IR - Incident Response
- Controls Count: 7
- Controls IDs: IR-1, IR-2, IR-4, IR-5, IR-6, IR-7, IR-8
Controls
IR-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level incident response policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
Designate an an official to manage the incident response policy and procedures is defined; to manage the development, documentation, and dissemination of the incident response policy and procedures; and
Review and update the current incident response:
Policy the frequency at which the current incident response policy is reviewed and updated is defined; and following events that would require the current incident response policy to be reviewed and updated are defined; ; and
Procedures the frequency at which the current incident response procedures are reviewed and updated is defined; and following events that would require the incident response procedures to be reviewed and updated are defined;.
Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
an incident response policy is developed and documented;
the incident response policy is disseminated to personnel or roles to whom the incident response policy is to be disseminated is/are defined;;
incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
the incident response procedures are disseminated to personnel or roles to whom the incident response procedures are to be disseminated is/are defined;;
the organization-level, mission/business process-level, and/or system-level incident response policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level incident response policy addresses scope;
the organization-level, mission/business process-level, and/or system-level incident response policy addresses roles;
the organization-level, mission/business process-level, and/or system-level incident response policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level incident response policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level incident response policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level incident response policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the an official to manage the incident response policy and procedures is defined; is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;
the current incident response policy is reviewed and updated the frequency at which the current incident response policy is reviewed and updated is defined;;
the current incident response policy is reviewed and updated following events that would require the current incident response policy to be reviewed and updated are defined;;
the current incident response procedures are reviewed and updated the frequency at which the current incident response procedures are reviewed and updated is defined;;
the current incident response procedures are reviewed and updated following events that would require the incident response procedures to be reviewed and updated are defined;.
Incident response policy and procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident response responsibilities
organizational personnel with information security and privacy responsibilities
IR-2: Incident Response Training
Provide incident response training to system users consistent with assigned roles and responsibilities:
Within a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined; of assuming an incident response role or responsibility or acquiring system access;
When required by system changes; and
frequency at which to provide incident response training to users is defined; thereafter; and
Review and update incident response training content frequency at which to review and update incident response training content is defined; and following events that initiate a review of the incident response training content are defined;.
Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3 . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
incident response training is provided to system users consistent with assigned roles and responsibilities within a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined; of assuming an incident response role or responsibility or acquiring system access;
incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
incident response training is provided to system users consistent with assigned roles and responsibilities frequency at which to provide incident response training to users is defined; thereafter;
incident response training content is reviewed and updated frequency at which to review and update incident response training content is defined;;
incident response training content is reviewed and updated following events that initiate a review of the incident response training content are defined;.
Incident response policy
procedures addressing incident response training
incident response training curriculum
incident response training materials
privacy plan
incident response plan
incident response training records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident response training and operational responsibilities
organizational personnel with information security and privacy responsibilities
IR-4: Incident Handling
Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
Coordinate incident handling activities with contingency planning activities;
Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.
an incident handling capability for incidents is implemented that is consistent with the incident response plan;
the incident handling capability for incidents includes preparation;
the incident handling capability for incidents includes detection and analysis;
the incident handling capability for incidents includes containment;
the incident handling capability for incidents includes eradication;
the incident handling capability for incidents includes recovery;
incident handling activities are coordinated with contingency planning activities;
lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
the changes resulting from the incorporated lessons learned are implemented accordingly;
the rigor of incident handling activities is comparable and predictable across the organization;
the intensity of incident handling activities is comparable and predictable across the organization;
the scope of incident handling activities is comparable and predictable across the organization;
the results of incident handling activities are comparable and predictable across the organization.
Incident response policy
contingency planning policy
procedures addressing incident handling
incident response plan
contingency plan
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident handling responsibilities
organizational personnel with contingency planning responsibilities
organizational personnel with information security and privacy responsibilities
Incident handling capability for the organization
IR-5: Incident Monitoring
Track and document incidents.
Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.
incidents are tracked;
incidents are documented.
Incident response policy
procedures addressing incident monitoring
incident response records and documentation
incident response plan
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident monitoring responsibilities
organizational personnel with information security and privacy responsibilities
Incident monitoring capability for the organization
mechanisms supporting and/or implementing the tracking and documenting of system security incidents
IR-6: Incident Reporting
Require personnel to report suspected incidents to the organizational incident response capability within time period for personnel to report suspected incidents to the organizational incident response capability is defined; ; and
Report incident information to authorities to whom incident information is to be reported are defined;.
The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.
personnel is/are required to report suspected incidents to the organizational incident response capability within time period for personnel to report suspected incidents to the organizational incident response capability is defined;;
incident information is reported to authorities to whom incident information is to be reported are defined;.
Incident response policy
procedures addressing incident reporting
incident reporting records and documentation
incident response plan
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident reporting responsibilities
organizational personnel with information security and privacy responsibilities
personnel who have/should have reported incidents
personnel (authorities) to whom incident information is to be reported
system users
Organizational processes for incident reporting
mechanisms supporting and/or implementing incident reporting
IR-7: Incident Response Assistance
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.
an incident response support resource, integral to the organizational incident response capability, is provided;
the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
Incident response policy
procedures addressing incident response assistance
incident response plan
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident response assistance and support responsibilities
organizational personnel with access to incident response support and assistance capability
organizational personnel with information security and privacy responsibilities
Organizational processes for incident response assistance
mechanisms supporting and/or implementing incident response assistance
IR-8: Incident Response Plan
Develop an incident response plan that:
Provides the organization with a roadmap for implementing its incident response capability;
Describes the structure and organization of the incident response capability;
Provides a high-level approach for how the incident response capability fits into the overall organization;
Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
Defines reportable incidents;
Provides metrics for measuring the incident response capability within the organization;
Defines the resources and management support needed to effectively maintain and mature an incident response capability;
Addresses the sharing of incident information;
Is reviewed and approved by personnel or roles that review and approve the incident response plan is/are identified; the frequency at which to review and approve the incident response plan is defined; ; and
Explicitly designates responsibility for incident response to entities, personnel, or roles with designated responsibility for incident response are defined;.
Distribute copies of the incident response plan to incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;;
Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements ; and
Protect the incident response plan from unauthorized disclosure and modification.
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.
an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
an incident response plan is developed that describes the structure and organization of the incident response capability;
an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
an incident response plan is developed that defines reportable incidents;
an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
an incident response plan is developed that addresses the sharing of incident information;
an incident response plan is developed that is reviewed and approved by personnel or roles that review and approve the incident response plan is/are identified; the frequency at which to review and approve the incident response plan is defined;;
an incident response plan is developed that explicitly designates responsibility for incident response to entities, personnel, or roles with designated responsibility for incident response are defined;.
copies of the incident response plan are distributed to incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;;
copies of the incident response plan are distributed to organizational elements to which copies of the incident response plan are to be distributed are defined;;
the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
incident response plan changes are communicated to incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;;
incident response plan changes are communicated to organizational elements to which changes to the incident response plan are communicated are defined;;
the incident response plan is protected from unauthorized disclosure;
the incident response plan is protected from unauthorized modification.
Incident response policy
procedures addressing incident response planning
incident response plan
system security plan
privacy plan
records of incident response plan reviews and approvals
other relevant documents or records
Organizational personnel with incident response planning responsibilities
organizational personnel with information security and privacy responsibilities
Organizational incident response plan and related organizational processes