Incident response reporting and communication (RS.CO)
This control family is all about getting the word out when an incident strikes. Internal stakeholders are not the only ones you will have to notify: you will also need to notify external stakeholders and possibly regulatory bodies. States and the federal government have breach notification laws that require you to notify those affected by a certain date or within a certain time limit. That deadline could be anywhere from one day to one month after you determine whether the incident was a breach or not.
RS.CO-02
Your policies and procedures should state if and when you notify others of a data breach or other adverse event that has affected your company. There should be thresholds that dictate whom to notify, and when, after an event has occurred. There also needs to be a determination of whether the event affected others and whether it is considered a breach of confidential information...