Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/IR/High

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


INCIDENT RESPONSE

IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-1 Incident Response Policy and Procedures; Priority: P1; LOW: IR-1; MOD: IR-1; HIGH: IR-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-1


ASSESSMENT PROCEDURE
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
IR-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents incident response policy;
(ii) the organization incident response policy addresses:
(iii) the organization disseminates formal documented incident response policy to elements within the organization having associated incident response roles and responsibilities;
(iv) the organization develops and formally documents incident response procedures;
(v) the organization incident response procedures facilitate implementation of the incident response policy and associated incident response controls; and
(vi) the organization disseminates formal documented incident response procedures to elements within the organization having associated incident response roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].
IR-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of incident response policy reviews/updates;
(ii) the organization reviews/updates incident response policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of incident response procedure reviews/updates; and
(iv) the organization reviews/updates incident response procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].


IR-2 INCIDENT RESPONSE TRAINING


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-2 Incident Response Training; Priority: P2; LOW: IR-2; MOD: IR-2; HIGH: IR-2 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-2


ASSESSMENT PROCEDURE
IR-2 INCIDENT RESPONSE TRAINING
IR-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies personnel with incident response roles and responsibilities with respect to the information system;
(ii) the organization provides incident response training to personnel with incident response roles and responsibilities with respect to the information system;
(iii) incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities;
(iv) the organization defines the frequency of refresher incident response training; and
(v) the organization provides refresher incident response training in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; security plan; incident response plan; incident response training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-2/1


IR-2(1) INCIDENT RESPONSE TRAINING
IR-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-2/2


IR-2(2) INCIDENT RESPONSE TRAINING
IR-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; automated mechanisms supporting incident response training; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].


IR-3 INCIDENT RESPONSE TESTING AND EXERCISES


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-3 Incident Response Testing and Exercises; Priority: P2; LOW: Not Selected; MOD: IR-3; HIGH: IR-3 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-3


ASSESSMENT PROCEDURE
IR-3 INCIDENT RESPONSE TESTING AND EXERCISES
IR-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines incident response tests/exercises;
(ii) the organization defines the frequency of incident response tests/exercises;
(iii) the organization tests/exercises the incident response capability for the information system using organization-defined tests/exercises in accordance with organization-defined frequency;
(iv) the organization documents the results of incident response tests/exercises; and
(v) the organization determines the effectiveness of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing material; incident response test results; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-3/1


IR-3(1) INCIDENT RESPONSE TESTING AND EXERCISES
IR-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing documentation; automated mechanisms supporting incident response tests/exercises; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities].


IR-4 INCIDENT HANDLING


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-4 Incident Handling; Priority: P1; LOW: IR-4; MOD: IR-4 (1); HIGH: IR-4 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4


ASSESSMENT PROCEDURE
IR-4 INCIDENT HANDLING
IR-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements an incident handling capability for security incidents that includes:
  • preparation;
  • detection and analysis;
  • containment;
  • eradication; and
  • recovery;
(ii) the organization coordinates incident handling activities with contingency planning activities;
(iii) the organization incorporates lessons learned from ongoing incident handling activities into:
  • incident response procedures;
  • training; and
  • testing/exercises; and
(iv) the organization implements the resulting changes to incident response procedures, training and testing/exercise accordingly.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities].
Test: [SELECT FROM: Incident handling capability for the organization].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-4/1


IR-4(1) INCIDENT HANDLING
IR-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to support the incident handling process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


IR-5 INCIDENT MONITORING


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-5 Incident Monitoring; Priority: P1; LOW: IR-5; MOD: IR-5; HIGH: IR-5 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-5


ASSESSMENT PROCEDURE
IR-5 INCIDENT MONITORING
IR-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization tracks and documents information system security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Incident monitoring capability for the organization].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-5/1


IR-5(1) INCIDENT MONITORING
IR-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to assist in the tracking of security incidents;
(ii) the organization employs automated mechanisms to assist in the collection of security incident information; and
(iii) the organization employs automated mechanisms to assist in the analysis of security incident information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting incident monitoring; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information].


IR-6 INCIDENT REPORTING


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-6 Incident Reporting; Priority: P1; LOW: IR-6; MOD: IR-6 (1); HIGH: IR-6 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-6


ASSESSMENT PROCEDURE
IR-6 INCIDENT REPORTING
IR-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period required to report suspected security incidents to the organizational incident response capability;
(ii) the organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period; and
(iii) the organization reports security incident information to designated authorities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-6/1


IR-6(1) INCIDENT REPORTING
IR-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].


IR-7 INCIDENT RESPONSE ASSISTANCE


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-7 Incident Response Assistance; Priority: P3; LOW: IR-7; MOD: IR-7 (1); HIGH: IR-7 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-7


ASSESSMENT PROCEDURE
IR-7 INCIDENT RESPONSE ASSISTANCE
IR-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents; and
(ii) the incident response support resource is an integral part of the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response assistance and support responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IR-7/1


IR-7(1) INCIDENT RESPONSE ASSISTANCE
IR-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; organizational personnel that require incident response support and assistance].


IR-8 INCIDENT RESPONSE PLAN


FAMILY: INCIDENT RESPONSE
CLASS: OPERATIONAL


Security Control Baseline:
IR-8 Incident Response Plan; Priority: P1; LOW: IR-8; MOD: IR-8; HIGH: IR-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IR-8


ASSESSMENT PROCEDURE
IR-8 INCIDENT RESPONSE PLAN
IR-8.1 ASSESSMENT OBJECTIVE:
Determine if the organization develops an incident response plan that:
  • provides the organization with a roadmap for implementing its incident response capability;
  • describes the structure and organization of the incident response capability;
  • provides a high-level approach for how the incident response capability fits into the overall organization;
  • meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  • defines reportable incidents;
  • provides metrics for measuring the incident response capability within the organization;
  • defines the resources and management support needed to effectively maintain and mature an incident response capability; and
  • is reviewed and approved by designated officials within the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].
IR-8.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines, in the incident response plan, incident response personnel (identified by name and/or role) and organizational elements;
(ii) the organization distributes copies of the incident response plan to incident response personnel and organizational elements identified in the plan;
(iii) the organization defines, in the incident response plan, the frequency to review the plan;
(iv) the organization reviews the incident response plan in accordance with the organization-defined frequency;
(v) the organization revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
(vi) the organization communicates incident response plan changes to incident response personnel and organizational elements identified in the plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].

