Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/IR

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


INCIDENT RESPONSE

IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-1 Incident Response Policy and Procedures; P1; LOW: IR-1; MOD: IR-1; HIGH: IR-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-1


ASSESSMENT PROCEDURE
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
IR-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents incident response policy;
(ii) the organization incident response policy addresses:
(iii) the organization disseminates formal documented incident response policy to elements within the organization having associated incident response roles and responsibilities;
(iv) the organization develops and formally documents incident response procedures;
(v) the organization incident response procedures facilitate implementation of the incident response policy and associated incident response controls; and
(vi) the organization disseminates formal documented incident response procedures to elements within the organization having associated incident response roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].
IR-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of incident response policy reviews/updates;
(ii) the organization reviews/updates incident response policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of incident response procedure reviews/updates; and
(iv) the organization reviews/updates incident response procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].


IR-2 INCIDENT RESPONSE TRAINING


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-2 Incident Response Training; P2; LOW: IR-2; MOD: IR-2; HIGH: IR-2 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-2


ASSESSMENT PROCEDURE
IR-2 INCIDENT RESPONSE TRAINING
IR-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies personnel with incident response roles and responsibilities with respect to the information system;
(ii) the organization provides incident response training to personnel with incident response roles and responsibilities with respect to the information system;
(iii) incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities;
(iv) the organization defines the frequency of refresher incident response training; and
(v) the organization provides refresher incident response training in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; security plan; incident response plan; incident response training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-2/1


IR-2(1) INCIDENT RESPONSE TRAINING
IR-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-2/2


IR-2(2) INCIDENT RESPONSE TRAINING
IR-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; automated mechanisms supporting incident response training; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].


IR-3 INCIDENT RESPONSE TESTING AND EXERCISES


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-3 Incident Response Testing and Exercises; P2; LOW: Not Selected; MOD: IR-3; HIGH: IR-3 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-3


ASSESSMENT PROCEDURE
IR-3 INCIDENT RESPONSE TESTING AND EXERCISES
IR-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines incident response tests/exercises;
(ii) the organization defines the frequency of incident response tests/exercises;
(iii) the organization tests/exercises the incident response capability for the information system using organization-defined tests/exercises in accordance with organization-defined frequency;
(iv) the organization documents the results of incident response tests/exercises; and
(v) the organization determines the effectiveness of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing material; incident response test results; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-3/1


IR-3(1) INCIDENT RESPONSE TESTING AND EXERCISES
IR-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing documentation; automated mechanisms supporting incident response tests/exercises; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities].


IR-4 INCIDENT HANDLING


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-4 Incident Handling; P1; LOW: IR-4; MOD: IR-4 (1); HIGH: IR-4 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4


ASSESSMENT PROCEDURE
IR-4 INCIDENT HANDLING
IR-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements an incident handling capability for security incidents that includes:
  • preparation;
  • detection and analysis;
  • containment;
  • eradication; and
  • recovery;
(ii) the organization coordinates incident handling activities with contingency planning activities;
(iii) the organization incorporates lessons learned from ongoing incident handling activities into:
  • incident response procedures;
  • training; and
  • testing/exercises; and
(iv) the organization implements the resulting changes to incident response procedures, training, and testing/exercises accordingly.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities].
Test: [SELECT FROM: Incident handling capability for the organization].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4/1


IR-4(1) INCIDENT HANDLING
IR-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to support the incident handling process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4/2


IR-4(2) INCIDENT HANDLING
IR-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes dynamic reconfiguration of the information system as part of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4/3


IR-4(3) INCIDENT HANDLING
IR-4(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies classes of incidents; and
(ii) the organization defines the appropriate actions to take in response to each class of incidents to ensure continuation of organizational missions and business functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4/4


IR-4(4) INCIDENT HANDLING
IR-4(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4/5


IR-4(5) INCIDENT HANDLING
IR-4(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines a list of security violations that, if detected, initiate a configurable capability to automatically disable the information system; and
(ii) the organization implements a configurable capability to automatically disable the information system if any of the organization-defined security violations are detected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


IR-5 INCIDENT MONITORING


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-5 Incident Monitoring; P1; LOW: IR-5; MOD: IR-5; HIGH: IR-5 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-5


ASSESSMENT PROCEDURE
IR-5 INCIDENT MONITORING
IR-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization tracks and documents information system security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Incident monitoring capability for the organization].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-5/1


IR-5(1) INCIDENT MONITORING
IR-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to assist in the tracking of security incidents;
(ii) the organization employs automated mechanisms to assist in the collection of security incident information; and
(iii) the organization employs automated mechanisms to assist in the analysis of security incident information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting incident monitoring; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information].


IR-6 INCIDENT REPORTING


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-6 Incident Reporting; P1; LOW: IR-6; MOD: IR-6 (1); HIGH: IR-6 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-6


ASSESSMENT PROCEDURE
IR-6 INCIDENT REPORTING
IR-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period required to report suspected security incidents to the organizational incident response capability;
(ii) the organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period; and
(iii) the organization reports security incident information to designated authorities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-6/1


IR-6(1) INCIDENT REPORTING
IR-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-6/2


IR-6(2) INCIDENT REPORTING
IR-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization reports information system weaknesses, deficiencies, and/or vulnerabilities associated with reported security incidents to appropriate organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].


IR-7 INCIDENT RESPONSE ASSISTANCE


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-7 Incident Response Assistance; P3; LOW: IR-7; MOD: IR-7 (1); HIGH: IR-7 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-7


ASSESSMENT PROCEDURE
IR-7 INCIDENT RESPONSE ASSISTANCE
IR-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents; and
(ii) the incident response support resource is an integral part of the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response assistance and support responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-7/1


IR-7(1) INCIDENT RESPONSE ASSISTANCE
IR-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; organizational personnel that require incident response support and assistance].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-7/2


IR-7(2) INCIDENT RESPONSE ASSISTANCE
IR-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
(ii) the organization identifies organizational incident response team members to the external providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; external providers of information system protection capability].


IR-8 INCIDENT RESPONSE PLAN


FAMILY: INCIDENT RESPONSE; CLASS: OPERATIONAL


Security Control Baseline:
IR-8 Incident Response Plan; P1; LOW: IR-8; MOD: IR-8; HIGH: IR-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-8


ASSESSMENT PROCEDURE
IR-8 INCIDENT RESPONSE PLAN
IR-8.1 ASSESSMENT OBJECTIVE:
Determine if the organization develops an incident response plan that:
  • provides the organization with a roadmap for implementing its incident response capability;
  • describes the structure and organization of the incident response capability;
  • provides a high-level approach for how the incident response capability fits into the overall organization;
  • meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  • defines reportable incidents;
  • provides metrics for measuring the incident response capability within the organization;
  • defines the resources and management support needed to effectively maintain and mature an incident response capability; and
  • is reviewed and approved by designated officials within the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].
IR-8.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines, in the incident response plan, incident response personnel (identified by name and/or role) and organizational elements;
(ii) the organization distributes copies of the incident response plan to incident response personnel and organizational elements identified in the plan;
(iii) the organization defines, in the incident response plan, the frequency to review the plan;
(iv) the organization reviews the incident response plan in accordance with the organization-defined frequency;
(v) the organization revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
(vi) the organization communicates incident response plan changes to incident response personnel and organizational elements identified in the plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].

