Does your organization have documented procedures for notifying business partners and customers of security incidents in accordance with contractual obligations?
Explanation
This question concerns incident notification to partners: whether you have documented procedures for informing business partners and customers of security incidents in line with your contractual obligations. Clear notification procedures help maintain trust, enable affected parties to take appropriate action, and demonstrate compliance with legal and contractual obligations.
Evidence could include an incident response plan with specific sections on external communications, notification templates, a communication matrix showing which stakeholders should be notified for different incident types, and records of previous notifications that demonstrate adherence to contractual timeframes.
Implementation Example
Notify business partners and customers of incidents in accordance with contractual requirements
ID: RS.CO-02.331
Context
- Function: RS: RESPOND
- Category: RS.CO: Incident Response Reporting and Communication
- Sub-Category: Internal and external stakeholders are notified of incidents
Related questions
- Do personnel understand their specific roles, responsibilities, and the order of operations during a security incident response?
- Does your organization have documented breach notification procedures that include a process for notifying affected customers in the event of a data breach?
- Does your organization have documented procedures for notifying law enforcement and regulatory bodies of security incidents that include specific notification criteria and required management approvals?
- Does your organization have documented processes for securely sharing information during incident response that align with established information sharing agreements?
- Does your organization voluntarily share information about observed threat actor tactics, techniques, and procedures (TTPs) with an Information Sharing and Analysis Center (ISAC) or similar industry group after removing sensitive data?
- Does your organization have a documented process for notifying HR when malicious insider activity is detected?