Establish and Maintain Contact Information for Reporting Security Incidents
Description
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up to date.
Tool Recommendations
Security orchestration, automation, and response platform with playbook automation and case management
Palo Alto Networks · Enterprise subscription
Security orchestration and automated response platform with playbooks, case management, and 350+ integrations
Cisco (Splunk) · Event-based subscription
Security incident response and vulnerability response with orchestration, workflow automation, and CMDB integration
ServiceNow · Enterprise subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Regulatory Notification Deadline Missed After Breach
Integrity: After a data breach, the organization fails to notify required regulatory agencies within mandated timeframes because no maintained contact list exists for incident reporting parties.
Cyber Insurance Claim Denied Due to Late Notification
Availability: The organization's cyber insurance claim is denied because the insurer was not notified within the required timeframe, as the insurance provider's incident contact information was not readily available.
Law Enforcement Engagement Delayed During Active Attack
Availability: During an active ransomware attack, critical hours are lost trying to identify the correct law enforcement contacts because no pre-established contact list exists for security incident reporting.
Vulnerabilities (When Safeguard Absent)
No Maintained Contact List for Incident Reporting
Without a current list of incident reporting contacts including regulators, law enforcement, insurers, and partners, critical notifications are delayed or missed during the time-sensitive incident response phase.
Outdated Contact Information for Key Stakeholders
Absence of annual contact verification means that during an incident, the organization may attempt to reach stakeholders at outdated phone numbers or email addresses, causing communication failures.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |