Is there a documented incident process for attack-surface findings (with severity SLAs)?
Description
What this control does
This control requires a formal, documented incident response process tailored to security findings identified through attack surface management activities (external asset discovery, exposed service enumeration, vulnerability scanning of internet-facing assets). The process must define severity classifications and corresponding service-level agreements (SLAs) that set maximum timeframes for acknowledging, triaging, and remediating (or formally accepting) each finding according to its severity. This ensures that externally visible weaknesses, often the easiest path for an attacker, are triaged and remediated systematically rather than ad hoc, reducing the window of exploitability.
Control objective
What auditing this proves
Demonstrate that the organization maintains a documented incident response process specifically for attack surface findings, with measurable severity-based SLAs that govern response and remediation timelines.
Associated risks
Risks this control addresses
- Critical vulnerabilities on internet-facing assets remain unpatched beyond acceptable risk windows, enabling exploitation by opportunistic or targeted threat actors
- Inconsistent or delayed response to external exposure findings allows attackers to leverage reconnaissance data before defensive action is taken
- Lack of severity-based prioritization leads to misallocation of security resources, addressing low-risk findings while critical exposures persist
- Absence of documented SLAs prevents accountability and measurement, obscuring chronic response failures and organizational risk posture degradation
- Attack surface findings fall outside standard incident response workflows and are lost or ignored, creating blind spots in vulnerability management
- Regulatory or contractual breach due to failure to remediate known external vulnerabilities within mandated timeframes
- Reputational damage and loss of customer trust when publicly accessible security weaknesses are exploited after being identified but not remediated
Testing procedure
How an auditor verifies this control
- Request and review the documented incident response process or runbook specifically addressing attack surface management findings.
- Identify and document the severity classification scheme used for external findings (e.g., Critical, High, Medium, Low) and verify alignment with organizational risk appetite.
- Extract and record the defined SLAs for each severity level, including maximum time-to-acknowledge, time-to-triage, and time-to-remediate or to formally accept the risk, and note the point from which each clock starts (e.g., discovery by the scanner or creation of the ticket).
- Select a sample of 10-15 attack surface findings from the past 12 months spanning all severity categories, including findings that are still open and findings closed by risk acceptance, from the asset inventory, attack surface management tooling, or vulnerability management system.
- For each sampled finding, trace the timeline from discovery through acknowledgment, triage, and closure (remediation verified, or risk formally accepted by an authorized approver), recording actual elapsed times at each stage.
- Compare actual elapsed times against the documented SLAs to identify SLA breaches; treat an open finding whose age already exceeds its SLA as a breach, and flag any finding that lacks a severity classification, since no SLA governs it.
- Interview incident response and security operations personnel to confirm awareness of the process, understanding of SLAs, and adherence in practice.
- Review escalation procedures for SLA breaches or high-severity findings and validate evidence of escalation in at least two historical cases.
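To make the timeline comparison in the testing procedure above repeatable rather than a manual spreadsheet exercise, the following is an added worked example (not part of the original control text) that computes elapsed time per stage for a set of findings and flags SLA breaches, including open findings that have already aged past their SLA and findings with no severity classification. The SLA table, the Finding fields, and the sample findings are all assumed and constructed for illustration; an auditor would replace them with the organization's documented SLAs and an export from its ticketing or vulnerability management system.

```python
"""Hypothetical SLA-adherence check for attack-surface findings (added example).

Every SLA value and every finding below is constructed for illustration only.
All clocks are assumed to start at the discovery timestamp.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed SLA table in hours, each limit measured from discovery (illustrative values).
SLA_HOURS = {
    "critical": {"acknowledge": 4,      "triage": 24,      "close": 72},
    "high":     {"acknowledge": 24,     "triage": 72,      "close": 24 * 14},
    "medium":   {"acknowledge": 72,     "triage": 24 * 7,  "close": 24 * 45},
    "low":      {"acknowledge": 24 * 7, "triage": 24 * 14, "close": 24 * 90},
}
STAGES = ("acknowledge", "triage", "close")


@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: datetime
    acknowledged: Optional[datetime] = None
    triaged: Optional[datetime] = None
    closed: Optional[datetime] = None       # remediation verified or risk formally accepted
    closure_type: Optional[str] = None      # "remediated" | "risk_accepted"


def _stage_status(start, end, limit_hours, now):
    """Elapsed hours for one stage and whether it met, breached, or is still open."""
    if end is not None:
        elapsed = (end - start) / timedelta(hours=1)
        return elapsed, ("met" if elapsed <= limit_hours else "breached")
    elapsed = (now - start) / timedelta(hours=1)       # still open: age it against 'now'
    return elapsed, ("open_within_sla" if elapsed <= limit_hours else "open_breached")


def evaluate(finding: Finding, now: datetime) -> dict:
    """Per-stage SLA status for one finding; unclassified findings are a breach by definition."""
    sev = finding.severity.lower()
    if sev not in SLA_HOURS:
        return {"id": finding.finding_id, "severity": finding.severity,
                "error": "no SLA defined for this severity", "breached": True}
    ends = {"acknowledge": finding.acknowledged, "triage": finding.triaged, "close": finding.closed}
    stages = {}
    for name in STAGES:
        elapsed, status = _stage_status(finding.discovered, ends[name], SLA_HOURS[sev][name], now)
        stages[name] = {"elapsed_hours": round(elapsed, 1),
                        "limit_hours": SLA_HOURS[sev][name], "status": status}
    return {"id": finding.finding_id, "severity": sev, "closure_type": finding.closure_type,
            "stages": stages,
            "breached": any(s["status"] in ("breached", "open_breached") for s in stages.values())}


def summarize(findings, now: datetime) -> dict:
    """Breach counts overall and per severity, plus the ids an auditor should pull evidence for."""
    results = [evaluate(f, now) for f in findings]
    by_sev = {}
    for r in results:
        bucket = by_sev.setdefault(r["severity"], {"total": 0, "breached": 0})
        bucket["total"] += 1
        bucket["breached"] += int(r["breached"])
    return {"total": len(results), "breached": sum(r["breached"] for r in results),
            "breached_ids": [r["id"] for r in results if r["breached"]],
            "by_severity": by_sev, "results": results}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: the audit date and six hypothetical findings.
AUDIT_TIME = _ts("2024-06-01T00:00")
SAMPLE_FINDINGS = [
    Finding("F-001", "critical", _ts("2024-05-01T00:00"), _ts("2024-05-01T02:00"),
            _ts("2024-05-01T10:00"), _ts("2024-05-03T12:00"), "remediated"),
    Finding("F-002", "critical", _ts("2024-05-10T00:00"), _ts("2024-05-10T01:00"),
            _ts("2024-05-10T20:00"), _ts("2024-05-15T00:00"), "remediated"),   # closed late
    Finding("F-003", "high", _ts("2024-05-20T00:00"), _ts("2024-05-20T12:00")),  # never triaged
    Finding("F-004", "medium", _ts("2024-05-25T00:00"), _ts("2024-05-25T06:00"),
            _ts("2024-05-26T00:00"), _ts("2024-05-30T00:00"), "risk_accepted"),
    Finding("F-005", "low", _ts("2024-05-30T00:00")),                            # new, within SLA
    Finding("F-006", "informational", _ts("2024-05-28T00:00")),                  # no SLA governs it
]


def run_sample() -> dict:
    return summarize(SAMPLE_FINDINGS, AUDIT_TIME)


if __name__ == "__main__":
    report = run_sample()
    print(f"{report['breached']}/{report['total']} findings breached an SLA: {report['breached_ids']}")
    for sev, b in report["by_severity"].items():
        print(f"  {sev:14s} {b['breached']}/{b['total']} breached")
```

Risk-accepted closures count as closed for the clock, so the auditor still has to check the acceptance record separately (approver, rationale, expiry); the script only shows whether the decision was reached in time.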