Control 3.4: Incident Reporting and Root Cause Analysis
Control ID: 3.4 Pillar: Reporting Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, SEC 17a-4, FFIEC IT Handbook, SEC Regulation S-P Last UI Verified: January 2026 Governance Levels: Baseline / Recommended / Regulated Last Verified: 2026-02-03
Objective
Establish a systematic process for capturing, investigating, and remediating AI agent-related incidents including security events, policy violations, performance failures, and compliance breaches. This control supports proper documentation, root cause analysis, and corrective actions with full audit trail to aid compliance.
Why This Matters for FSI
- GLBA 501(b): Requires incident response procedures for security events affecting customer NPI. Notification timelines vary by regulator, incident type, and entity obligations; map applicable requirements during incident workflow.
- SEC Regulation S-P (2024 amendments, effective December 3, 2025): Requires covered institutions to notify affected customers as soon as practicable, but no later than 30 days after becoming aware of unauthorized access to sensitive customer information.
- SEC 17a-4: Incident records must be preserved for 6+ years minimum
- FINRA 4511: Material operational events must be documented in books and records
- SOX 404: Control failures require immediate escalation to audit committee
- FFIEC: Cybersecurity incidents must be reported to primary regulator
Control Description
This control establishes incident classification, tracking, root cause analysis, and remediation workflows for AI agent-related events. It integrates with Microsoft Sentinel for detection and SharePoint for case management.
| Capability | Description |
|---|---|
| Classification Taxonomy | Categorize incidents by type and severity |
| SLA Monitoring | Track response times with automatic escalation |
| Root Cause Analysis | Structured RCA process with templates |
| Regulatory Notification | Workflows for required regulatory filings |
| Metrics Dashboard | Track MTTR, open issues, trends |
Incident Categories:
| Category | Severity Range | Example |
|---|---|---|
| Security | Critical - High | Unauthorized access, DLP violation |
| Compliance | Critical - Medium | Policy breach, missing audit records |
| Data Quality | Critical - Low | Hallucinations, calculation errors |
| Privacy | Critical - High | Customer data exposure, GLBA breach |
Key Configuration Points
- Create SharePoint incident tracking list with required fields (ID, category, severity, RCA, resolution)
- Configure Power Automate workflows for new incident notification and SLA breach alerts
- Define severity-based response SLAs: Critical (15 min), High (1 hr), Medium (4 hr), Low (24 hr)
- Establish RCA document template with 5-Whys or Fishbone analysis sections
- Integrate with Microsoft Sentinel for automated incident detection
- Configure regulatory notification tracking for SEC Regulation S-P 30-day requirement
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Standard response (24h); optional RCA for low severity | Low-risk personal use |
| Zone 2 (Team) | Accelerated response (4h); RCA required for all incidents | Shared data increases risk |
| Zone 3 (Enterprise) | Immediate response (15min); full RCA required; 7–10 year retention | Customer-facing, regulatory examination risk |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Entra Security Admin | Configure Sentinel rules, investigate security incidents |
| Compliance Officer | Review regulatory impact, approve notifications |
| AI Governance Lead | Define classification taxonomy, oversee RCA quality |
| Power Platform Admin | Maintain tracking system, workflow automation |
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Provides evidence for investigations |
| 1.8 - Runtime Protection | Detects security incidents |
| 1.5 - DLP and Sensitivity Labels | DLP violation correlation (Deny Event Correlation Report) |
| 3.2 - Usage Analytics | Identifies anomalies leading to incidents |
| 3.3 - Compliance Reporting | Includes incident summary in reports |
Automated Validation: Deny Event Correlation Report
For automated deny event detection and alerting supporting incident reporting workflows, see the Deny Event Correlation Report solution.
Capabilities:
- Multi-source deny event extraction (RAI telemetry, Purview Audit, Purview DLP)
- Daily correlation engine with 7-day trend analysis and volume anomaly detection
- Zone-based alerting with Teams adaptive cards and email notifications
- Dataverse persistence with zone-based retention (90d/365d/730d)
- SHA-256 integrity-hashed evidence export with regulatory alignment mapping
Deployable Solution: deny-event-correlation-report provides PowerShell extraction scripts, Dataverse infrastructure, Power Automate orchestration flow, and evidence export pipeline.
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Incident workflow documented with severity-based SLAs: Critical (15 min), High (1 hr), Medium (4 hr), Low (24 hr)
- Critical incidents trigger CISO/CCO notification within 15 minutes
- SLA breach alerts automatically escalate overdue incidents
- Incident closure requires completed Root Cause and Corrective Actions fields
- Regulatory notification workflow tracks SEC S-P 30-day deadline
- Incident records retained for 6+ years per SEC 17a-4
- Weekly incident review meetings produce documented action items
Additional Resources
- Microsoft Sentinel Incidents
- Power Automate Approval Workflows
- SharePoint List Management
- Microsoft 365 Audit Log Search
- Incident Response Planning
Updated: January 2026 | Version: v1.2 | UI Verification Status: Current