IRO-10.2: Cyber Incident Reporting for Sensitive / Regulated Data
Mechanisms exist to report sensitive/regulated data incidents in a timely manner.
Control Question: Does the organization report sensitive/regulated data incidents in a timely manner?
General (18)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF6 CC2.3-POF1 CC2.3-POF12 CC7.3-POF2 CC7.3-POF7 CC7.4 CC7.4-POF13 CC7.4-POF6 |
| CIS CSC 8.1 | 17.2 |
| CIS CSC 8.1 IG1 | 17.2 |
| CIS CSC 8.1 IG2 | 17.2 |
| CIS CSC 8.1 IG3 | 17.2 |
| CSA CCM 4 | SEF-07 |
| IMO Maritime Cyber Risk Management | 3.5.5.1 |
| NAIC Insurance Data Security Model Law (MDL-668) | 6.A 6.A(1) 6.A(2) 6.A(2)(a) 6.A(2)(b) 6.A(2)(b)(i) 6.A(2)(b)(ii) 6.B 6.B(1) 6.B(10) 6.B(11) 6.B(12) 6.B(13) 6.B(2) 6.B(3) 6.B(4) 6.B(5) 6.B(6) 6.B(7) 6.B(8) 6.B(9) 6.D(2) 6.E(2)(a) 6.E(2)(b) 6.F |
| NIST AI 600-1 | MG-4.3-003 |
| NIST 800-171 R3 (source) | 03.06.02.b 03.06.02.c |
| NIST 800-171A R3 (source) | A.03.06.02.ODP[02] |
| NIST CSF 2.0 (source) | RS.CO RS.CO-02 RS.CO-03 |
| TISAX ISA 6 | 9.6.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IRO-10.2 |
| SCF CORE ESP Level 1 Foundational | IRO-10.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-10.2 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-10.2 |
| SCF CORE AI Model Deployment | IRO-10.2 |
US (12)
| Framework | Mapping Values |
|---|---|
| US DFARS Cybersecurity 252.204-70xx | 252.204-7012(c)(1)(i) 252.204-7012(c)(1)(ii) 252.204-7012(c)(2) 252.204-7012(c)(3) 252.204-7012(d) 252.204-7012(e) 252.204-7012(f) 252.204-7012(g) |
| US FCA CRM | 609.930(c)(3)(v) |
| US HIPAA Administrative Simplification 2013 (source) | 164.410(a)(1) |
| US HIPAA HICP Medium Practice | 8.M.A 8.M.B |
| US HIPAA HICP Large Practice | 8.M.A 8.M.B |
| US IRS 1075 | 1.8.5 |
| US NERC CIP 2024 (source) | CIP-008-6 4.2 |
| US NNPI (unclass) | 8.2 8.3 |
| US SSA EIESR 8.0 | 5.5 |
| US - CO Colorado Privacy Act | 6-1-1305(2)(b) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.17(a)(1) |
| US - VT Act 171 of 2018 | 2447(b)(10) 2447(b)(10)(A) |
EMEA (9)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 17.1(j) |
| EMEA EU EBA GL/2019/04 | 3.7.5(91) |
| EMEA EU GDPR (source) | 33.1 33.2 33.3(a) 33.3(b) 33.3(c) 33.3(d) 33.4 |
| EMEA EU NIS2 Annex | 3.1.2(b) |
| EMEA Qatar PDPPL | 14 |
| EMEA Saudi Arabia ECC-1 2018 | 2-13-3-3 2-13-3-4 |
| EMEA Saudi Arabia SACS-002 | TPC-23 TPC-89 |
| EMEA Serbia 87/2018 | 52 52.1 52.2 52.3 52.4 |
| EMEA UAE NIAF | 3.3.3 |
APAC (4)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0733 |
| APAC China Privacy Law | 57 57(1) 57(2) 57(3) |
| APAC India SEBI CSCRF | DE.DP.S3 RS.CO.S2 |
| APAC New Zealand NZISM 3.6 | 7.2.18.C.01 7.2.20.C.01 7.2.21.C.01 7.2.23.C.01 7.3.8.C.03 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.06.02.B 03.06.02.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to report sensitive/regulated data incidents in a timely manner.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to report sensitive/regulated data incidents in a timely manner.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Administrative processes and technologies exist to document, manage and report on actual and potential cybersecurity and data privacy incidents.
- Administrative processes and technologies exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
- Administrative processes and technologies exist to report incidents both internally to organizational incident response personnel (within defined time-periods) and externally to governmental authorities and affected parties, as necessary.
- Administrative processes and technologies exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to report sensitive/regulated data incidents in a timely manner.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to report sensitive/regulated data incidents in a timely manner.
Assessment Objectives
- IRO-10.2_A01 sensitive / regulated data incidents are reported in a timely manner.
- IRO-10.2_A02 authorities to whom incident information is to be reported are defined.
Evidence Requirements
- E-IRO-01 Incident Response Program (IRP)
-
Documented evidence of a Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.
Incident Response - E-IRO-11 Incident Reporting Capability
-
Documented evidence of a capability to provide situational awareness of incidents to internal stakeholders and generated necessary reporting to affected clients, applicable third-parties and regulatory authorities.
Incident Response
Technology Recommendations
Micro/Small
- Incident Response Plan (IRP)
Small
- Incident Response Plan (IRP)
Medium
- Integrated Incident Response Program (IIRP)
- Integrated Security Incident Response Team (ISIRT)
Large
- Integrated Incident Response Program (IIRP)
- Integrated Security Incident Response Team (ISIRT)
Enterprise
- Integrated Incident Response Program (IIRP)
- Integrated Security Incident Response Team (ISIRT)