Does your organization require incident responders and other relevant personnel to maintain immutable records of all actions taken during incident response activities?
Explanation
Maintaining immutable records of incident response actions creates an audit trail that cannot be altered after the fact, ensuring accountability and providing crucial forensic evidence. These records should capture all actions taken by incident responders, system administrators, and cybersecurity engineers during an incident, including system changes, communication logs, and investigative steps.
Evidence of compliance could include screenshots or documentation of a tamper-proof logging system, examples of incident response logs with timestamps and user attribution, or written procedures that mandate the use of write-once media or blockchain-based logging solutions for incident documentation.
Implementation Example
Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable.
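As an added illustration of what a tamper-evident action record can look like (example code written for this page, not part of the questionnaire or of any referenced product): every recorded action carries a timestamp and the responder's identity and is chained to the previous entry by a SHA-256 hash, so an after-the-fact edit breaks verification, and comparing against a head hash anchored outside the log (the write-once media the explanation mentions is assumed as that anchor) also exposes silent removal of the newest entries. The responder names, timestamps and actions are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def entry_hash(seq, timestamp, actor, action, prev_hash):
    """SHA-256 over a canonical JSON encoding of one entry's fields."""
    payload = json.dumps([seq, timestamp, actor, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class ActionLog:
    def __init__(self):
        self.entries = []  # append-only; each entry commits to the previous one

    def append(self, timestamp, actor, action):
        """Record one action (timestamp: ISO 8601 string from a trusted clock)."""
        seq, prev = len(self.entries), (self.entries[-1]["hash"] if self.entries else GENESIS)
        h = entry_hash(seq, timestamp, actor, action, prev)
        self.entries.append({"seq": seq, "timestamp": timestamp, "actor": actor,
                             "action": action, "prev_hash": prev, "hash": h})
        return h  # current head hash; anchor it outside the log (e.g. write-once media)

    def verify(self, expected_head=None):
        """(True, None) if intact, else (False, index of the first bad entry).
        Comparing against an externally anchored head hash also catches
        silent removal of the newest entries, which chaining alone cannot."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            ok = (e["seq"] == i and e["prev_hash"] == prev and e["hash"] ==
                  entry_hash(e["seq"], e["timestamp"], e["actor"], e["action"], e["prev_hash"]))
            if not ok:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

def demo():
    """Constructed sample: three recorded actions, then two tampering attempts."""
    log = ActionLog()
    log.append("2024-05-01T10:02:00Z", "responder-a", "isolated host ws-17 from the network")
    log.append("2024-05-01T10:05:30Z", "sysadmin-b", "collected memory image of ws-17")
    head = log.append("2024-05-01T10:11:45Z", "responder-a", "disabled account jdoe")
    intact = log.verify(head)
    log.entries.pop()                        # newest entry silently removed
    truncated = log.verify(head)             # only the anchored head reveals this
    log.entries[1]["actor"] = "responder-a"  # attribution rewritten after the fact
    edited = log.verify()                    # the chain itself reveals this
    return intact, truncated, edited
```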
ID: RS.AN-06.325
Context
- Function: RS: RESPOND
- Category: RS.AN: Incident Analysis
- Sub-Category: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?