IR-6 - Incident Reporting
Control requirements
IR-6 (a)
Require personnel to report suspected incidents to the organizational incident response capability within [IBM Assignment: no longer than 24 hours for systems related to FS-ready public cloud customers].
IR-6 (b)
Report incident information to [IBM Assignment: Information Security Incident Response Team of the FS-ready public cloud customers].
Additional IBM Cloud for Financial Services specifications
The organization shall ensure that data management issues are treated as incidents and are reported to the customer as they arise.
NIST supplemental guidance
The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.