RS.CO-03: Information is shared with designated internal and external stakeholders

[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

Key to example tags:

1st: 1st Party Risk

3rd: 3rd Party Risk

Ex1: Securely share information consistent with response plans and information sharing agreements

Ex2: Voluntarily share information about an attacker's observed TTPs, with all sensitive data removed, with an Information Sharing and Analysis Center (ISAC)

Ex3: Notify HR when malicious insider activity occurs

Ex4: Regularly update senior leadership on the status of major incidents

Ex5: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers

Ex6: Coordinate crisis communication methods between the organization and its critical suppliers