Does your organization coordinate incident response activities with all relevant stakeholders in accordance with your documented incident response plan?
Explanation
Effective incident response requires timely communication and coordination with appropriate stakeholders such as executive leadership, legal counsel, IT teams, affected business units, customers, and potentially regulatory bodies or law enforcement.
This coordination should follow predefined protocols established in your incident response plan to ensure consistent handling of incidents and appropriate information sharing based on stakeholder roles and responsibilities.
Evidence of fulfillment could include documentation of stakeholder communication templates, incident response playbooks showing communication workflows, records of past incident communications, or after-action reports demonstrating how stakeholder coordination occurred during actual incidents.
Context
- Function
  - RS: RESPOND
- Category
  - RS.CO: Incident Response Reporting and Communication
- Sub-Category
  - Coordination with stakeholders occurs consistent with response plans
Related questions
- Do personnel understand their specific roles, responsibilities, and the order of operations during a security incident response?
- Does your organization have documented breach notification procedures that include a process for notifying affected customers in the event of a data breach?
- Does your organization have documented procedures for notifying business partners and customers of security incidents in accordance with contractual obligations?
- Does your organization have documented procedures for notifying law enforcement and regulatory bodies of security incidents that include specific notification criteria and required management approvals?
- Does your organization have documented processes for securely sharing information during incident response that align with established information sharing agreements?
- Does your organization voluntarily share information about observed threat actor tactics, techniques, and procedures (TTPs) with an Information Sharing and Analysis Center (ISAC) or similar industry group after removing sensitive data?

