IR-01: Monthly Incident Review

Control Description

On a monthly basis, closed incidents, including those addressing system security, availability, confidentiality, processing integrity, and/or privacy (update as applicable), are reviewed for appropriate resolution.

Plain Meaning

This control requires organizations to conduct monthly reviews of all closed security, availability, confidentiality, processing integrity, and privacy incidents to ensure they were properly resolved and that appropriate corrective actions were taken.

Implementation

Incident Review Process

Review Requirements

• Monthly review of all closed incidents
• Verification of resolution completeness
• Assessment of corrective actions
• Documentation of review findings
• Follow-up on incomplete resolutions

Incident Categories to Review

• System security incidents
• Availability incidents
• Confidentiality breaches
• Processing integrity issues
• Privacy violations

Key Success Factors

1. Regular Reviews: Monthly review of all closed incidents
2. Comprehensive Coverage: Review all incident categories
3. Resolution Verification: Ensure incidents were properly resolved
4. Documentation: Maintain detailed review records
5. Follow-up: Address incomplete resolutions

Common Pitfalls to Avoid

• No Reviews: Missing monthly review schedule
• Incomplete Reviews: Not reviewing all incident categories
• No Verification: Not checking resolution quality
• No Follow-up: Not addressing incomplete resolutions

Related Controls

Incident Response

• IR-02: Incident Management Process: Incident management procedures and workflows
• PP-19: Incident Reporting Mechanisms: Incident reporting procedures and escalation

Monitoring and Logging

• COM-02: Centralized Logging Solution: Log collection for incident analysis
• COM-04: Log Monitoring and Alerting: Automated incident detection
• COM-10: Security Event Monitoring: Security event detection and response

Access Management

• LS-04: Access Authorization: Access controls during incidents
• LS-05: Access Review: Post-incident access reviews
• LS-07: Privileged Access Management: Privileged access during incidents

Change Management

• CM-1: Source Code Access Review: Code access during security incidents
• CM-3: Change Authorization: Emergency change procedures
• CM-4: Change Testing: Incident response testing

Risk Assessment

• RA-01: Internal Control Audits: Post-incident control assessments
• RA-02: Risk Assessment Procedures: Incident risk evaluation
• RA-03: Third-Party Risk Assessment: Third-party incident assessment

Error Monitoring and Incident Detection

AWS CloudTrail Event Monitoring

Related Links

Leadline Architecture Design

• Observability & Monitoring: Monitoring, logging, and alerting for incident detection and response
• SSDLC Security Practices: Security toolchain and practices for incident prevention and response

Incident Management

• NIST Incident Response
• Incident Response Best Practices
• Incident Management Framework

Review Tools

• Incident Tracking Systems
• Review Dashboards
• Reporting Tools

Compliance Resources

• Incident Response Compliance
• Security Incident Management
• Privacy Incident Handling