17.6
IG2 IG3

Define Mechanisms for Communicating During Incident Response

Asset Type: N/A
Security Function: Respond

Description

Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Develop the incident response plan, response procedures and playbooks.
2. Assign response roles and responsibilities, define escalation paths, and record the primary and secondary communication channel for each role. The secondary channel must not depend on the same systems as the primary (a chat platform behind the same identity provider as corporate email is not out-of-band).
3. Establish response timeframes and SLAs.
4. Test response procedures through a tabletop or simulation exercise, including a scenario in which the primary channel is unavailable or untrusted.
5. Establish a post-incident review process; document lessons learned and update the procedures and the channel list.
6. Configure email authentication (SPF, DKIM, DMARC).
7. Deploy an email security gateway with filtering.
8. Configure attachment and URL scanning.

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Communication Blackout During Email System Compromise

Availability

An attacker compromises the email system during a breach, and the incident response team cannot coordinate because email was the only planned communication channel and no secondary mechanism was defined.

Sensitive Incident Details Leaked Through Insecure Channel

Confidentiality

Incident responders discuss sensitive breach details over an unsecured communication channel because no predefined secure mechanisms were established, and the attacker monitors the communications.

Vulnerabilities (When Safeguard Absent)

No Defined Communication Mechanisms for Incident Response

Without predefined primary and secondary communication channels, incident response teams have no reliable way to coordinate when standard communication systems are compromised or unavailable.

No Out-of-Band Communication Capability

Absence of a secondary communication mechanism leaves a single point of failure: if the primary channel is compromised or disrupted during an incident, coordination collapses. A nominal secondary that shares infrastructure with the primary (the same identity provider, the same mail or chat platform) is not out-of-band and fails with it.
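The two scenarios above can be checked mechanically against a written communication plan. The following is an added example, not a CIS artifact: a small validator that flags roles with no secondary channel, roles whose primary and secondary depend on the same systems (so one compromise silences both), and roles with no channel fit for sensitive incident detail. The plan format, the dependency labels and both sample plans are assumptions constructed for this illustration.

```python
"""Validate an incident-response communication plan against the failure modes
described on the page: no out-of-band secondary channel, and no confidential
channel for sensitive detail. Added example; the plan format, dependency labels
and sample plans are constructed assumptions, not real enterprise data."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Channel:
    name: str
    tier: str                   # "primary" or "secondary"
    depends_on: FrozenSet[str]  # systems that must be up and trustworthy for this channel to work
    confidential: bool          # True only if end-to-end encrypted and not hosted on in-scope systems


def validate_plan(plan: Dict[str, List[Channel]]) -> Dict[str, List[str]]:
    """Return {role: [finding codes]} for every role whose channels violate the safeguard."""
    findings: Dict[str, List[str]] = {}
    for role, channels in plan.items():
        issues: List[str] = []
        primaries = [c for c in channels if c.tier == "primary"]
        secondaries = [c for c in channels if c.tier == "secondary"]
        if not primaries:
            issues.append("no-primary")
        if not secondaries:
            issues.append("no-secondary")
        # Out-of-band test: at least one primary/secondary pair must share no dependency,
        # otherwise a single compromised system (e.g. the identity provider) takes both down.
        if primaries and secondaries and not any(
            p.depends_on.isdisjoint(s.depends_on) for p in primaries for s in secondaries
        ):
            issues.append("no-out-of-band-pair")
        # Confidentiality test: sensitive breach detail needs a channel the attacker
        # who owns the enterprise systems cannot read.
        if not any(c.confidential for c in channels):
            issues.append("no-confidential-channel")
        if issues:
            findings[role] = issues
    return findings


# Constructed sample channels; dependency labels are illustrative.
CORP_EMAIL = Channel("corporate email", "primary",
                     frozenset({"corporate-identity", "corporate-email"}), False)
CORP_CHAT = Channel("corporate chat", "secondary", frozenset({"corporate-identity"}), False)
SIGNAL_GROUP = Channel("Signal group on personal phones", "secondary",
                       frozenset({"cellular", "personal-devices"}), True)
CONF_BRIDGE = Channel("vendor conference bridge (PSTN dial-in)", "secondary",
                      frozenset({"pstn"}), False)

WEAK_PLAN = {
    "incident-commander": [CORP_EMAIL],          # email only: the blackout scenario
    "comms-lead": [CORP_EMAIL, CORP_CHAT],       # both fall with the identity provider
}
FIXED_PLAN = {
    "incident-commander": [CORP_EMAIL, SIGNAL_GROUP],
    "comms-lead": [CORP_EMAIL, CONF_BRIDGE, SIGNAL_GROUP],
}


if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("fixed", FIXED_PLAN)):
        print(label, validate_plan(plan) or "OK")
```

The dependency sets are the part worth maintaining: the check is only as good as the honesty of the `depends_on` labels, so a channel hosted on the enterprise identity provider should list it even when the product is branded as something else.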

Evidence Requirements

Type      | Evidence Item                                                  | Collection Frequency
----------|----------------------------------------------------------------|---------------------
Document  | Response procedure/playbook documentation                      | Reviewed bi-annually
Record    | Response action logs showing procedure execution               | Per incident
Document  | Incident response plan and playbooks                           | Reviewed bi-annually
Record    | Incident reports and post-incident review documentation        | Per incident
Technical | Email security configuration (SPF, DKIM, DMARC records)        | Verified quarterly
Document  | Governing policy document (current, approved, communicated)    | Reviewed annually
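The quarterly verification of the SPF, DKIM and DMARC records (evidence row above, checklist item on email authentication) is easy to automate once the TXT records are in hand. The following is an added example, not CIS tooling: a linter for the record text that flags the weak settings a reviewer would look for (a permissive `all` in SPF, `p=none` or a partial `pct` in DMARC, a revoked or test-mode DKIM key). Fetching the records (for example with `dig TXT`) is left to the caller; every record below is constructed for a hypothetical example.com, and the DKIM `p` value is a placeholder, not a real key.

```python
"""Lint SPF, DKIM and DMARC TXT record text for weak settings. Added example;
the records below are constructed and the DKIM key is a placeholder. The caller
supplies record text obtained from DNS (e.g. `dig TXT _dmarc.example.com`)."""

from typing import Dict, List

MESSAGES = {
    "spf-not-spf": "record does not start with v=spf1",
    "spf-no-all": "no 'all' mechanism: unlisted senders get a neutral result",
    "spf-plus-all": "'+all' (or bare 'all') passes every sender",
    "spf-neutral-all": "'?all' makes unlisted senders neutral",
    "spf-lookup-limit": "more than 10 DNS-querying terms: evaluators return permerror",
    "dmarc-not-dmarc": "record does not declare v=DMARC1",
    "dmarc-missing-p": "required 'p' tag is missing",
    "dmarc-p-none": "p=none only monitors; spoofed mail is still delivered",
    "dmarc-sp-none": "sp=none leaves subdomains unenforced",
    "dmarc-partial-pct": "pct below 100 applies the policy to a sample of mail only",
    "dmarc-no-rua": "no rua address: aggregate reports are not collected",
    "dkim-empty-key": "empty 'p' tag: the selector's key is revoked",
    "dkim-test-mode": "t=y: verifiers treat signatures from this selector as testing only",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf-not-spf"]
    issues: List[str] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            lookups += 1
            continue
        qualifier = t[0] if t[0] in "+-~?" else "+"   # no qualifier means pass
        mechanism = t.lstrip("+-~?").split(":")[0].split("/")[0]
        if mechanism in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
        if mechanism == "all" and all_qualifier is None:  # terms after 'all' are ignored
            all_qualifier = qualifier
    if all_qualifier is None:
        issues.append("spf-no-all")
    elif all_qualifier == "+":
        issues.append("spf-plus-all")
    elif all_qualifier == "?":
        issues.append("spf-neutral-all")
    if lookups > 10:
        issues.append("spf-lookup-limit")
    return issues


def check_dmarc(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc-not-dmarc"]
    issues: List[str] = []
    policy = tags.get("p", "").lower()
    if not policy:
        issues.append("dmarc-missing-p")
    elif policy == "none":
        issues.append("dmarc-p-none")
    if tags.get("sp", "").lower() == "none":
        issues.append("dmarc-sp-none")
    if tags.get("pct", "100") != "100":
        issues.append("dmarc-partial-pct")
    if not tags.get("rua"):
        issues.append("dmarc-no-rua")
    return issues


def check_dkim(record: str) -> List[str]:
    tags = parse_tags(record)
    issues: List[str] = []
    if not tags.get("p"):
        issues.append("dkim-empty-key")
    if "y" in tags.get("t", "").lower().split(":"):
        issues.append("dkim-test-mode")
    return issues


def audit(records: Dict[str, str]) -> Dict[str, List[str]]:
    """records maps 'spf' / 'dmarc' / 'dkim' to TXT record text; returns finding codes per record."""
    checks = {"spf": check_spf, "dmarc": check_dmarc, "dkim": check_dkim}
    return {kind: checks[kind](text) for kind, text in records.items() if kind in checks}


# Constructed records for a hypothetical example.com; "QUJD" is a placeholder, not a real key.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net a mx +all",
    "dmarc": "v=DMARC1; p=none; pct=10",
    "dkim": "v=DKIM1; k=rsa; t=y; p=QUJD",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com",
    "dkim": "v=DKIM1; k=rsa; p=QUJD",
}

if __name__ == "__main__":
    for kind, codes in audit(WEAK_RECORDS).items():
        print(kind, [MESSAGES[c] for c in codes])
```

The linter deliberately treats `~all` (softfail) as acceptable, because a DMARC policy of `quarantine` or `reject` is what actually enforces the result; it does not parse the DKIM key itself, so key length and algorithm still need a separate check.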

Related Policy Templates