Cybersecurity incident responses are coordinated with vendors, law enforcement, and other external entities as appropriate, including support for evidence collection and preservation.
Context and Guidance: An event may become an organisational incident that has the potential to be a violation of local, state, or federal rules, laws, and regulations. This is often not known early in the investigation of an event, so the organisation must be vigilant in ensuring that all event and incident evidence is handled properly in case an eventual legal issue, civil or criminal, is raised. To properly collect, document, and preserve evidence, the organisation must have processes for these activities, and the processes must be known to all staff who are involved in any aspect of the incident life cycle. Because it is unpredictable whether an event or incident will result in legal action, an organisation must also consider early involvement of legal and possibly law enforcement staff in the incident identification and analysis process to avoid problems with evidence retention, destruction, and tampering. Note that "other external entities" may include third parties such as cloud resource providers.