SOC 2 Incident Recovery (CC7.5)
Overview:
The entity identifies, develops, and implements activities to recover from identified security incidents.
Action Items:
1) Create an escalation procedure and publish on the company intranet for employees to access and review.
2) Create an incident response policy and related procedures and publish on the company intranet for employees to access and review.
3) Inspect the escalation procedure policy to determine that documented escalation procedures for reporting security incidents are in place to guide employees in identifying, reporting, and acting upon system security breaches and other incidents.
4) Inspect the post-mortem reports for a sample of security incidents during the review period to determine that engineering personnel completed incident post-mortem reports upon system outages that include the incident and impact analysis, resolutions, lessons learned, and action items for each security incident sampled.
5) Inspect the ISMS update agenda to determine that ISMS meetings are held on a monthly basis to discuss the effect of identified security vulnerabilities on the ability to meet business objectives and to identify corrective measures.
6) Inspect the change control tickets for a sample of security incidents to determine that corrective measures or changes that occurred as a result of incidents and identified deficiencies followed the standard change control process.
Related Documents:
1) Escalation procedure
2) Incident response policy
3) Post-mortem reports for a sample of security incidents
4) Change tickets for a sample of changes

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Restores the Affected Environment—The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed.
2) Communicates Information About the Event—Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external).
3) Determines Root Cause of the Event—The root cause of the event is determined.
4) Implements Changes to Prevent and Detect Recurrences—Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis.
5) Improves Response and Recovery Procedures—Lessons learned are analyzed, and the incident response plan and recovery procedures are improved.
6) Implements Incident Recovery Plan Testing—Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.
Article ID: 245
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-incident-recovery-cc7-5-245.html