IR - Incident Response

  • Controls Count: 18
  • Controls IDs: IR-1, IR-2, IR-2 (1), IR-2 (2), IR-3, IR-3 (2), IR-4, IR-4 (1), IR-4 (4), IR-4 (11), IR-5, IR-5 (1), IR-6, IR-6 (1), IR-6 (3), IR-7, IR-7 (1), IR-8

Controls

IR-1: Policy and Procedures

Develop, document, and disseminate to organization-defined personnel or roles:

organization-level, mission/business process-level, and/or system-level incident response policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the incident response policy and procedures; and

Review and update the current incident response:

Policy at an organization-defined frequency and following organization-defined events; and

Procedures at an organization-defined frequency and following organization-defined events.

Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

an incident response policy is developed and documented;

the incident response policy is disseminated to organization-defined personnel or roles;

incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;

the incident response procedures are disseminated to organization-defined personnel or roles;

the organization-level, mission/business process-level, and/or system-level incident response policy addresses purpose;

the organization-level, mission/business process-level, and/or system-level incident response policy addresses scope;

the organization-level, mission/business process-level, and/or system-level incident response policy addresses roles;

the organization-level, mission/business process-level, and/or system-level incident response policy addresses responsibilities;

the organization-level, mission/business process-level, and/or system-level incident response policy addresses management commitment;

the organization-level, mission/business process-level, and/or system-level incident response policy addresses coordination among organizational entities;

the organization-level, mission/business process-level, and/or system-level incident response policy addresses compliance;

the organization-level, mission/business process-level, and/or system-level incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

an organization-defined official is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;

the current incident response policy is reviewed and updated at an organization-defined frequency;

the current incident response policy is reviewed and updated following organization-defined events;

the current incident response procedures are reviewed and updated at an organization-defined frequency;

the current incident response procedures are reviewed and updated following organization-defined events.

Incident response policy and procedures

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident response responsibilities

organizational personnel with information security and privacy responsibilities

IR-2: Incident Response Training

Provide incident response training to system users consistent with assigned roles and responsibilities:

Within an organization-defined time period of assuming an incident response role or responsibility or acquiring system access;

When required by system changes; and

At an organization-defined frequency thereafter; and

Review and update incident response training content at an organization-defined frequency and following organization-defined events.

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

incident response training is provided to system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming an incident response role or responsibility or acquiring system access;

incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

incident response training is provided to system users consistent with assigned roles and responsibilities at an organization-defined frequency thereafter;

incident response training content is reviewed and updated at an organization-defined frequency;

incident response training content is reviewed and updated following organization-defined events.

Incident response policy

procedures addressing incident response training

incident response training curriculum

incident response training materials

privacy plan

incident response plan

incident response training records

system security plan

other relevant documents or records

Organizational personnel with incident response training and operational responsibilities

organizational personnel with information security and privacy responsibilities

IR-2 (1): Simulated Events

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.

simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.

Incident response policy

procedures addressing incident response training

incident response training curriculum

incident response training materials

incident response plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident response training and operational responsibilities

organizational personnel with information security and privacy responsibilities

Mechanisms that support and/or implement simulated events for incident response training

IR-2 (2): Automated Training Environments

Provide an incident response training environment using organization-defined automated mechanisms.

Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability.

an incident response training environment is provided using organization-defined automated mechanisms.

Incident response policy

procedures addressing incident response training

incident response training curriculum

incident response training materials

automated mechanisms supporting incident response training

incident response plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident response training and operational responsibilities

organizational personnel with information security and privacy responsibilities

Automated mechanisms that provide a thorough and realistic incident response training environment

IR-3: Incident Response Testing

Test the effectiveness of the incident response capability for the system at an organization-defined frequency using organization-defined tests.

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

the effectiveness of the incident response capability for the system is tested at an organization-defined frequency using organization-defined tests.

Incident response policy

contingency planning policy

procedures addressing incident response testing

procedures addressing contingency plan testing

incident response testing material

incident response test results

incident response test plan

incident response plan

contingency plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident response testing responsibilities

organizational personnel with information security and privacy responsibilities

IR-3 (2): Coordination with Related Plans

Coordinate incident response testing with organizational elements responsible for related plans.

Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans.

incident response testing is coordinated with organizational elements responsible for related plans.

Incident response policy

contingency planning policy

procedures addressing incident response testing

incident response testing documentation

incident response plan

business continuity plans

contingency plans

disaster recovery plans

continuity of operations plans

crisis communications plans

critical infrastructure plans

occupant emergency plans

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident response testing responsibilities

organizational personnel with responsibilities for testing organizational plans related to incident response testing

organizational personnel with information security and privacy responsibilities

IR-4: Incident Handling

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

Coordinate incident handling activities with contingency planning activities;

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.

an incident handling capability for incidents is implemented that is consistent with the incident response plan;

the incident handling capability for incidents includes preparation;

the incident handling capability for incidents includes detection and analysis;

the incident handling capability for incidents includes containment;

the incident handling capability for incidents includes eradication;

the incident handling capability for incidents includes recovery;

incident handling activities are coordinated with contingency planning activities;

lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;

the changes resulting from the incorporated lessons learned are implemented accordingly;

the rigor of incident handling activities is comparable and predictable across the organization;

the intensity of incident handling activities is comparable and predictable across the organization;

the scope of incident handling activities is comparable and predictable across the organization;

the results of incident handling activities are comparable and predictable across the organization.

Incident response policy

contingency planning policy

procedures addressing incident handling

incident response plan

contingency plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident handling responsibilities

organizational personnel with contingency planning responsibilities

organizational personnel with information security and privacy responsibilities

Incident handling capability for the organization

IR-4 (1): Automated Incident Handling Processes

Support the incident handling process using organization-defined automated mechanisms.

Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.

the incident handling process is supported using organization-defined automated mechanisms.

Incident response policy

procedures addressing incident handling

automated mechanisms supporting incident handling

system design documentation

system configuration settings and associated documentation

system audit records

incident response plan

system security plan

other relevant documents or records

Organizational personnel with incident handling responsibilities

organizational personnel with information security responsibilities

Automated mechanisms that support and/or implement the incident handling process

IR-4 (4): Information Correlation

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.

incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.

Incident response policy

procedures addressing incident handling

incident response plan

privacy plan

mechanisms supporting incident and event correlation

system design documentation

system configuration settings and associated documentation

system security plan

incident management correlation logs

event management correlation logs

security information and event management logs

incident management correlation reports

event management correlation reports

security information and event management reports

audit records

other relevant documents or records

Organizational personnel with incident handling responsibilities

organizational personnel with information security and privacy responsibilities

organizational personnel with whom incident information and individual incident responses are to be correlated

Organizational processes for correlating incident information and individual incident responses

mechanisms that support and/or implement the correlation of incident response information with individual incident responses

IR-4 (11): Integrated Incident Response Team

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization within an organization-defined time period.

An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.

An integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient.

an integrated incident response team is established and maintained;

the integrated incident response team can be deployed to any location identified by the organization within an organization-defined time period.

Incident response policy

procedures addressing incident handling

procedures addressing incident response planning

incident response plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident handling responsibilities

organizational personnel with information security and privacy responsibilities

members of the integrated incident response team

IR-5: Incident Monitoring

Track and document incidents.

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

incidents are tracked;

incidents are documented.

Incident response policy

procedures addressing incident monitoring

incident response records and documentation

incident response plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident monitoring responsibilities

organizational personnel with information security and privacy responsibilities

Incident monitoring capability for the organization

mechanisms supporting and/or implementing the tracking and documenting of system security incidents

IR-5 (1): Automated Tracking, Data Collection, and Analysis

Track incidents and collect and analyze incident information using organization-defined automated mechanisms.

Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices.

incidents are tracked using organization-defined automated mechanisms;

incident information is collected using organization-defined automated mechanisms;

incident information is analyzed using organization-defined automated mechanisms.

Incident response policy

procedures addressing incident monitoring

incident response records and documentation

system security plan

incident response plan

other relevant documents or records

Organizational personnel with incident monitoring responsibilities

organizational personnel with information security responsibilities

Incident monitoring capability for the organization

automated mechanisms supporting and/or implementing the tracking and documenting of system security incidents

IR-6: Incident Reporting

Require personnel to report suspected incidents to the organizational incident response capability within an organization-defined time period; and

Report incident information to organization-defined authorities.

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

personnel are required to report suspected incidents to the organizational incident response capability within an organization-defined time period;

incident information is reported to organization-defined authorities.

Incident response policy

procedures addressing incident reporting

incident reporting records and documentation

incident response plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident reporting responsibilities

organizational personnel with information security and privacy responsibilities

personnel who have/should have reported incidents

personnel (authorities) to whom incident information is to be reported

system users

Organizational processes for incident reporting

mechanisms supporting and/or implementing incident reporting

IR-6 (1): Automated Reporting

Report incidents using organization-defined automated mechanisms.

The recipients of incident reports are specified in IR-6b. Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.

incidents are reported using organization-defined automated mechanisms.

Incident response policy

procedures addressing incident reporting

automated mechanisms supporting incident reporting

system design documentation

system configuration settings and associated documentation

incident response plan

system security plan

other relevant documents or records

Organizational personnel with incident reporting responsibilities

organizational personnel with information security responsibilities

Organizational processes for incident reporting

automated mechanisms supporting and/or implementing the reporting of security incidents

IR-6 (3): Supply Chain Coordination

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.

incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

Incident response policy

procedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council

acquisition policy

acquisition contracts

service-level agreements

incident response plan

supply chain risk management plan

system security plan

plans of other organizations involved in supply chain activities

other relevant documents or records

Organizational personnel with incident reporting responsibilities

organizational personnel with information security responsibilities

organizational personnel with supply chain risk management responsibilities

organizational personnel with acquisition responsibilities

Organizational processes for incident reporting

organizational processes for supply chain risk information sharing

mechanisms supporting and/or implementing the reporting of incident information involved in the supply chain

IR-7: Incident Response Assistance

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

an incident response support resource, integral to the organizational incident response capability, is provided;

the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.

Incident response policy

procedures addressing incident response assistance

incident response plan

system security plan

privacy plan

other relevant documents or records

Organizational personnel with incident response assistance and support responsibilities

organizational personnel with access to incident response support and assistance capability

organizational personnel with information security and privacy responsibilities

Organizational processes for incident response assistance

mechanisms supporting and/or implementing incident response assistance

IR-7 (1): Automation Support for Availability of Information and Support

Increase the availability of incident response information and support using organization-defined automated mechanisms.

Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

the availability of incident response information and support is increased using organization-defined automated mechanisms.

Incident response policy

procedures addressing incident response assistance

automated mechanisms supporting incident response support and assistance

system design documentation

system configuration settings and associated documentation

incident response plan

system security plan

other relevant documents or records

Organizational personnel with incident response support and assistance responsibilities

organizational personnel with access to incident response support and assistance capability

organizational personnel with information security responsibilities

Organizational processes for incident response assistance

automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

IR-8: Incident Response Plan

Develop an incident response plan that:

Provides the organization with a roadmap for implementing its incident response capability;

Describes the structure and organization of the incident response capability;

Provides a high-level approach for how the incident response capability fits into the overall organization;

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

Defines reportable incidents;

Provides metrics for measuring the incident response capability within the organization;

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

Addresses the sharing of incident information;

Is reviewed and approved by organization-defined personnel or roles at an organization-defined frequency; and

Explicitly designates responsibility for incident response to organization-defined entities, personnel, or roles.

Distribute copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

Protect the incident response plan from unauthorized disclosure and modification.

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;

an incident response plan is developed that describes the structure and organization of the incident response capability;

an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;

an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;

an incident response plan is developed that defines reportable incidents;

an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;

an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;

an incident response plan is developed that addresses the sharing of incident information;

an incident response plan is developed that is reviewed and approved by organization-defined personnel or roles at an organization-defined frequency;

an incident response plan is developed that explicitly designates responsibility for incident response to organization-defined entities, personnel, or roles;

copies of the incident response plan are distributed to organization-defined incident response personnel (identified by name and/or by role);

copies of the incident response plan are distributed to organization-defined organizational elements;

the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

incident response plan changes are communicated to organization-defined incident response personnel (identified by name and/or by role);

incident response plan changes are communicated to organization-defined organizational elements;

the incident response plan is protected from unauthorized disclosure;

the incident response plan is protected from unauthorized modification.

Incident response policy

procedures addressing incident response planning

incident response plan

system security plan

privacy plan

records of incident response plan reviews and approvals

other relevant documents or records

Organizational personnel with incident response planning responsibilities

organizational personnel with information security and privacy responsibilities

Organizational incident response plan and related organizational processes