ID.RA-08.174
Has your organization formally assigned responsibilities for processing, analyzing, and responding to cybersecurity disclosures from external parties, and do you verify these procedures are being executed?
Explanation
This question assesses whether your organization has established clear ownership for handling cybersecurity information received from external sources such as suppliers, customers, partners, and government agencies. Having defined roles and responsibilities ensures that vulnerability disclosures and threat intelligence are properly processed, impact-analyzed, and responded to in a timely manner rather than being overlooked or handled inconsistently. Evidence could include a documented RACI matrix or responsibility assignment chart specifically for external disclosure handling, job descriptions that explicitly include these duties, or process documentation showing the workflow for handling external security disclosures with named roles. Meeting minutes or audit logs demonstrating regular verification that these procedures are being followed would also serve as supporting evidence.
Implementation Example
Assign responsibilities and verify the execution of procedures for processing, analyzing the impact of, and responding to cybersecurity threat, vulnerability, or incident disclosures by suppliers, customers, partners, and government cybersecurity organizations
ID: ID.RA-08.174
Context
- Function
- ID: IDENTIFY
- Category
- ID.RA: Risk Assessment
- Sub-Category
- Processes for receiving, analyzing, and responding to vulnerability disclosures are established
