SEF-01: Security Incident Management Policy and Procedures


Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, SEF-02: Incident Management.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.

Implementation Guidance

Management-approved policies and procedures for organizations and personnel who manage incidents should incorporate clearly defined roles and responsibilities, including guidelines on managing the “chain of custody” for forensic evidence collected from affected systems, devices, cloud services, applications, and personnel. These policies, procedures, and supporting systems should result in legally admissible evidence. Policies should require establishing a core, qualified, and standing incident response team that has the capability to assess, respond, learn, and communicate appropriately. Appropriate reporting standards and procedures shall include lessons learned and key performance indicators (KPIs); these should be defined and implemented for both incident response processes and incident response training. Appropriate information should be shared with affected third parties (including customers) promptly.

Auditing Guidance

  1. Examine policy for adequacy, approval, communication, and effectiveness as applicable to planning, delivery and support of the organization’s Security Incident Management, E-Discovery and Cloud Forensics.
  2. Examine policy and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.