
SOC 2 Incident Management (CC7.3)

Overview:
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

Action Items:
1) Create an escalation procedure and publish it on the company intranet for employees to access and review.
2) Create an incident response policy and related procedures and publish them on the company intranet for employees to access and review.
3) Inquire of the director of security and engineering operations, or equivalent, regarding security event notifications to determine that security personnel are notified via an internal collaboration platform when security events are identified, and that identified security events are evaluated to determine whether the event resulted in the unauthorized disclosure of confidential information or PII.
4) Inspect the escalation procedure policy to determine that documented escalation procedures for reporting security incidents are in place to guide employees in identifying, reporting, and acting upon system security breaches and other incidents.
5) Inspect the meeting agendas for a sample of months to determine that, for each month sampled, security meetings are held on a monthly basis to discuss the effect of identified security vulnerabilities on the ability to meet business objectives and to identify corrective measures.
6) Inspect the incident management ticketing system to determine that security personnel utilize an incident tracking system to document security violations, responses, and resolution.
7) Inspect the change control tickets for a sample of security incidents to determine that incidents requiring a change to the system followed the standard change control process for each incident sampled.
8) Inspect the internal collaboration tool and a sample of security incident tickets to determine that security personnel are notified via an internal collaboration platform when security events are identified, and that identified security events are evaluated to determine whether the event resulted in the unauthorized disclosure of confidential information or PII.

Related Documents:
1) Escalation procedure
2) Monitoring and alerting configurations
3) Sample of alerts sent to security personnel during security incidents
4) Sample of meeting agendas for recurring security meetings
5) Sample of recent security incident tickets
6) Incident response policy

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:

1) Responds to Security Incidents—Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis.
2) Communicates and Reviews Detected Security Events—Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.
3) Develops and Implements Procedures to Analyze Security Incidents—Procedures are in place to analyze security incidents and determine system impact.
4) Assesses the Impact on Personal Information—Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.
5) Determines Personal Information Used or Disclosed—When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.