IR - Incident Response
- Controls Count: 5
- Controls IDs: IR-2 (1), IR-2 (2), IR-4 (4), IR-4 (11), IR-5 (1)
Controls
IR-2 (1): Simulated Events
Control: Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
Discussion: Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.
Assessment objective:
- simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.
Examine:
- incident response policy
- procedures addressing incident response training
- incident response training curriculum
- incident response training materials
- incident response plan
- system security plan
- privacy plan
- other relevant documents or records
Interview:
- organizational personnel with incident response training and operational responsibilities
- organizational personnel with information security and privacy responsibilities
Test:
- mechanisms that support and/or implement simulated events for incident response training
IR-2 (2): Automated Training Environments
Control: Provide an incident response training environment using organization-defined automated mechanisms.
Discussion: Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability.
Assessment objective:
- an incident response training environment is provided using organization-defined automated mechanisms.
Examine:
- incident response policy
- procedures addressing incident response training
- incident response training curriculum
- incident response training materials
- automated mechanisms supporting incident response training
- incident response plan
- system security plan
- privacy plan
- other relevant documents or records
Interview:
- organizational personnel with incident response training and operational responsibilities
- organizational personnel with information security and privacy responsibilities
Test:
- automated mechanisms that provide a thorough and realistic incident response training environment
IR-4 (4): Information Correlation
Control: Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Discussion: Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.
Assessment objective:
- incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.
Examine:
- incident response policy
- procedures addressing incident handling
- incident response plan
- privacy plan
- mechanisms supporting incident and event correlation
- system design documentation
- system configuration settings and associated documentation
- system security plan
- incident management correlation logs
- event management correlation logs
- security information and event management logs
- incident management correlation reports
- event management correlation reports
- security information and event management reports
- audit records
- other relevant documents or records
Interview:
- organizational personnel with incident handling responsibilities
- organizational personnel with information security and privacy responsibilities
- organizational personnel with whom incident information and individual incident responses are to be correlated
Test:
- organizational processes for correlating incident information and individual incident responses
- mechanisms that support and/or implement the correlation of incident response information with individual incident responses
IR-4 (11): Integrated Incident Response Team
Control: Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization within the organization-defined time period.
Discussion: An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.
An integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient.
Assessment objectives:
- an integrated incident response team is established and maintained;
- the integrated incident response team can be deployed to any location identified by the organization within the organization-defined time period.
Examine:
- incident response policy
- procedures addressing incident handling
- procedures addressing incident response planning
- incident response plan
- system security plan
- privacy plan
- other relevant documents or records
Interview:
- organizational personnel with incident handling responsibilities
- organizational personnel with information security and privacy responsibilities
- members of the integrated incident response team
IR-5 (1): Automated Tracking, Data Collection, and Analysis
Control: Track incidents and collect and analyze incident information using organization-defined automated mechanisms.
Discussion: Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices.
Assessment objectives:
- incidents are tracked using organization-defined automated mechanisms;
- incident information is collected using organization-defined automated mechanisms;
- incident information is analyzed using organization-defined automated mechanisms.
Examine:
- incident response policy
- procedures addressing incident monitoring
- incident response records and documentation
- system security plan
- incident response plan
- other relevant documents or records
Interview:
- organizational personnel with incident monitoring responsibilities
- organizational personnel with information security responsibilities
Test:
- incident monitoring capability for the organization
- automated mechanisms supporting and/or implementing the tracking and documenting of system security incidents