Documented response plan for account takeover
Demonstrate that the organization maintains a documented, tested, and regularly updated incident response plan specifically addressing account takeover scenarios with clearly defined detection, containment, eradication, and recovery procedures.
Description
What this control does
This control requires the organization to maintain a documented, approved incident response plan specifically addressing account takeover (ATO) scenarios. The plan must define roles, responsibilities, detection criteria, containment procedures, communication protocols, and recovery steps when user accounts are compromised through credential theft, session hijacking, or unauthorized access. A specialized ATO response plan ensures rapid, coordinated action to limit attacker dwell time, prevent lateral movement, and restore legitimate user access while preserving forensic evidence.
Control objective
What auditing this proves
Demonstrate that the organization maintains a documented, tested, and regularly updated incident response plan specifically addressing account takeover scenarios with clearly defined detection, containment, eradication, and recovery procedures.
Associated risks
Risks this control addresses
- Delayed detection of account takeover allows attackers extended access to sensitive data and systems
- Inconsistent or ad hoc response to compromised accounts results in incomplete containment and persistent attacker access
- Failure to preserve forensic evidence during account takeover response prevents root cause analysis and legal action
- Lack of defined communication protocols during ATO incidents leads to delayed notification of affected users and regulatory bodies
- Inadequate coordination between security, IT operations, and business units during response allows lateral movement to additional accounts
- Absence of account recovery procedures causes extended service disruption for legitimate users following takeover
- Unplanned response actions without documented procedures introduce errors that worsen security posture or destroy evidence
Testing procedure
How an auditor verifies this control
- Request and obtain the current version of the documented account takeover incident response plan, including version number and approval date.
- Verify the plan includes specific detection criteria and indicators of compromise for account takeover scenarios, including anomalous login patterns, geographical inconsistencies, and privilege escalation.
- Review documented roles and responsibilities to confirm assignment of specific personnel or teams for ATO detection, analysis, containment, eradication, and recovery activities.
- Examine containment procedures to verify they include immediate steps such as session termination, credential reset, MFA enforcement, and account suspension with appropriate escalation thresholds.
- Confirm the plan specifies communication and notification requirements, including timelines for user notification, management escalation, legal consultation, and regulatory reporting where applicable.
- Review evidence preservation and forensic collection procedures to ensure they address authentication logs, access logs, session data, and system snapshots relevant to ATO investigations.
- Obtain records of plan testing or tabletop exercises conducted within the past 12 months that specifically simulated account takeover scenarios, including participant lists and lessons learned.
- Interview incident response team members to validate their familiarity with ATO-specific procedures and verify the plan has been communicated and is accessible during actual incidents.
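The detection criteria and containment steps the auditor checks for above (anomalous login patterns, geographical inconsistencies, privilege escalation; session termination, credential reset, MFA enforcement, account suspension with escalation thresholds) are easier to assess when they exist as concrete, testable rules rather than prose. The following Python is an added example written for this page, not code from the page's author or from any product: it triages a small set of constructed authentication events against those three indicator classes and maps each hit to the containment actions a plan might prescribe. The event schema, the geolocation fields, every threshold, the action names and the sample IP addresses (documentation ranges) are assumptions.

```python
# Added example: ATO indicator triage over constructed auth events.
# Schema, thresholds, action names and sample data are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    action: str      # assumed values: login_ok, login_fail, role_change
    ip: str
    lat: float       # source-IP geolocation, assumed to come from the identity provider
    lon: float
    detail: str = ""


# Thresholds are illustrative assumptions; a real plan tunes them to the organization.
MAX_PLAUSIBLE_KMH = 900.0                  # faster than this between logins = impossible travel
NEW_LOCATION_KM = 1000.0                   # a login this far from the last one is a "new location"
FAIL_BURST = 5                             # failures within FAIL_WINDOW before a success
FAIL_WINDOW = timedelta(minutes=10)
ESCALATION_WINDOW = timedelta(minutes=30)  # privilege change this soon after a new-location login

# Indicator -> (severity, containment steps). Action names are hypothetical labels.
PLAYBOOK = {
    "impossible_travel": ("high", ["terminate_sessions", "force_credential_reset", "require_mfa"]),
    "failure_burst_then_success": ("medium", ["terminate_sessions", "require_mfa"]),
    "privilege_change_after_new_location": (
        "critical",
        ["terminate_sessions", "force_credential_reset", "suspend_account", "escalate_to_ir_lead"],
    ),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_ato_indicators(events):
    """Return one alert per indicator hit, carrying the evidence an analyst must preserve."""
    alerts = []
    last_ok = {}                        # user -> last successful login event
    new_location_at = {}                # user -> time of last login classed as a new location
    recent_fails = defaultdict(deque)   # user -> timestamps of failures inside FAIL_WINDOW

    def raise_alert(user, indicator, evidence):
        severity, actions = PLAYBOOK[indicator]
        alerts.append({"user": user, "indicator": indicator, "severity": severity,
                       "actions": actions, "evidence": evidence})

    for ev in sorted(events, key=lambda e: e.ts):
        fails = recent_fails[ev.user]
        while fails and ev.ts - fails[0] > FAIL_WINDOW:   # expire old failures
            fails.popleft()
        if ev.action == "login_fail":
            fails.append(ev.ts)
        elif ev.action == "login_ok":
            if len(fails) >= FAIL_BURST:   # anomalous login pattern: burst of failures, then success
                raise_alert(ev.user, "failure_burst_then_success",
                            {"failures": len(fails), "ip": ev.ip, "ts": ev.ts.isoformat()})
            fails.clear()
            prev = last_ok.get(ev.user)
            if prev is not None:           # geographical inconsistency against the previous login
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                hours = (ev.ts - prev.ts).total_seconds() / 3600
                # Zero elapsed time with non-zero distance counts as infinite speed.
                kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
                if kmh > MAX_PLAUSIBLE_KMH:
                    raise_alert(ev.user, "impossible_travel",
                                {"from_ip": prev.ip, "to_ip": ev.ip, "km": round(km),
                                 "kmh": round(kmh), "ts": ev.ts.isoformat()})
                if km > NEW_LOCATION_KM:
                    new_location_at[ev.user] = ev.ts
            last_ok[ev.user] = ev
        elif ev.action == "role_change":   # privilege escalation shortly after a new-location login
            seen = new_location_at.get(ev.user)
            if seen is not None and ev.ts - seen <= ESCALATION_WINDOW:
                raise_alert(ev.user, "privilege_change_after_new_location",
                            {"change": ev.detail, "login_ts": seen.isoformat(), "ts": ev.ts.isoformat()})
    return alerts


def indicators_by_user(alerts):
    """Group indicator names per user (sorted) for a summary view."""
    out = defaultdict(list)
    for a in alerts:
        out[a["user"]].append(a["indicator"])
    return {u: sorted(v) for u, v in out.items()}


def _t(hhmm):
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00")


BERLIN, SAO_PAULO, MUNICH = (52.52, 13.405), (-23.55, -46.63), (48.137, 11.575)
SAMPLE_EVENTS = [  # constructed events; IPs are from RFC 5737 documentation ranges
    AuthEvent(_t("09:00"), "alice", "login_ok", "203.0.113.10", *BERLIN),
    AuthEvent(_t("09:40"), "alice", "login_ok", "198.51.100.7", *SAO_PAULO),
    AuthEvent(_t("09:50"), "alice", "role_change", "198.51.100.7", *SAO_PAULO, "added to group: admins"),
    *[AuthEvent(_t(f"10:0{m}"), "bob", "login_fail", "192.0.2.44", *BERLIN) for m in range(6)],
    AuthEvent(_t("10:06"), "bob", "login_ok", "192.0.2.44", *BERLIN),
    AuthEvent(_t("11:00"), "carol", "login_ok", "203.0.113.21", *BERLIN),
    AuthEvent(_t("13:00"), "carol", "login_ok", "203.0.113.22", *MUNICH),  # ~500 km in 2 h: plausible
]

if __name__ == "__main__":
    for alert in detect_ato_indicators(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["indicator"], alert["actions"])
```

Run as-is, the block flags alice for impossible travel (Berlin to São Paulo in 40 minutes) and for a group change ten minutes after that new-location login, flags bob for a burst of failures followed by a success, and leaves carol's Berlin-to-Munich pair alone because the implied speed is plausible. The `evidence` dictionary on each alert is deliberately the material the plan's forensic section asks to preserve (source IPs, timestamps, the change made), and the severity field is where an escalation threshold (for example, `critical` pages the IR lead) would attach.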