Incident Response Controls

Purpose

Bramble maintains a practiced incident response capability that trains all users on how to recognize and report suspicious security or privacy-related incidents so that trained incident responders can take the appropriate steps to handle incidents, in accordance with an Incident Response Plan (IRP).

Scope

This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting Brmbl.io and its subdomains. This may include third-party systems that support the business of Brmbl.io.

Ownership

• Control Owner = Infrastructure
• Process Owner = Security Operations

Controls

Control Number	Control Title	Control Statement	Goal	TOD	TOE
IRO-01	Incident Response Operations	Bramble Group Corp. has established mechanisms to implement and govern processes and documentation to facilitate an organization-wide response capability for security and privacy-related incidents.	Does the organization facilitate the implementation of incident response controls?	1. Examine processes and documentation used to identify, plan and initiate an organizational wide response for security and privacy related incidents. 2. Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the organization-wide response for security and privacy related incidents. 3. Examine policies and procedures for: Purpose; Scope; Roles and responsibilities; Management commitment; Coordination among organizational entities; Compliance; Implementation requirements; and Annual review and approval.	1. Examine policies, procedures and related documentation for organizational elements associated with the incident response process for security and privacy related incidents. 2. Examine the response plans (business continuity, incident response, disaster recovery etc.) ToD attributes. 3. Pull a population of all security and privacy related incidents that occurred within the examination period. 4. Examine security incidents against evidence of documented and planned remedial activities as outlined in the ToD. 5. Examine a sample set of security incidents for evidence of acknowledgement, evaluation of risk level, documented and planned remedial activities as outlined in the ToD.
IRO-02	Incident Handling	Bramble Group Corp. has established mechanisms to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.	Does incident handling processes cover preparation, detection and analysis, containment, eradication and recovery?	1. Examine processes and documentation used to facilitate the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery of security and privacy related incidents. 2. Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery of security and privacy related incidents.	1. Examine policies, procedures and related documentation for organizational elements associated used to facilitate the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery of security and privacy related incidents. 2. Examine the response plan for evidence of coverage for: Evaluation of event Acknowledgement / response Analyzed for attack target and method Impact Incident threshold Response plan Notification procedures Incident followed associated response plan Incident containment Incident mitigation Recovery activities communicated to internal and external parties as applicable. 3. Pull a population of all security and privacy related incidents that occured within the examination period. 4. Examine security incidents against evidence of documented and planned remedial activities as outlined in step 2. 5. Examine a sample set of security incidents for documented and planned remedial activities as outlined in step 2.
IRO-04	Incident Response Plan (IRP)	Bramble Group Corp. has established mechanisms to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders to address Personal Data (PD) incidents according to applicable laws, regulations and contractual obligations.	Does the organization maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders?	1. Examine the policies, procedures and related documents associated with the Incident Response Plan (IRP). 2. Identify applicable laws, regulations and contractual obligations applicable to the IRP. 3. Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the IRP.	1. Examine the IRP for evidence that applicable laws, regulations and contractual obligations were considered during the annual review and approval. 2. Examine the IRP for evidence of availability to all internal and external stakeholders. 3. Examine the IRP for evidence that the IRP contains processes, procedures and requirements to address Personal Data (PD) incidents according to the applicable laws, regulations and contractual obligations outlined in the ToD.
IRO-07	Integrated Security Incident Response Team (ISIRT)	Bramble Group Corp. has implemented mechanisms to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.	Does the organization establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations?	1. Examine the policies, procedures and related documents associated with the SIRT (Security Incident Response Team), IT and business function representatives responsible for incident response operations. 2. Interview key organizational personnel within Bramble’s SIRT team to discuss high level planning and workflows that support incident response operations.	1. Examine job descriptions and roles and responsibilities of SIRT, IT and business function representatives as they relate to incident response operations. 2. Examine the SIRT, IT and business function representative roles for evidence that roles and responsibilities align with the ability to identify, respond, coordinate with stakeholders, recovery activities are communicated to internal and external parties for security, cybersecurity or privacy incidents.
IRO-09	Situational Awareness For Incidents	Bramble Group Corp. has implemented mechanisms to document, monitor and report the status of cybersecurity and privacy incidents to internal stakeholders all the way through the resolution of the incident.	Does the organization document, monitor and report cybersecurity and privacy incidents?	1: Examine the policies, procedures and related documents associated with the documentation, monitoring and reporting of security, cybersecurity and privacy incidents to internal stakeholders. 2: Interview key organizational personnel within Bramble’s SIRT team to discuss high level planning and workflows that support the documentation, monitoring and reporting of security, cybersecurity and privacy incidents to internal stakeholders.	1: Examine policies, procedures and related documentation for organizational elements associated used to facilitate the documentation, monitoring and reporting of security, cybersecurity and privacy incidents to internal stakeholders. 2: Examine the relevant documentation for evidence of internally available documentation, monitoring and reporting for security, cybersecurity and privacy incident. 3: Pull a population of all security, cybersecurity and privacy related incidents that occurred within the examination period. 4: Examine incidents against evidence of internal documentation, monitoring and reporting and resolution. 5: Examine a sample set of incidents against evidence of internal documentation, monitoring and reporting and resolution.
IRO-10	Incident Stakeholder Reporting	Bramble Group Corp. has implemented mechanisms to report sensitive data incidents and provide security and privacy incident information in a timely manner to applicable: ▪ Internal stakeholders ; ▪ Affected clients & third-parties; ▪ Regulatory authorities ▪ and to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.	Does the organization report incidents: Internally to organizational incident response personnel within organization-defined time-periods; and Externally to regulatory authorities and affected parties, as necessary?	1: Examine the policies, procedures and related documents associated with the documentation and reporting of security, cybersecurity and privacy incidents to: internal stakeholders Affected clients & third parties Regulatory authorities Providers of products and services or organizations involved in the supply chain for system or system components. 2: Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the documentation and reporting of sensitive data, security and privacy incidents.	1: Examine policies, procedures and related documentation for organizational elements used to facilitate the documentation and reporting of sensitive data, security and privacy incidents as outlined in ToD. 2: Pull a population of all sensitive data, security and privacy related incidents that occured within the examination period. 3: Examine incidents for documentation and reporting as outlined in ToD. 4: Examine a sample set of incidents for documentation and reporting requirements as outlined in ToD.
IRO-14	Regulatory & Law Enforcement Contacts	Bramble Group Corp. has implemented mechanisms to maintain incident response contacts with applicable regulatory and law enforcement agencies.	Does the organization maintain incident response contacts with applicable regulatory and law enforcement agencies?	Reference GOV-06 - Contacts With Authorities 1: Examine organizational policies and procedures for requirements of the appropriate contacts within relevant law enforcement and regulatory bodies. 2: Examine policies and procedures for: Purpose; Scope; Roles and responsibilities; Management commitment; Coordination among organizational entities; Compliance; and Implementation requirements	1: Inspect formal policies, procedures or other relevant documentation to support the appropriate identification of contacts within law enforcement and regulatory bodies. 2: Interview key organizational personnel conducting discussions for evidence that mechanisms exist to identify and document in accordance to TOD.

• Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
• Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.

Policy Reference

• Security Incident Response Guide
• Incident Management
• Security Incident Communications Plan
• Infrastructure Incident Communication Plan

Bramble provides a contact method for external parties to:

1. Submit complaints and inquiries

   • Incident Management

   • Security Operations Oncall Guide

   • Support Team function in the handbook

   • Support page contains information to contact the Support team

   • Security Incident Comms Plan

   1. Report incidents
   • Process for engaging security on-call
   • Security operations on-call guide
   • Security Incident Comms Plan
2. Bramble IR Contact information in the Handbook
   • Information on how to contact the Bramble legal team
   • Bramble maintains current contact information for external parties to report Security incidents
   • Bramble maintains an active bug bounty program - WIP
3. Engage
   • Red Team Rules of Engagement - WIP