IRO-14: Regulatory & Law Enforcement Contacts
Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Control Question: Does the organization maintain incident response contacts with applicable regulatory and law enforcement agencies?
General (26)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.3 CC7.4 |
| COSO 2017 | Principle 15 |
| CSA CCM 4 | SEF-08 |
| GovRAMP Core | IR-06 |
| GovRAMP Low | IR-06 |
| GovRAMP Low+ | IR-06 |
| GovRAMP Moderate | IR-06 |
| GovRAMP High | IR-06 |
| NIST 800-53 R4 | IR-6 |
| NIST 800-53 R4 (low) | IR-6 |
| NIST 800-53 R4 (moderate) | IR-6 |
| NIST 800-53 R4 (high) | IR-6 |
| NIST 800-53 R5 (source) | IR-6 |
| NIST 800-53B R5 (privacy) (source) | IR-6 |
| NIST 800-53B R5 (low) (source) | IR-6 |
| NIST 800-53B R5 (moderate) (source) | IR-6 |
| NIST 800-53B R5 (high) (source) | IR-6 |
| NIST 800-82 R3 LOW OT Overlay | IR-6 |
| NIST 800-82 R3 MODERATE OT Overlay | IR-6 |
| NIST 800-82 R3 HIGH OT Overlay | IR-6 |
| NIST 800-161 R1 | IR-6 |
| NIST 800-171 R3 (source) | 03.06.02.c |
| NIST 800-171A R3 (source) | A.03.06.02.ODP[02] |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IRO-14 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-14 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-14 |
US (20)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | IMC:SG2.SP1 |
| US CJIS Security Policy 5.9.3 (source) | IR-6 |
| US CMS MARS-E 2.0 | IR-6 |
| US FedRAMP R4 | IR-6 |
| US FedRAMP R4 (low) | IR-6 |
| US FedRAMP R4 (moderate) | IR-6 |
| US FedRAMP R4 (high) | IR-6 |
| US FedRAMP R4 (LI-SaaS) | IR-6 |
| US FedRAMP R5 (source) | IR-6 |
| US FedRAMP R5 (low) (source) | IR-6 |
| US FedRAMP R5 (moderate) (source) | IR-6 |
| US FedRAMP R5 (high) (source) | IR-6 |
| US FedRAMP R5 (LI-SaaS) (source) | IR-6 |
| US HIPAA HICP Medium Practice | 8.M.C |
| US HIPAA HICP Large Practice | 8.M.C 8.L.B 9.L.D |
| US IRS 1075 | IR-6 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.17(a)(1) |
| US - TX DIR Control Standards 2.0 | IR-6 |
| US - TX TX-RAMP Level 1 | IR-6 |
| US - TX TX-RAMP Level 2 | IR-6 |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.7.5(91) |
| EMEA Austria | Sec 10 |
APAC (4)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0140 |
| APAC Malaysia | 9 |
| APAC New Zealand NZISM 3.6 | 2.1.10.C.01 |
| APAC Singapore | 11 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Argentina PPL | 26 |
| Americas Canada ITSP-10-171 | 03.06.02.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Administrative processes and technologies exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
- Administrative processes and technologies exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 4 — Quantitatively Controlled
Incident Response (IR) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Assessment Objectives
- IRO-14_A01 time period for personnel to report suspected incidents to the organizational incident response capability is defined.
- IRO-14_A02 authorities to whom incident information is to be reported are defined.
- IRO-14_A03 personnel are required to report suspected incidents to the organizational incident response capability within an organization-defined time period.
- IRO-14_A04 incident information is reported to authorities.