incident Response

IRO-04.2: IRP Update

Capability Maturity Model

Assessment Objectives

Evidence Requirements

Technology Recommendations

Manage this control in SCF Connect