IR - Incident Response
- Controls Count: 6
- Controls IDs: IR-3, IR-3 (2), IR-4 (1), IR-6 (1), IR-6 (3), IR-7 (1)
Controls
IR-3: Incident Response Testing
Test the effectiveness of the incident response capability for the system [frequency at which to test the effectiveness of the incident response capability for the system is defined] using the following tests: [tests used to test the effectiveness of the incident response capability for the system are defined].
Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.
the effectiveness of the incident response capability for the system is tested [frequency at which to test the effectiveness of the incident response capability for the system is defined] using [tests used to test the effectiveness of the incident response capability for the system are defined].
Incident response policy
contingency planning policy
procedures addressing incident response testing
procedures addressing contingency plan testing
incident response testing material
incident response test results
incident response test plan
incident response plan
contingency plan
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident response testing responsibilities
organizational personnel with information security and privacy responsibilities
IR-3 (2): Coordination with Related Plans
Coordinate incident response testing with organizational elements responsible for related plans.
Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans.
incident response testing is coordinated with organizational elements responsible for related plans.
Incident response policy
contingency planning policy
procedures addressing incident response testing
incident response testing documentation
incident response plan
business continuity plans
contingency plans
disaster recovery plans
continuity of operations plans
crisis communications plans
critical infrastructure plans
occupant emergency plans
system security plan
privacy plan
other relevant documents or records
Organizational personnel with incident response testing responsibilities
organizational personnel with responsibilities for testing organizational plans related to incident response testing
organizational personnel with information security and privacy responsibilities
IR-4 (1): Automated Incident Handling Processes
Support the incident handling process using [automated mechanisms used to support the incident handling process are defined].
Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.
the incident handling process is supported using [automated mechanisms used to support the incident handling process are defined].
Incident response policy
procedures addressing incident handling
automated mechanisms supporting incident handling
system design documentation
system configuration settings and associated documentation
system audit records
incident response plan
system security plan
other relevant documents or records
Organizational personnel with incident handling responsibilities
organizational personnel with information security responsibilities
Automated mechanisms that support and/or implement the incident handling process
IR-6 (1): Automated Reporting
Report incidents using [automated mechanisms used for reporting incidents are defined].
The recipients of incident reports are specified in IR-6b. Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.
incidents are reported using [automated mechanisms used for reporting incidents are defined].
Incident response policy
procedures addressing incident reporting
automated mechanisms supporting incident reporting
system design documentation
system configuration settings and associated documentation
incident response plan
system security plan
other relevant documents or records
Organizational personnel with incident reporting responsibilities
organizational personnel with information security responsibilities
Organizational processes for incident reporting
automated mechanisms supporting and/or implementing the reporting of security incidents
IR-6 (3): Supply Chain Coordination
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.
incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
Incident response policy
procedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council
acquisition policy
acquisition contracts
service-level agreements
incident response plan
supply chain risk management plan
system security plan
plans of other organizations involved in supply chain activities
other relevant documents or records
Organizational personnel with incident reporting responsibilities
organizational personnel with information security responsibilities
organizational personnel with supply chain risk management responsibilities
organization personnel with acquisition responsibilities
Organizational processes for incident reporting
organizational processes for supply chain risk information sharing
mechanisms supporting and/or implementing the reporting of incident information involved in the supply chain
IR-7 (1): Automation Support for Availability of Information and Support
Increase the availability of incident response information and support using [automated mechanisms used to increase the availability of incident response information and support are defined].
Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
the availability of incident response information and support is increased using [automated mechanisms used to increase the availability of incident response information and support are defined].
Incident response policy
procedures addressing incident response assistance
automated mechanisms supporting incident response support and assistance
system design documentation
system configuration settings and associated documentation
incident response plan
system security plan
other relevant documents or records
Organizational personnel with incident response support and assistance responsibilities
organizational personnel with access to incident response support and assistance capability
organizational personnel with information security responsibilities
Organizational processes for incident response assistance
automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support