SEF-07: Security Breach Notification

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set and incorporates the following items from the previous version: SEF-04: Incident Response Legal Preparation, STA-05: Supply Chain Agreements.

Control Statement

Define and implement processes, procedures, and technical measures for security breach notifications. Report security breaches and suspected security breaches, including any relevant supply chain breaches, in accordance with applicable SLAs, laws, and regulations.

Implementation Guidance

Security breach notification processes and procedures should reflect the legal and regulatory requirements that may apply based on the types of data processed, the organization's geography, the customers' geography, and similar factors. Organizational procedures should also reflect contractual commitments to customers and partners regarding breach notifications. Security breach governance should include documented procedures and instructions, as well as training to familiarize personnel with their respective roles and responsibilities. Information security breaches should be reported accurately and promptly to affected and relevant parties through predefined communication channels, in line with applicable legal, statutory, and regulatory obligations. Notifications should clearly describe the event that occurred and its result, and identify any required or recommended actions for the affected parties. Where applicable, notifications should be sent to relevant parties in a timely manner.

Auditing Guidance

  1. Examine the policy for adequacy, approval, communication, and effectiveness as applicable to the planning, delivery, and support of the organization's Security Breach Notification management.
  2. Verify that there is a formal program documenting the breach notification requirements for all regulatory or contractual domains to which the organization asserts adherence.
  3. Verify that there is a periodic awareness program ensuring that everyone involved in information security incident response is aware of the procedures associated with their roles, responsibilities, and authorities.
  4. Determine whether the organization has established breach notification Time Objectives for information security breaches that meet the minimum expectations of the applicable regulations, and verify that those time objectives are reflected in all internal and external service level expectations.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.