Incident response

IR-1 Incident Response Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
  2. Reviews and updates the current:
    1. Incident response policy [Assignment: organization-defined frequency]; and
    2. Incident response procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

IR-2 Incident Response Training

Description

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

  1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
  2. When required by information system changes; and
  3. [Assignment: organization-defined frequency] thereafter.

Control Information

Responsible role(s) - Organization

IR-2 (1) Simulated Events

Description

The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

Control Information

Responsible role(s) - Organization

IR-2 (2) Automated Training Environments

Description

The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

Control Information

Responsible role(s) - Organization

IR-3 Incident Response Testing

Description

The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

Control Information

Responsible role(s) - Organization

IR-3 (1) Automated Testing

Description

The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.

Control Information

Responsible role(s) - Organization

IR-3 (2) Coordination With Related Plans

Description

The organization coordinates incident response testing with organizational elements responsible for related plans.

Control Information

Responsible role(s) - Organization

IR-4 Incident Handling

Description

The organization:

  1. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  2. Coordinates incident handling activities with contingency planning activities; and
  3. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Control Information

Responsible role(s) - Organization

IR-4 (1) Automated Incident Handling Processes

Description

The organization employs automated mechanisms to support the incident handling process.

Control Information

Responsible role(s) - Organization

IR-4 (2) Dynamic Reconfiguration

Description

The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.

Control Information

Responsible role(s) - Organization

IR-4 (3) Continuity Of Operations

Description

The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.

Control Information

Responsible role(s) - Organization

IR-4 (4) Information Correlation

Description

The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

Control Information

Responsible role(s) - Organization

IR-4 (5) Automatic Disabling Of Information System

Description

The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.

Control Information

Responsible role(s) - Organization

IR-4 (6) Insider Threats - Specific Capabilities

Description

The organization implements incident handling capability for insider threats.

Control Information

Responsible role(s) - Organization

IR-4 (7) Insider Threats - Intra-Organization Coordination

Description

The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].

Control Information

Responsible role(s) - Organization

IR-4 (8) Correlation With External Organizations

Description

The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.

Control Information

Responsible role(s) - Organization

IR-4 (9) Dynamic Response Capability

Description

The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.

Control Information

Responsible role(s) - Organization

IR-4 (10) Supply Chain Coordination

Description

The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.

Control Information

Responsible role(s) - Organization

IR-5 Incident Monitoring

Description

The organization tracks and documents information system security incidents.

Control Information

Responsible role(s) - Organization

IR-5 (1) Automated Tracking / Data Collection / Analysis

Description

The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

Control Information

Responsible role(s) - Organization

IR-6 Incident Reporting

Description

The organization:

  1. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
  2. Reports security incident information to [Assignment: organization-defined authorities].

Control Information

Responsible role(s) - Organization

IR-6 (1) Automated Reporting

Description

The organization employs automated mechanisms to assist in the reporting of security incidents.

Control Information

Responsible role(s) - Organization

IR-6 (2) Vulnerabilities Related To Incidents

Description

The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

IR-6 (3) Coordination With Supply Chain

Description

The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.

Control Information

Responsible role(s) - Organization

IR-7 Incident Response Assistance

Description

The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

Control Information

Responsible role(s) - Organization

IR-7 (1) Automation Support For Availability Of Information / Support

Description

The organization employs automated mechanisms to increase the availability of incident response-related information and support.

Control Information

Responsible role(s) - Organization

IR-7 (2) Coordination With External Providers

Description

The organization:

  1. Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
  2. Identifies organizational incident response team members to the external providers.

Control Information

Responsible role(s) - Organization

IR-8 Incident Response Plan

Description

The organization:

  1. Develops an incident response plan that:
    1. Provides the organization with a roadmap for implementing its incident response capability;
    2. Describes the structure and organization of the incident response capability;
    3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    5. Defines reportable incidents;
    6. Provides metrics for measuring the incident response capability within the organization;
    7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
    8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
  2. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
  3. Reviews the incident response plan [Assignment: organization-defined frequency];
  4. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
  5. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
  6. Protects the incident response plan from unauthorized disclosure and modification.

Control Information

Responsible role(s) - Organization

IR-9 Information Spillage Response

Description

The organization responds to information spills by:

  1. Identifying the specific information involved in the information system contamination;
  2. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
  3. Isolating the contaminated information system or system component;
  4. Eradicating the information from the contaminated information system or component;
  5. Identifying other information systems or system components that may have been subsequently contaminated; and
  6. Performing other [Assignment: organization-defined actions].

Control Information

Responsible role(s) - Organization

IR-9 (1) Responsible Personnel

Description

The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.

Control Information

Responsible role(s) - Organization

IR-9 (2) Training

Description

The organization provides information spillage response training [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

IR-9 (3) Post-Spill Operations

Description

The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

Control Information

Responsible role(s) - Organization

IR-9 (4) Exposure To Unauthorized Personnel

Description

The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.

Control Information

Responsible role(s) - Organization

IR-10 Integrated Information Security Analysis Team

Description

The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.

Control Information

Responsible role(s) - Organization