SOC 2 Incident Response (CC7.4)

Overview:
The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Action Items:
1) Create an escalation procedure and publish on the company intranet for employees to access and review.
2) Create an employee disciplinary policy and related procedures and publish on the company intranet for employees to access and review.
3) Create an incident response policy and related procedures and publish on the company intranet for employees to access and review.
4) Inspect the escalation procedure policy to determine that documented escalation procedures for reporting security incidents are in place to guide employees in identifying, reporting, and acting upon system security breaches and other incidents.
5) Inspect the employee disciplinary process to determine that the company has a formal sanctions policy in place that includes disciplinary action up to, and including, dismissal for violating company policies.
6) Inspect the breach notification procedure to determine that the company has implemented a formal breach notification process to notify effected parties in the event of a security breach.
7) Inspect the change control tickets for a sample of security incidents to determine that incidents requiring a change to the system followed the standard change control process for each incident sampled.
8) Inspect the ISMS update agenda to determine that ISMS meetings are held on a monthly basis to discuss the effect of identified security vulnerabilities on the ability to meet business objectives and to identify corrective measures.

Related Documents:
1) Escalation procedure
2) Employee disciplinary policy
3) Incident response policy
4) Change tickets for a sample of changes

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:

1) Assigns Roles and Responsibilities—Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary.
2) Contains Security Incidents—Procedures are in place to contain security incidents that actively threaten entity objectives.
3) Mitigates Ongoing Security Incidents—Procedures are in place to mitigate the effects of ongoing security incidents.
4) Ends Threats Posed by Security Incidents—Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions.
5) Restores Operations—Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives.
6) Develops and Implements Communication Protocols for Security Incidents—Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives.
7) Obtains Understanding of Nature of Incident and Determines Containment Strategy—An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach.
8) Remediates Identified Vulnerabilities—Identified vulnerabilities are remediated through the development and execution of remediation activities.
9) Communicates Remediation Activities—Remediation activities are documented and communicated in accordance with the incident response program.
10) Evaluates the Effectiveness of Incident Response—The design of incident response activities is evaluated for effectiveness on a periodic basis.
11) Periodically Evaluates Incidents—Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes.
12) Communicates Unauthorized Use and Disclosure—Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required.
13) Application of Sanctions—The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements.