RS.AN-06.325

Does your organization require incident responders and other relevant personnel to maintain immutable records of all actions taken during incident response activities?

Explanation

Maintaining immutable records of incident response actions creates an audit trail that cannot be altered after the fact, ensuring accountability and providing crucial forensic evidence. These records should capture all actions taken by incident responders, system administrators, and cybersecurity engineers during an incident, including system changes, communication logs, and investigative steps. Evidence of compliance could include screenshots or documentation of a tamper-proof logging system, examples of incident response logs with timestamps and user attribution, or written procedures that mandate the use of write-once media or blockchain-based logging solutions for incident documentation.

Implementation Example

Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable.
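One way to make a responder action log tamper-evident, shown as an added example (not code from this page or from NIST): each record carries a timestamp and responder name and is chained to the previous record with an HMAC. The function names, the sample actions and the demo key are constructed for illustration; the example assumes the signing key and the latest head MAC are held off the logging host, for instance on write-once media.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "prev" value used by the first record

def _digest(key, body):
    # Canonical JSON so the same record always yields the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_action(log, key, responder, action, ts=None):
    """Append one responder action, chained to the previous record's MAC."""
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "responder": responder,
        "action": action,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    record = dict(body, mac=_digest(key, body))
    log.append(record)
    return record

def verify_log(log, key, expected_head=None):
    """Return -1 if intact, else the index of the first failing record.
    expected_head is the last MAC as stored off-host; without it,
    removal of trailing records cannot be detected."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec.get("seq") != i or rec.get("prev") != prev:
            return i
        if not hmac.compare_digest(rec.get("mac", ""), _digest(key, body)):
            return i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1

def demo():
    key = b"constructed-demo-key"  # assumption: real key lives in a KMS/HSM
    log = []  # constructed sample actions below
    append_action(log, key, "alice", "Isolated host web-01", "2024-01-01T10:00:00+00:00")
    append_action(log, key, "bob", "Captured memory image", "2024-01-01T10:05:00+00:00")
    head = append_action(log, key, "alice", "Rotated credentials", "2024-01-01T10:20:00+00:00")["mac"]
    edited = [dict(r) for r in log]
    edited[1]["action"] = "No action taken"  # after-the-fact edit
    truncated = log[:2]                       # last record dropped
    return verify_log(log, key, head), verify_log(edited, key, head), verify_log(truncated, key, head)
```

The chain makes edits and deletions detectable rather than impossible; preventing them still depends on where the records, the key and the head MAC are stored.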

ID: RS.AN-06.325

Context

Function: RS: RESPOND
Category: RS.AN: Incident Analysis
Sub-Category: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
