Incident response
IR-1 Incident Response Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  - An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
- Reviews and updates the current:
  - Incident response policy [Assignment: organization-defined frequency]; and
  - Incident response procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
IR-2 Incident Response Training
Description
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
- Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
- When required by information system changes; and
- [Assignment: organization-defined frequency] thereafter.
Control Information
Responsible role(s) - Organization
IR-2 (1) Simulated Events
Description
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
Control Information
Responsible role(s) - Organization
IR-2 (2) Automated Training Environments
Description
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
Control Information
Responsible role(s) - Organization
IR-3 Incident Response Testing
Description
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
Control Information
Responsible role(s) - Organization
IR-3 (1) Automated Testing
Description
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
Control Information
Responsible role(s) - Organization
IR-3 (2) Coordination With Related Plans
Description
The organization coordinates incident response testing with organizational elements responsible for related plans.
Control Information
Responsible role(s) - Organization
IR-4 Incident Handling
Description
The organization:
- Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
- Coordinates incident handling activities with contingency planning activities; and
- Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
Control Information
Responsible role(s) - Organization
IR-4 (1) Automated Incident Handling Processes
Description
The organization employs automated mechanisms to support the incident handling process.
Control Information
Responsible role(s) - Organization
IR-4 (2) Dynamic Reconfiguration
Description
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
Control Information
Responsible role(s) - Organization
IR-4 (3) Continuity Of Operations
Description
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
Control Information
Responsible role(s) - Organization
IR-4 (4) Information Correlation
Description
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Control Information
Responsible role(s) - Organization
IR-4 (5) Automatic Disabling Of Information System
Description
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
Control Information
Responsible role(s) - Organization
IR-4 (6) Insider Threats - Specific Capabilities
Description
The organization implements incident handling capability for insider threats.
Control Information
Responsible role(s) - Organization
IR-4 (7) Insider Threats - Intra-Organization Coordination
Description
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
Control Information
Responsible role(s) - Organization
IR-4 (8) Correlation With External Organizations
Description
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Control Information
Responsible role(s) - Organization
IR-4 (9) Dynamic Response Capability
Description
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
Control Information
Responsible role(s) - Organization
IR-4 (10) Supply Chain Coordination
Description
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
Control Information
Responsible role(s) - Organization
IR-5 Incident Monitoring
Description
The organization tracks and documents information system security incidents.
Control Information
Responsible role(s) - Organization
IR-5 (1) Automated Tracking / Data Collection / Analysis
Description
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
Control Information
Responsible role(s) - Organization
IR-6 Incident Reporting
Description
The organization:
- Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
- Reports security incident information to [Assignment: organization-defined authorities].
Control Information
Responsible role(s) - Organization
IR-6 (1) Automated Reporting
Description
The organization employs automated mechanisms to assist in the reporting of security incidents.
Control Information
Responsible role(s) - Organization
IR-6 (2) Vulnerabilities Related To Incidents
Description
The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles].
Control Information
Responsible role(s) - Organization
IR-6 (3) Coordination With Supply Chain
Description
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
Control Information
Responsible role(s) - Organization
IR-7 Incident Response Assistance
Description
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
Control Information
Responsible role(s) - Organization
IR-7 (1) Automation Support For Availability Of Information / Support
Description
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
Control Information
Responsible role(s) - Organization
IR-7 (2) Coordination With External Providers
Description
The organization:
- Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
- Identifies organizational incident response team members to the external providers.
Control Information
Responsible role(s) - Organization
IR-8 Incident Response Plan
Description
The organization:
- Develops an incident response plan that:
  - Provides the organization with a roadmap for implementing its incident response capability;
  - Describes the structure and organization of the incident response capability;
  - Provides a high-level approach for how the incident response capability fits into the overall organization;
  - Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  - Defines reportable incidents;
  - Provides metrics for measuring the incident response capability within the organization;
  - Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
  - Is reviewed and approved by [Assignment: organization-defined personnel or roles];
- Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
- Reviews the incident response plan [Assignment: organization-defined frequency];
- Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
- Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
- Protects the incident response plan from unauthorized disclosure and modification.
Control Information
Responsible role(s) - Organization
IR-9 Information Spillage Response
Description
The organization responds to information spills by:
- Identifying the specific information involved in the information system contamination;
- Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
- Isolating the contaminated information system or system component;
- Eradicating the information from the contaminated information system or component;
- Identifying other information systems or system components that may have been subsequently contaminated; and
- Performing other [Assignment: organization-defined actions].
Control Information
Responsible role(s) - Organization
IR-9 (1) Responsible Personnel
Description
The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
Control Information
Responsible role(s) - Organization
IR-9 (2) Training
Description
The organization provides information spillage response training [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
IR-9 (3) Post-Spill Operations
Description
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
Control Information
Responsible role(s) - Organization
IR-9 (4) Exposure To Unauthorized Personnel
Description
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
Control Information
Responsible role(s) - Organization
IR-10 Integrated Information Security Analysis Team
Description
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
Control Information
Responsible role(s) - Organization