Florida Regulations 60GG-2.005: Respond
Function: Respond (RS)
  Category: Response Planning (RP)
    RS.RP-1: Execute response plan during or after an Incident
  Category: Communications (CO)
    RS.CO-1: Ensure that personnel know their roles and order of operations when a response is needed
    RS.CO-2: Report Incidents consistent with established criteria
    RS.CO-3: Share information consistent with response plans
    RS.CO-4: Coordinate with Stakeholders consistent with response plans
    RS.CO-5: Engage in voluntary information sharing with external Stakeholders to achieve broader cybersecurity situational awareness
  Category: Analysis (AN)
    RS.AN-1: Investigate notifications from detection systems
    RS.AN-2: Understand the impact of Incidents
    RS.AN-3: Perform forensic analysis
    RS.AN-4: Categorize Incidents consistent with response plans
    RS.AN-5: Establish processes to receive, analyze, and respond to vulnerabilities disclosed to the Agency from internal and external sources
  Category: Mitigation (MI)
    RS.MI-1: Contain Incidents
    RS.MI-2: Mitigate Incidents
    RS.MI-3: Mitigate newly identified vulnerabilities or document accepted risks
  Category: Improvements (IM)
    RS.IM-1: Incorporate lessons learned in response plans
    RS.IM-2: Periodically update response strategies
(a) Agencies shall establish a Cybersecurity Incident Response Team (CSIRT) to respond to Cybersecurity Incidents. CSIRT members shall convene immediately upon notice of Cybersecurity Incidents. Responsibilities of CSIRT members include:
1. Convening a simple majority of CSIRT members at least quarterly to review, at a minimum, established processes and escalation protocols.
2. Receiving incident response training annually. Training shall be coordinated as a part of the information security program.
3. CSIRT membership shall include, at a minimum, a member from the cybersecurity team, the CIO (or designee), and a member from the Inspector General’s Office who shall act in an advisory capacity. The CSIRT team shall report findings to Agency management.
4. The CSIRT shall determine the appropriate response required for each Cybersecurity Incident.
5. The Agency Cybersecurity Incident reporting process must include notification procedures, established pursuant to Florida Statutes § 501.171, Florida Statutes § 282.318, and as specified in executed agreements with external parties. For reporting Incidents to FL[DS] and the Cybercrime Office (as established within the Florida Department of Law Enforcement and in accordance with Florida Statutes § 943.0415), Agencies shall report observed Incident indicators to FL[DS]. Such indicators may include any known attacker IP addresses, malicious uniform resource locator (URL) addresses, malicious code file names and/or associated file hash values.
(2) Communications. Each Agency shall coordinate response activities with internal and external Stakeholders, as appropriate, to include external support from law enforcement Agencies. Each Agency shall:
(a) Inform Workers of their roles and order of operations when a response is needed (RS.CO-1).
(b) Require that Incidents be reported consistent with established criteria and in accordance with Agency Incident reporting procedures. Criteria shall require immediate reporting, including instances of lost identification and Authentication resources (RS.CO-2).
(c) Share information, consistent with response plans (RS.CO-3).
(d) Coordinate with Stakeholders, consistent with response plans (RS.CO-4).
(e) Establish communications with external Stakeholders to share and receive information to achieve broader cybersecurity situational awareness (RS.CO-5). Where technology permits, enable automated security alerts. Establish processes to receive, assess, and act upon security advisories.
(3) Analysis. Each Agency shall conduct analysis to adequately respond and support recovery activities. Related activities include:
(a) Each Agency shall establish notification thresholds and investigate notifications from detection systems (RS.AN-1).
(b) Each Agency shall assess and identify the impact of Incidents (RS.AN-2).
(c) Each Agency shall perform forensics, where deemed appropriate (RS.AN-3).
(d) Each Agency shall categorize Incidents, consistent with response plans (RS.AN-4). Each Incident report and analysis, including findings and corrective actions, shall be documented.
(e) Each Agency shall establish processes to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (RS.AN-5).
(4) Mitigation. Each Agency shall perform Incident mitigation activities. The objective of Incident mitigation activities shall be to attempt to contain and prevent recurrence of Incidents (RS.MI-1); mitigate Incident effects and resolve the Incident (RS.MI-2); and address vulnerabilities or document them as accepted risks (RS.MI-3).
(5) Improvements. Each Agency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans (RS.IM-1). Agencies shall update response strategies in accordance with Agency-established policy (RS.IM-2).
Rulemaking Authority Florida Statutes § 282.318(11). Law Implemented 282.318(3) FS. History—New 3-10-16, Amended 1-2-19, Formerly 74-2.005, Amended 9-18-22.