Highlights of IS.009 Information Security Incident Management Standard
The Massachusetts Executive Office for Technology Services and Security IS.009 Information Security Incident Management Standard documents the requirements for managing an information security incident, describes the actions to be taken should an incident occur, and details each phase of the incident management life cycle, including identification, investigation, response and remediation. Some of the topics include:
- Incident Identification, Investigation and Analysis (process to define incidents)
- Incident Reporting and Escalation (to ensure timely and effective handling of incidents)
- Information security incident impact rating (High, Medium or Low, based upon the threat)
- Communication protocols (handling information related to an incident including security and confidential information)
- Incident containment and collection of evidence (to investigate and remediate the incident)
- Post-Incident Analysis (to determine the organizational impact and the mitigation steps)
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel] that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.