RS.CO-02.332

Does your organization have documented procedures for notifying law enforcement and regulatory bodies of security incidents that include specific notification criteria and required management approvals?

Explanation

This question assesses whether your organization has formalized when and how to engage external authorities during security incidents. Proper notification procedures ensure timely reporting to law enforcement and regulatory bodies when legally required or when external assistance is needed, while ensuring appropriate management oversight of these communications. Evidence could include a section of your incident response plan that outlines notification thresholds (e.g., data breach size, incident type, regulatory requirements), the approval chain required before external notification, contact information for relevant authorities, and documentation templates for different types of notifications.

Implementation Example

Notify law enforcement agencies and regulatory bodies of incidents based on criteria in the incident response plan and management approval

ID: RS.CO-02.332

Context

Function: RS: RESPOND
Category: RS.CO: Incident Response Reporting and Communication
Sub-Category: Internal and external stakeholders are notified of incidents

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub