Incident Response
Verify an Incident Response Plan exists.
Understand which relevant risks exist and whether those risks are considered as part of the plan.
Ensure the plan clearly identifies CSC versus CSP responsibilities. Understand whether RACI (responsible, accountable, consulted, informed) documentation is available within the plan.
Ensure the plan outlines a communication path between the CSC and CSP.
Verify that the Incident Response Plan undergoes a periodic review and changes related to CSP are made, as needed.
Note whether the Incident Response Plan has notification procedures and how the CSC addresses responsibility for losses associated with attacks or intrusions that impact the CSC.
Ensure the CSC's RTO (recovery time objective) and RPO (recovery point objective) are reflected in the incident response plan.
Ensure the CSC is leveraging existing incident monitoring tools, as well as CSP available tools to monitor the use of CSP services.
Understand the CSC's definition of an incident that affects the risk of its cloud-hosted assets. Ask for the definition of the communication escalation path. It can be the same as the on-premises path, but understanding the hand-offs is important because the technology can differ in the cloud. Evaluate the process for incident closure/resolution.
Understand what is in the CSP SLA for the following:
Understand when a CSP is required to contact a CSC and when the CSC is required to contact their CSP.
Understand how incidents are identified. Ensure the right level of precision/prioritization is being applied so that the right incidents are communicated.
Understand the responsibility to mitigate a breach, the level of detail provided, and mechanisms in place that can be leveraged to monitor and evaluate a breach.
Understand whether the CSP has reported any incidents to the CSC.
Understand the mechanism by which the CSC gains confidence in the accuracy and completeness of the reporting coming from the CSP. Example questions:
How do you know that you are being informed of all of those incidents?
How confident are you?
Best-practice answer: those reporting outputs are covered in the CSP's attestation report(s), which are listed by name.
Identify active points of contact at both the CSP and CSC.