Reporting of Suspected Security Weaknesses, v1.0

Defines conformance and assessment criteria for compliance with minimum security requirements for reporting of suspected security weaknesses as related to overall incident response requirements.
DEPRECATED
This Trustmark Definition has been deprecated. You should not use this definition for any reason.
This Trustmark Definition has been superseded by the following:
If an assessment step references organization-defined elements (E.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), corresponding citations/excerpts must be provided to confirm that the organization has established and documented these values and that they apply as referenced in the conformance criteria.

Similarly, if a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.

The assessment step shall not be marked as satisfied without this evidence.

Assessment Step

1
Reporting of Suspected Security Weaknesses (ReportingofSuspectedSecurityWeaknesses)
Does the organization require personnel to report suspected security weaknesses to the organizational incident response capability within <organization-defined time period>?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the organization's required reporting time period for suspected weaknesses in hours.
Parameter
Reporting Timerequired
NUMBER : Provide the time (in hours) within which suspected security weaknesses must be reported.
If conformance criteria reference organization-defined elements (e.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), these values must be defined and documented by the organization.

Similarly, if the criteria specify a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.

Conformance Criteria (1)

C1
Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken.
Citation
CJIS-SP-V5-4
Section 5.3.1.