| 4.1.1 | RS.RP-1: Is a valid response plan executed in case of an event? | LOW | · COBIT 5 BAI01.10 · CCS CSC 18 · ISA 62443-2-1:2009 4.3.4.5.1 · ISO/IEC 27001:2013 A.16.1.5 · NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8 | Cloud Provider/ Administrator/ | Sub Metric | Met4.1.1 |
| 4.2 | Communications (4.2): Response activities are coordinated with the SME, to include external support from law enforcement agencies if applicable. |
|
|
| Metric | Met4.2 |
| 4.2.1 | RS.CO-1: Do all the staff of the SME know their roles and directive of procedures when a response is required? | LOW | · ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4 · ISO/IEC 27001:2013 A.6.1.1, A.16.1.1 · NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8 | Cloud Provider | Sub Metric | Met4.2.1 |
| 4.2.2 | RS.CO-2: Are all events reported in accordance with the established criteria? | LOW | · ISA 62443-2-1:2009 4.3.4.5.5 · ISO/IEC 27001:2013 A.6.1.3, A.16.1.2 · NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8 | Cloud Provider/ Administrator | Sub Metric | Met4.2.2 |
| 4.2.3 | RS.CO-3: Is information shared between the SME and the cloud provider in accordance with response plans? | LOW | · ISA 62443-2-1:2009 4.3.4.5.2 · ISO/IEC 27001:2013 A.16.1.2 · NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4 | Cloud Provider/ Administrator | Sub Metric | Met4.2.3 |
| 4.2.4 | RS.CO-4: Coordination between the SME and the cloud provider occurs in accordance to the response plans? | LOW | · ISA 62443-2-1:2009 4.3.4.5.5 · NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 | Cloud Provider/ Administrator | Sub Metric | Met4.2.4 |
| 4.3 | Analysis (4.3): Proper analysis is done to confirm sufficient response and recovery |undertakings. |
|
|
| Metric | Met4.3 |
| 4.3.1 | RS.AN-1: Are notifications from detection systems investigated appropriately by the cloud providers and administrators? | LOW | · COBIT 5 DSS02.07 · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 · ISA 62443-3-3:2013 SR 6.1 · ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5 · NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4 | Cloud Provider/ Administrator/ Logging | Sub Metric | Met4.3.1 |
| 4.3.2 | RS.AN-2: Is the impact of any potential incident understood by the SME? | MEDIUM | · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 · ISO/IEC 27001:2013 A.16.1.6 · NIST SP 800-53 Rev. 4 CP-2, IR-4 | Users/ Administrator/SME Owners | Sub Metric | Met4.3.2 |
| 4.3.3 | RS.AN-3: Are forensics for any potential security incident performed? | LOW | · ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR · 2.12, SR 3.9, SR 6.1 · ISO/IEC 27001:2013 A.16.1.7 · NIST SP 800-53 Rev. 4 AU-7, IR-4 | Cloud Provider | Sub Metric | Met4.3.3 |
| 4.3.4 | RS.AN-4: Are incidents categorised based on the response plans? | LOW | · ISA 62443-2-1:2009 4.3.4.5.6 · ISO/IEC 27001:2013 A.16.1.4 · NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8 | Cloud Provider | Sub Metric | Met4.3.4 |