Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.  Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.  [SP 800-6] provides guidance on incident handling.

Priority: High  

Category: Incident Response Operations 

Services Associated with AWS:   

  • AWS Security Hub, AWS Incident Manager 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing incident response roles
  • Administrative: Incident Response Plan (IRP) practices that cover all phases of incident response operations 

Possible Technology Considerations : 

  • Incident Response Plan (IRP) 

What needs to be answered :  

Is there a company incident response policy which specifically outlines requirements for tracking and reporting of incidents involving CUI to appropriate officials? Are security incidents related to industrial control systems security incidents and cybersecurity incident information promptly reported to company management and authorities within a defined time period? 

  • Incident Tracking, Documentation, and Reporting
    Description: This check ensures that organizations have established processes to track, document, and report system security incidents to designated officials and/or authorities both internal and external to the organization. The processes include maintaining incident records, evaluating incident details, and adhering to incident reporting requirements.

More Details:  

Incident reporting and response documented throughout resolution process and retained indefinitely