Control 3.4: Incident Reporting and Root Cause Analysis
Overview
- Control ID: 3.4
- Control Name: Incident Reporting and Root Cause Analysis
- Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, SEC Rule 17a-4, FFIEC IT Handbook
- Setup Time: 3-4 hours
Purpose
Incident Reporting and Root Cause Analysis establishes a systematic process for capturing, investigating, and remediating AI agent-related incidents. This control ensures that security events, policy violations, performance failures, and compliance breaches are properly documented, analyzed for root cause, and resolved with corrective actions. For financial services organizations, this control is critical for demonstrating regulatory compliance and maintaining operational resilience.
Prerequisites
- Primary Owner Admin Role: Entra Security Admin
- Supporting Roles: Compliance Officer
Licensing Requirements
| Component | License Required |
|---|---|
| Microsoft Sentinel | Azure subscription + Sentinel workspace |
| Microsoft Defender for Cloud Apps | Microsoft 365 E5 Security |
| Microsoft 365 Audit Logs | Microsoft 365 E3/E5 |
| SharePoint for Case Management | Microsoft 365 E3/E5 |
| Power Automate for Workflows | Power Platform (included with M365) |
Permissions Required
| Task | Role/Permission |
|---|---|
| Report Incidents | All authenticated users |
| Triage Incidents | Compliance Reader, Security Reader |
| Investigate Incidents | Security Operator, Compliance Administrator |
| Close Incidents | Security Administrator, Compliance Administrator |
| Access Incident Data | Audit Log Reader |
| Configure Incident Workflows | Power Automate Administrator |
Dependencies
- [x] Control 1.7: Comprehensive Audit Logging
- [x] Control 1.8: Runtime Protection and External Threat Detection
- [x] Control 3.2: Usage Analytics and Activity Monitoring
- [x] Control 2.5: Business Continuity and Disaster Recovery
Pre-Setup Checklist
- [ ] Incident classification taxonomy defined
- [ ] Escalation matrix approved by management
- [ ] SharePoint incident tracking list created
- [ ] On-call rotation established
- [ ] Regulatory notification thresholds documented
Governance Levels
Baseline (Level 1)
Document incidents: security events, policy violations, performance failures; log root causes.
Recommended (Level 2-3)
Incident tracking system; automated RCA workflow; weekly incident reviews.
Regulated/High-Risk (Level 4)
Real-time incident reporting; mandatory SLA for investigation; audit-ready incident files.
Setup & Configuration
Step 1: Define Incident Classification Taxonomy
Incident Categories:
| Category | Description | Examples | Severity Range |
|---|---|---|---|
| Security | Unauthorized access, data breach | Credential theft, DLP violation | Critical - High |
| Compliance | Regulatory violation, policy breach | Unapproved data access, missing audit | Critical - Medium |
| Availability | Service outage, performance degradation | Agent down, slow response | High - Low |
| Data Quality | Incorrect outputs, hallucinations | Wrong financial advice, calculation error | Critical - Low |
| Privacy | PII exposure, consent violation | Customer data leak, GLBA breach | Critical - High |
| Bias/Fairness | Discriminatory outcomes | Loan denial bias, unfair treatment | Critical - High |
Severity Levels:
| Severity | Response SLA | Escalation | Example |
|---|---|---|---|
| Critical (P1) | 15 minutes | Immediate - CISO/CCO | Data breach, regulatory filing required |
| High (P2) | 1 hour | 4 hours - Director | DLP violation, agent producing incorrect advice |
| Medium (P3) | 4 hours | 24 hours - Manager | Policy violation, performance degradation |
| Low (P4) | 24 hours | 48 hours - Team Lead | Minor UI issues, feature requests |
Step 2: Create SharePoint Incident Tracking System
Portal Path: SharePoint Admin Center → Sites → Create Site
Create a SharePoint list with the following columns:
| Column Name | Type | Required | Values/Format |
|---|---|---|---|
| Incident ID | Auto-generated | Yes | INC-YYYY-MMDD-### |
| Title | Single line | Yes | Brief description |
| Category | Choice | Yes | Security, Compliance, Availability, etc. |
| Severity | Choice | Yes | Critical, High, Medium, Low |
| Agent Name | Lookup | Yes | Link to Agent Inventory |
| Reported By | Person | Yes | User |
| Reported Date | Date/Time | Yes | Auto-populated |
| Status | Choice | Yes | New, Investigating, Pending RCA, Remediation, Closed |
| Assigned To | Person | Yes | Investigator |
| Description | Multi-line | Yes | Full incident details |
| Root Cause | Multi-line | No | RCA findings |
| Corrective Actions | Multi-line | No | Remediation steps |
| Resolution Date | Date/Time | No | When closed |
| Time to Resolution | Calculated | Auto | Resolution Date - Reported Date |
| Regulatory Impact | Yes/No | Yes | FINRA/SEC notification required |
| Evidence Links | Multiple links | No | Audit logs, screenshots |
Step 3: Configure Incident Reporting Form
Portal Path: SharePoint Site → New → List Form → Customize with Power Apps
Create a user-friendly intake form with:
- Required fields validation
- Auto-population of reporter and date
- Category-based severity suggestions
- File attachment for evidence
- Email confirmation to reporter
Step 4: Set Up Automated Workflows
Portal Path: Power Automate → Create → Automated cloud flow
Workflow 1: New Incident Notification
```text
Trigger: When item created in Incidents list
Conditions:
├── If Severity = Critical → Immediate escalation
│   ├── Email CISO, CCO, CEO
│   ├── Teams notification to Security-Ops
│   └── Create Sentinel incident
├── If Severity = High
│   ├── Email Security Team Lead
│   └── Teams notification to AI-Ops
└── All incidents
    ├── Assign to on-call investigator
    ├── Start SLA timer
    └── Log to incident dashboard
```
Workflow 2: SLA Breach Alert
```text
Trigger: Scheduled - Every 15 minutes
Conditions:
├── Find incidents past SLA
└── For each overdue incident:
    ├── Email escalation chain
    ├── Update status to "Escalated"
    └── Notify manager
```
Workflow 3: Incident Closure
```text
Trigger: When Status changed to "Closed"
Actions:
├── Validate required fields (Root Cause, Corrective Actions)
├── Calculate Time to Resolution
├── Archive evidence to permanent storage
├── Update metrics dashboard
├── If Regulatory Impact = Yes
│   └── Queue for regulatory filing review
└── Send closure notification
```
Step 5: Configure Root Cause Analysis Template
RCA Document Structure:
```text
INCIDENT ROOT CAUSE ANALYSIS
============================
Incident ID: [Auto-populated]
Analysis Date: [Date]
Analyst: [Name]

1. INCIDENT SUMMARY
   - What happened
   - When discovered
   - Impact scope

2. TIMELINE
   [Time] - Event 1
   [Time] - Event 2
   ...

3. ROOT CAUSE ANALYSIS
   Primary Cause: [Description]
   Contributing Factors:
   - Factor 1
   - Factor 2
   Analysis Method: ☐ 5 Whys ☐ Fishbone ☐ Fault Tree

4. IMPACT ASSESSMENT
   - Customers affected: [Number]
   - Data exposed: [Yes/No - Details]
   - Financial impact: [$Amount]
   - Regulatory implications: [Description]

5. CORRECTIVE ACTIONS
   | Action     | Owner  | Due Date | Status   |
   |------------|--------|----------|----------|
   | [Action 1] | [Name] | [Date]   | [Status] |

6. PREVENTIVE MEASURES
   - Short-term: [Description]
   - Long-term: [Description]

7. LESSONS LEARNED
   - [Key takeaways]

8. APPROVALS
   Analyst:    _________________ Date: _______
   Manager:    _________________ Date: _______
   Compliance: ______________ Date: _______
```
Step 6: Integrate with Microsoft Sentinel
Portal Path: Azure Portal → Microsoft Sentinel → Analytics
Create analytics rules for agent-related incidents:
| Rule Name | Data Source | Trigger | Severity |
|---|---|---|---|
| Agent DLP Violation | M365 Defender | DLP policy match | High |
| Unauthorized Agent Access | Entra ID | Failed access after hours | Medium |
| Agent Connector Failure | Power Platform | Error rate >5% | High |
| Unusual Data Volume | Audit Log | >3σ from baseline | Medium |
| Agent Response Anomaly | App Insights | Latency spike | Low |
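The table above names the "Unusual Data Volume" rule only by its trigger (">3σ from baseline"). The following is an added example, not code from the framework or from Microsoft, that carries that trigger through as a runnable check: it computes each agent identity's mean and standard deviation of daily operations over a baseline window and flags any identity whose count for the current day exceeds the mean by more than the chosen number of sigmas. It assumes agent activity is recorded in the Sentinel `OfficeActivity` table under the service-account UPN the agent runs as (`UserId`), and that the `Az.OperationalInsights` module is installed; the function name, parameter names and the `$AgentUpns` list are illustrative.

```powershell
# Added example (not part of the framework): evaluates the Step 6
# "Unusual Data Volume" rule logic against a Sentinel workspace.
# Assumes agent activity lands in OfficeActivity keyed by the agent's
# service-account UPN. Requires: Install-Module Az.OperationalInsights; Connect-AzAccount
function Test-AgentDataVolumeAnomaly {
    param(
        [Parameter(Mandatory=$true)]
        [string]$WorkspaceId,              # Log Analytics workspace (customer) ID
        [Parameter(Mandatory=$true)]
        [string[]]$AgentUpns,              # service accounts the agents run as (assumed)
        [int]$BaselineDays = 30,           # history used to compute mean and sigma
        [double]$SigmaThreshold = 3.0      # ">3σ from baseline" per the Step 6 table
    )

    # Render the UPN list as a KQL dynamic array literal; quotes in values are escaped
    # so the list cannot alter the query text.
    $upnList = ($AgentUpns | ForEach-Object { '"' + ($_ -replace '"', '\"') + '"' }) -join ','

    # Days with zero activity are absent from the baseline; a make-series variant
    # would fill them with zeros and produce a slightly lower mean.
    $kql = @"
let agents = dynamic([$upnList]);
let lookback = ${BaselineDays}d;
let today = startofday(now());
OfficeActivity
| where TimeGenerated > ago(lookback)
| where UserId in~ (agents)
| summarize DailyOps = count() by UserId, Day = bin(TimeGenerated, 1d)
| summarize Baseline = avgif(DailyOps, Day < today),
            Sigma    = stdevif(DailyOps, Day < today),
            Today    = sumif(DailyOps, Day == today) by UserId
| where Sigma > 0 and Today > Baseline + $SigmaThreshold * Sigma
| project UserId, Today, Baseline = round(Baseline, 1), Sigma = round(Sigma, 1),
          ZScore = round((Today - Baseline) / Sigma, 2)
"@

    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql `
        -Timespan (New-TimeSpan -Days ($BaselineDays + 1))
    $anomalies = @($result.Results)

    if ($anomalies.Count -gt 0) {
        Write-Host "Unusual data volume detected for $($anomalies.Count) agent identit(ies):" -ForegroundColor Yellow
        $anomalies | Format-Table -AutoSize
    }
    else {
        Write-Host "Agent data volume within baseline" -ForegroundColor Green
    }
    return $anomalies
}

# Usage (identities are placeholders):
# Test-AgentDataVolumeAnomaly -WorkspaceId "<workspace-id>" -AgentUpns @("svc-account-inquiry@contoso.com", "svc-loan-assist@contoso.com")
```

The query body between `OfficeActivity` and `project` is the same text you would paste into a scheduled analytics rule under the Portal Path above, with the Step 6 severity of Medium; running it from PowerShell first lets you confirm the baseline window and threshold produce a sane alert rate before the rule starts creating Sentinel incidents.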
Step 7: Establish Weekly Incident Review Process
Meeting Structure:
| Item | Duration | Participants |
|---|---|---|
| Open Incidents Review | 15 min | Ops Team |
| Critical Incident Deep Dive | 20 min | All stakeholders |
| RCA Presentations | 15 min | Analysts |
| Trend Analysis | 5 min | Manager |
| Action Item Review | 5 min | All |
PowerShell Configuration
```powershell
# ============================================================
# Control 3.4: Incident Reporting and Root Cause Analysis
# PowerShell Configuration Script for FSI Organizations
# ============================================================

# Install required modules
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Install-Module -Name Microsoft.Graph -Force -AllowClobber
Install-Module -Name Az.SecurityInsights -Force -AllowClobber

# Connect to services
Connect-PnPOnline -Url "https://[tenant].sharepoint.com/sites/AI-Governance" -Interactive
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "SecurityIncident.ReadWrite.All"
Connect-AzAccount

# ============================================================
# SECTION 1: Create Incident Tracking List
# ============================================================
function New-IncidentTrackingList {
    param(
        [string]$SiteUrl = "https://[tenant].sharepoint.com/sites/AI-Governance",
        [string]$ListName = "AI Agent Incidents"
    )

    Write-Host "Creating Incident Tracking List..." -ForegroundColor Cyan
    Connect-PnPOnline -Url $SiteUrl -Interactive

    # Create list
    $list = New-PnPList -Title $ListName -Template GenericList

    # Column definitions (mirrors the Step 2 table). Workflow 2 writes an
    # "Escalated" status; add it to the Status choices if that workflow is used.
    $columns = @(
        @{ Name = "IncidentID"; Type = "Text"; Required = $true },
        @{ Name = "Category"; Type = "Choice"; Choices = @("Security", "Compliance", "Availability", "Data Quality", "Privacy", "Bias/Fairness") },
        @{ Name = "Severity"; Type = "Choice"; Choices = @("Critical", "High", "Medium", "Low") },
        @{ Name = "AgentName"; Type = "Text"; Required = $true },
        @{ Name = "ReportedDate"; Type = "DateTime"; Required = $true },
        @{ Name = "Status"; Type = "Choice"; Choices = @("New", "Investigating", "Pending RCA", "Remediation", "Closed") },
        @{ Name = "AssignedTo"; Type = "User"; Required = $true },
        @{ Name = "Description"; Type = "Note"; Required = $true },
        @{ Name = "RootCause"; Type = "Note" },
        @{ Name = "CorrectiveActions"; Type = "Note" },
        @{ Name = "ResolutionDate"; Type = "DateTime" },
        @{ Name = "RegulatoryImpact"; Type = "Boolean" },
        @{ Name = "TimeToResolutionHours"; Type = "Number" }
    )

    # Add-PnPField accepts every column type used here via -Type, and choice
    # values via -Choices; a missing Required key becomes $false through [bool].
    foreach ($col in $columns) {
        $fieldParams = @{
            List         = $ListName
            DisplayName  = $col.Name
            InternalName = $col.Name
            Type         = $col.Type
            Required     = [bool]$col.Required
        }
        if ($col.Type -eq "Choice") { $fieldParams.Choices = $col.Choices }
        Add-PnPField @fieldParams | Out-Null
    }

    Write-Host "Incident Tracking List created successfully" -ForegroundColor Green
    return $list
}

# ============================================================
# SECTION 2: Report New Incident
# ============================================================
function New-AgentIncident {
    param(
        [Parameter(Mandatory=$true)]
        [string]$Title,
        [Parameter(Mandatory=$true)]
        [ValidateSet("Security", "Compliance", "Availability", "Data Quality", "Privacy", "Bias/Fairness")]
        [string]$Category,
        [Parameter(Mandatory=$true)]
        [ValidateSet("Critical", "High", "Medium", "Low")]
        [string]$Severity,
        [Parameter(Mandatory=$true)]
        [string]$AgentName,
        [Parameter(Mandatory=$true)]
        [string]$Description,
        [string]$AssignTo = "",
        [bool]$RegulatoryImpact = $false
    )

    Write-Host "Reporting new incident..." -ForegroundColor Cyan

    # Generate Incident ID in the INC-YYYY-MMDD-### format from Step 2
    # (-Maximum is exclusive, so 1000 yields the full 100-999 range)
    $incidentId = "INC-$(Get-Date -Format 'yyyy-MMdd')-$(Get-Random -Minimum 100 -Maximum 1000)"

    $incident = @{
        Title            = $Title
        IncidentID       = $incidentId
        Category         = $Category
        Severity         = $Severity
        AgentName        = $AgentName
        Description      = $Description
        ReportedDate     = Get-Date
        Status           = "New"
        RegulatoryImpact = $RegulatoryImpact
    }

    # AssignedTo is a required column; pass the investigator's UPN when known
    if (-not [string]::IsNullOrWhiteSpace($AssignTo)) {
        $incident.AssignedTo = $AssignTo
    }

    # Add to SharePoint
    $item = Add-PnPListItem -List "AI Agent Incidents" -Values $incident
    Write-Host "Incident created: $incidentId (list item $($item.Id))" -ForegroundColor Green

    # Trigger notifications based on severity
    if ($Severity -eq "Critical") {
        Write-Host "CRITICAL INCIDENT - Initiating emergency escalation" -ForegroundColor Red
        Send-CriticalIncidentNotification -IncidentId $incidentId -Details $incident
    }
    elseif ($Severity -eq "High") {
        Write-Host "HIGH SEVERITY - Notifying security team" -ForegroundColor Yellow
    }

    return $incident
}

function Send-CriticalIncidentNotification {
    param($IncidentId, $Details)

    # In production, integrate with email/Teams/PagerDuty
    Write-Host "🚨 CRITICAL INCIDENT ALERT 🚨" -ForegroundColor Red
    Write-Host "Incident ID: $IncidentId"
    Write-Host "Category: $($Details.Category)"
    Write-Host "Agent: $($Details.AgentName)"
    Write-Host "Description: $($Details.Description)"
    Write-Host ""
    Write-Host "Escalation chain notified: CISO, CCO, CEO" -ForegroundColor Yellow
}

# ============================================================
# SECTION 3: Update Incident Status
# ============================================================
function Get-IncidentItem {
    # Looks up the list item for one incident. The ID is validated against the
    # INC-YYYY-MMDD-### format before it is interpolated into the CAML query,
    # so only well-formed identifiers ever reach the query text.
    param(
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^INC-\d{4}-\d{4}-\d{3}$')]
        [string]$IncidentId
    )

    $caml = "<View><Query><Where><Eq><FieldRef Name='IncidentID'/><Value Type='Text'>$IncidentId</Value></Eq></Where></Query></View>"
    return @(Get-PnPListItem -List "AI Agent Incidents" -Query $caml)
}

function Update-IncidentStatus {
    param(
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^INC-\d{4}-\d{4}-\d{3}$')]
        [string]$IncidentId,
        [Parameter(Mandatory=$true)]
        [ValidateSet("Investigating", "Pending RCA", "Remediation", "Closed")]
        [string]$NewStatus,
        [string]$RootCause = "",
        [string]$CorrectiveActions = ""
    )

    Write-Host "Updating incident $IncidentId to status: $NewStatus" -ForegroundColor Cyan

    $updates = @{
        Status = $NewStatus
    }

    # Workflow 3 rule: an incident cannot close without RCA findings and remediation steps
    if ($NewStatus -eq "Closed") {
        if ([string]::IsNullOrWhiteSpace($RootCause) -or [string]::IsNullOrWhiteSpace($CorrectiveActions)) {
            Write-Error "Root Cause and Corrective Actions required to close incident"
            return
        }
        $updates.RootCause         = $RootCause
        $updates.CorrectiveActions = $CorrectiveActions
        $updates.ResolutionDate    = Get-Date
    }

    # Find and update the item
    $items = Get-IncidentItem -IncidentId $IncidentId
    if ($items.Count -eq 1) {
        # Calculate TTR if closing, and persist it alongside the other updates
        if ($NewStatus -eq "Closed") {
            $reportedDate = [DateTime]$items[0]["ReportedDate"]
            $ttr = ((Get-Date) - $reportedDate).TotalHours
            $updates.TimeToResolutionHours = [math]::Round($ttr, 1)
        }

        Set-PnPListItem -List "AI Agent Incidents" -Identity $items[0].Id -Values $updates | Out-Null
        Write-Host "Incident updated successfully" -ForegroundColor Green

        if ($NewStatus -eq "Closed") {
            Write-Host "Time to Resolution: $($updates.TimeToResolutionHours) hours" -ForegroundColor Cyan
        }
    }
    elseif ($items.Count -eq 0) {
        Write-Error "Incident not found: $IncidentId"
    }
    else {
        Write-Error "Multiple list items share IncidentID $IncidentId; resolve the duplicate before updating"
    }
}

# ============================================================
# SECTION 4: Generate Incident Metrics
# ============================================================
function Get-IncidentMetrics {
    param(
        [int]$DaysBack = 30
    )

    Write-Host "Generating incident metrics for last $DaysBack days..." -ForegroundColor Cyan

    $cutoff = (Get-Date).AddDays(-$DaysBack)
    $allIncidents = Get-PnPListItem -List "AI Agent Incidents" -PageSize 500
    # @() keeps .Count correct when zero or one item matches
    $recentIncidents = @($allIncidents | Where-Object {
        [DateTime]$_["ReportedDate"] -ge $cutoff
    })

    $metrics = @{
        TotalIncidents = $recentIncidents.Count
        BySeverity = @{
            Critical = @($recentIncidents | Where-Object { $_["Severity"] -eq "Critical" }).Count
            High     = @($recentIncidents | Where-Object { $_["Severity"] -eq "High" }).Count
            Medium   = @($recentIncidents | Where-Object { $_["Severity"] -eq "Medium" }).Count
            Low      = @($recentIncidents | Where-Object { $_["Severity"] -eq "Low" }).Count
        }
        ByCategory = $recentIncidents | Group-Object { $_["Category"] } | Select-Object Name, Count
        ByStatus   = $recentIncidents | Group-Object { $_["Status"] } | Select-Object Name, Count
        OpenIncidents = @($recentIncidents | Where-Object { $_["Status"] -ne "Closed" }).Count
        AverageTimeToResolution = 0
        RegulatoryImpactCount = @($recentIncidents | Where-Object { $_["RegulatoryImpact"] -eq $true }).Count
    }

    # Calculate average TTR for closed incidents
    $closedIncidents = @($recentIncidents | Where-Object { $_["Status"] -eq "Closed" -and $_["ResolutionDate"] })
    if ($closedIncidents.Count -gt 0) {
        $ttrStats = $closedIncidents | ForEach-Object {
            ([DateTime]$_["ResolutionDate"] - [DateTime]$_["ReportedDate"]).TotalHours
        } | Measure-Object -Average
        $metrics.AverageTimeToResolution = [math]::Round($ttrStats.Average, 1)
    }

    Write-Host "`nIncident Metrics Summary:" -ForegroundColor Green
    Write-Host "=========================" -ForegroundColor Green
    Write-Host "Total Incidents: $($metrics.TotalIncidents)"
    Write-Host "Open Incidents: $($metrics.OpenIncidents)"
    Write-Host "Critical: $($metrics.BySeverity.Critical) | High: $($metrics.BySeverity.High) | Medium: $($metrics.BySeverity.Medium) | Low: $($metrics.BySeverity.Low)"
    Write-Host "Average TTR: $($metrics.AverageTimeToResolution) hours"
    Write-Host "Regulatory Impact: $($metrics.RegulatoryImpactCount)"

    return $metrics
}

# ============================================================
# SECTION 5: Generate RCA Report
# ============================================================
function New-RootCauseAnalysisReport {
    param(
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^INC-\d{4}-\d{4}-\d{3}$')]
        [string]$IncidentId,
        [Parameter(Mandatory=$true)]
        [string]$PrimaryCause,
        [Parameter(Mandatory=$true)]
        [string[]]$ContributingFactors,
        [Parameter(Mandatory=$true)]
        [hashtable[]]$CorrectiveActions,
        [string]$OutputPath = ".\RCA-$IncidentId.html"
    )

    Write-Host "Generating RCA Report for $IncidentId..." -ForegroundColor Cyan

    # Get incident details
    $incident = Get-IncidentItem -IncidentId $IncidentId
    if ($incident.Count -ne 1) {
        Write-Error "Expected exactly one list item for $IncidentId, found $($incident.Count)"
        return
    }

    # Free-text fields (incident title, RCA findings, action owners) are HTML-encoded
    # before they are placed in the report, so that text typed into the incident
    # cannot inject markup or script into the generated file.
    $enc = [System.Net.WebUtility]
    $summary = @{}
    foreach ($field in 'Title', 'Category', 'Severity', 'AgentName', 'ReportedDate') {
        $summary[$field] = $enc::HtmlEncode([string]$incident[0][$field])
    }
    $safePrimaryCause = $enc::HtmlEncode($PrimaryCause)
    $factorsHtml = ($ContributingFactors | ForEach-Object { "<li>$($enc::HtmlEncode($_))</li>" }) -join "`n"
    $actionsHtml = ($CorrectiveActions | ForEach-Object {
        "<tr><td>$($enc::HtmlEncode([string]$_.Action))</td><td>$($enc::HtmlEncode([string]$_.Owner))</td><td>$($enc::HtmlEncode([string]$_.DueDate))</td><td>$($enc::HtmlEncode([string]$_.Status))</td></tr>"
    }) -join "`n"

    $html = @"
<!DOCTYPE html>
<html>
<head>
    <title>Root Cause Analysis - $IncidentId</title>
    <style>
        body { font-family: 'Segoe UI', Arial, sans-serif; margin: 40px; }
        h1 { color: #C41E3A; border-bottom: 3px solid #C41E3A; padding-bottom: 10px; }
        h2 { color: #333; margin-top: 30px; }
        table { width: 100%; border-collapse: collapse; margin: 20px 0; }
        th { background: #0078D4; color: white; padding: 12px; text-align: left; }
        td { border: 1px solid #ddd; padding: 10px; }
        .section { background: #f5f5f5; padding: 20px; border-radius: 8px; margin: 20px 0; }
        .cause-box { background: #FFF3CD; border-left: 4px solid #FFC107; padding: 15px; margin: 10px 0; }
        .action-item { background: #D4EDDA; border-left: 4px solid #28A745; padding: 15px; margin: 10px 0; }
        .signature-line { border-bottom: 1px solid #000; width: 300px; display: inline-block; margin: 10px 0; }
    </style>
</head>
<body>
    <h1>🔍 Root Cause Analysis Report</h1>

    <div class="section">
        <h2>Incident Summary</h2>
        <table>
            <tr><td><strong>Incident ID</strong></td><td>$IncidentId</td></tr>
            <tr><td><strong>Title</strong></td><td>$($summary.Title)</td></tr>
            <tr><td><strong>Category</strong></td><td>$($summary.Category)</td></tr>
            <tr><td><strong>Severity</strong></td><td>$($summary.Severity)</td></tr>
            <tr><td><strong>Agent</strong></td><td>$($summary.AgentName)</td></tr>
            <tr><td><strong>Reported</strong></td><td>$($summary.ReportedDate)</td></tr>
        </table>
    </div>

    <h2>Root Cause Analysis</h2>
    <div class="cause-box">
        <h3>Primary Cause</h3>
        <p>$safePrimaryCause</p>
    </div>

    <div class="cause-box">
        <h3>Contributing Factors</h3>
        <ul>
$factorsHtml
        </ul>
    </div>

    <h2>Corrective Actions</h2>
    <table>
        <tr><th>Action</th><th>Owner</th><th>Due Date</th><th>Status</th></tr>
$actionsHtml
    </table>

    <h2>Approvals</h2>
    <p><strong>Analyst:</strong> <span class="signature-line"></span> Date: __________</p>
    <p><strong>Manager:</strong> <span class="signature-line"></span> Date: __________</p>
    <p><strong>Compliance:</strong> <span class="signature-line"></span> Date: __________</p>

    <p><em>Generated: $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")</em></p>
</body>
</html>
"@

    $html | Out-File -FilePath $OutputPath -Encoding UTF8
    Write-Host "RCA Report generated: $OutputPath" -ForegroundColor Green

    return $OutputPath
}

# ============================================================
# SECTION 6: SLA Compliance Check
# ============================================================
function Test-IncidentSlaCompliance {
    Write-Host "Checking SLA compliance for open incidents..." -ForegroundColor Cyan

    # Response SLAs from the Step 1 severity table, expressed in hours
    $slaThresholds = @{
        "Critical" = 0.25   # 15 minutes
        "High"     = 1      # 1 hour
        "Medium"   = 4      # 4 hours
        "Low"      = 24     # 24 hours
    }

    $openIncidents = @(Get-PnPListItem -List "AI Agent Incidents" -Query "<View><Query><Where><Neq><FieldRef Name='Status'/><Value Type='Text'>Closed</Value></Neq></Where></Query></View>")

    $slaBreaches = @()
    foreach ($incident in $openIncidents) {
        $severity     = $incident["Severity"]
        $reportedDate = [DateTime]$incident["ReportedDate"]
        $hoursOpen    = ((Get-Date) - $reportedDate).TotalHours
        $threshold    = $slaThresholds[$severity]

        # Skip items whose severity is not in the SLA table rather than comparing against $null
        if ($null -eq $threshold) {
            Write-Warning "Incident $($incident["IncidentID"]) has unknown severity '$severity'; no SLA applied"
            continue
        }

        if ($hoursOpen -gt $threshold) {
            $slaBreaches += [PSCustomObject]@{
                IncidentId   = $incident["IncidentID"]
                Severity     = $severity
                HoursOpen    = [math]::Round($hoursOpen, 1)
                SlaThreshold = $threshold
                BreachAmount = [math]::Round($hoursOpen - $threshold, 1)
            }
        }
    }

    if ($slaBreaches.Count -gt 0) {
        Write-Host "`n⚠️ SLA BREACHES DETECTED:" -ForegroundColor Red
        $slaBreaches | Format-Table -AutoSize
    }
    else {
        Write-Host "✅ All incidents within SLA" -ForegroundColor Green
    }

    return $slaBreaches
}

# ============================================================
# EXAMPLE USAGE
# ============================================================
Write-Host "=== Control 3.4: Incident Reporting and Root Cause Analysis ===" -ForegroundColor Magenta

# Create incident tracking list
# New-IncidentTrackingList

# Report new incident
# New-AgentIncident -Title "Customer data exposed in agent response" -Category "Privacy" -Severity "Critical" -AgentName "Account Inquiry Bot" -Description "Agent displayed another customer's account details" -RegulatoryImpact $true

# Update incident status
# Update-IncidentStatus -IncidentId "INC-2025-0115-123" -NewStatus "Closed" -RootCause "Session management bug allowed cross-user data leakage" -CorrectiveActions "Patched session handler; added data isolation checks"

# Generate metrics
# Get-IncidentMetrics -DaysBack 30

# Check SLA compliance
# Test-IncidentSlaCompliance

Write-Host "`nConfiguration script ready. Uncomment and run desired functions." -ForegroundColor Green
```
Financial Sector Considerations
Regulatory Requirements
| Regulation | Requirement | Threshold | Notification |
|---|---|---|---|
| GLBA 501(b) | Report security incidents affecting NPI | Customer data exposed | 72 hours to affected customers |
| SEC 17a-4 | Preserve incident records | All incidents | 6 years minimum |
| FINRA 4511 | Document operational events | Material incidents | Include in books and records |
| SOX 404 | Report control failures | Material weakness | Immediate to audit committee |
| FFIEC | Report cybersecurity incidents | System compromise | Report to primary regulator |
| State Breach Laws | Notify affected individuals | PII exposure | Varies by state (24-72 hours) |
Zone-Specific Configuration
| Zone | Incident Response | RCA Requirement | Retention |
|---|---|---|---|
| Zone 1 (Personal Productivity) | Standard (24h) | Optional for low severity | 3 years |
| Zone 2 (Team Collaboration) | Accelerated (4h) | Required for all | 5 years |
| Zone 3 (Enterprise Managed) | Immediate (15min) | Full RCA required | 7 years |
FSI Example: Critical Privacy Incident Response
```text
INCIDENT: Customer data exposed in agent response
SEVERITY: Critical (P1)
GOVERNANCE TIER: Tier 3 (Enterprise Managed)

TIMELINE:
├── T+0:00  - Incident detected by customer complaint
├── T+0:05  - Escalation to CISO/CCO initiated
├── T+0:15  - Agent suspended from production
├── T+0:30  - Initial scope assessment complete
├── T+1:00  - Affected customers identified (15)
├── T+4:00  - Root cause identified
├── T+24:00 - Fix deployed to production
├── T+48:00 - Customer notifications sent
└── T+72:00 - Regulatory notification filed (if required)

REGULATORY NOTIFICATIONS:
├── State AG: [Required per state breach law]
├── FINRA: [If customer assets affected]
├── OCC: [If bank charter]
└── SEC: [If investment adviser]
```
Verification & Testing
Verification Steps
- Incident Reporting Flow
  - Submit test incident through intake form
  - Verify notifications trigger correctly
  - Confirm assignment to investigator
- SLA Monitoring
  - Create test incidents at each severity level
  - Verify SLA timers activate
  - Confirm escalation triggers at breach
- RCA Process
  - Complete sample RCA document
  - Verify approval workflow
  - Confirm archive to permanent storage
- Metrics Dashboard
  - Review incident metrics
  - Verify calculations are accurate
  - Test drill-down to individual incidents
Compliance Checklist
| Item | Required For | Status |
|---|---|---|
| Incident tracking system operational | All regulations | ☐ |
| SLA monitoring configured | FFIEC, SOX 404 | ☐ |
| RCA template approved | Internal governance | ☐ |
| Escalation matrix documented | All regulations | ☐ |
| Regulatory notification thresholds defined | GLBA, State laws | ☐ |
| Incident records retained 6+ years | SEC 17a-4 | ☐ |
| Weekly incident review meetings | Best practice | ☐ |
Troubleshooting & Validation
Issue: Incidents Not Auto-Assigning
Symptoms: New incidents remain unassigned
Resolution:
- Check Power Automate flow is enabled
- Verify on-call assignment logic
- Confirm user accounts exist in lookup
- Check flow run history for errors
Issue: SLA Alerts Not Triggering
Symptoms: Overdue incidents not generating alerts
Resolution:
- Verify scheduled flow is running
- Check SLA threshold configuration
- Confirm email delivery settings
- Test with shorter SLA for validation
Issue: RCA Template Not Saving
Symptoms: Root cause analysis forms fail to save
Resolution:
- Check required field validation
- Verify user has Contribute permissions
- Ensure document library isn't locked
- Check for character limit issues
Issue: Regulatory Notification Workflow Not Triggering
Symptoms: Incidents with regulatory impact not flagged
Resolution:
- Verify RegulatoryImpact field is set correctly
- Check notification workflow conditions
- Confirm compliance team distribution list
- Test workflow with manual trigger
Additional Resources
- Microsoft Sentinel Incidents
- Power Automate Approval Workflows
- SharePoint List Management
- Microsoft 365 Audit Log Search
- Incident Response Planning
Related Controls
| Control | Relationship |
|---|---|
| 1.7 Audit Logging | Provides evidence for investigations |
| 1.8 Runtime Protection | Detects security incidents |
| 3.2 Usage Analytics | Identifies anomalies leading to incidents |
| 2.4 Business Continuity | Recovery procedures for major incidents |
| 3.3 Compliance Reporting | Includes incident summary in reports |
Support & Questions
For implementation support or questions about this control, contact:
- AI Governance Lead (governance direction)
- Compliance Officer (regulatory requirements)
- Technical Implementation Team (platform setup)
Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification