← Back to catalog
IR-8(1)

Breaches

Incident Response (IR)
Baselines
Low · Not includedModerate · Not includedHigh · Not included
Description

Include the following in the Incident Response Plan for breaches involving personally identifiable information: A process to determine if notice to individuals or other organizations, including oversight organizations, is needed; An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and Identification of applicable privacy requirements.

Discussion

Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements.

Implementation guidance

No content available.

CSF 2.0 crosswalk

No CSF mappings exist for this control.