10.8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
• Restoring security functions
• Identifying and documenting the duration (date and time start to end) of the security failure
• Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine whether further actions are required as a result of the security failure
• Implementing controls to prevent cause of failure from reoccurring
• Resuming monitoring of security controls
10.8.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include:
• Restoring security functions
• Identifying and documenting the duration (date and time start to end) of the security failure
• Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine whether further actions are required as a result of the security failure
• Implementing controls to prevent cause of failure from reoccurring
• Resuming monitoring of security controls
10.8.1.b Examine records to verify that security control failures are documented to include:
• Identification of cause(s) of the failure, including root cause
• Duration (date and time start and end) of the security failure
• Details of the remediation required to address the root cause

Note: This requirement applies only when the entity being assessed is a service provider.

If alerts of critical security control failures are not responded to quickly and effectively, attackers may use this window to insert malicious software, gain control of a system, or steal data from the entity’s environment.
Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence.