Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/IR/Moderate

From FISMApedia


NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls



INCIDENT RESPONSE

IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-1 Incident Response Policy and Procedures | Priority: P1 | LOW: IR-1 | MOD: IR-1 | HIGH: IR-1


SECURITY CONTROL

IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the incident response family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the incident response policy. Related control: PM-9.
Control Enhancements: None.


ASSESSMENT PROCEDURE
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
IR-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents incident response policy;
(ii) the organization's incident response policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance;
(iii) the organization disseminates formal documented incident response policy to elements within the organization having associated incident response roles and responsibilities;
(iv) the organization develops and formally documents incident response procedures;
(v) the organization's incident response procedures facilitate implementation of the incident response policy and associated incident response controls; and
(vi) the organization disseminates formal documented incident response procedures to elements within the organization having associated incident response roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].
IR-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of incident response policy reviews/updates;
(ii) the organization reviews/updates incident response policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of incident response procedure reviews/updates; and
(iv) the organization reviews/updates incident response procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].


IR-2 INCIDENT RESPONSE TRAINING


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-2 Incident Response Training | Priority: P2 | LOW: IR-2 | MOD: IR-2 | HIGH: IR-2 (1) (2)


SECURITY CONTROL

IR-2 INCIDENT RESPONSE TRAINING

Control: The organization:
a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b. Provides refresher training [Assignment: organization-defined frequency].
Supplemental Guidance: Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related control: AT-3.
Control Enhancements: None selected in the moderate baseline (enhancements (1) and (2) are selected only in the HIGH baseline).


ASSESSMENT PROCEDURE
IR-2 INCIDENT RESPONSE TRAINING
IR-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies personnel with incident response roles and responsibilities with respect to the information system;
(ii) the organization provides incident response training to personnel with incident response roles and responsibilities with respect to the information system;
(iii) incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities;
(iv) the organization defines the frequency of refresher incident response training; and
(v) the organization provides refresher incident response training in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; security plan; incident response plan; incident response training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].



IR-3 INCIDENT RESPONSE TESTING AND EXERCISES


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-3 Incident Response Testing and Exercises | Priority: P2 | LOW: Not Selected | MOD: IR-3 | HIGH: IR-3 (1)


SECURITY CONTROL

IR-3 INCIDENT RESPONSE TESTING AND EXERCISES

Control: The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
Supplemental Guidance: None.
Control Enhancements: None selected in the moderate baseline (enhancement (1) is selected only in the HIGH baseline).


ASSESSMENT PROCEDURE
IR-3 INCIDENT RESPONSE TESTING AND EXERCISES
IR-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines incident response tests/exercises;
(ii) the organization defines the frequency of incident response tests/exercises;
(iii) the organization tests/exercises the incident response capability for the information system using organization-defined tests/exercises in accordance with organization-defined frequency;
(iv) the organization documents the results of incident response tests/exercises; and
(v) the organization determines the effectiveness of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing material; incident response test results; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities].



IR-4 INCIDENT HANDLING


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-4 Incident Handling | Priority: P1 | LOW: IR-4 | MOD: IR-4 (1) | HIGH: IR-4 (1)


SECURITY CONTROL

IR-4 INCIDENT HANDLING

Control: The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, CP-2, IR-2, IR-3, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
Control Enhancements:


ASSESSMENT PROCEDURE
IR-4 INCIDENT HANDLING
IR-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements an incident handling capability for security incidents that includes:
  • preparation;
  • detection and analysis;
  • containment;
  • eradication; and
  • recovery;
(ii) the organization coordinates incident handling activities with contingency planning activities; and
(iii) the organization incorporates lessons learned from ongoing incident handling activities into:
  • incident response procedures;
  • training; and
  • testing/exercises; and
(iv) the organization implements the resulting changes to incident response procedures, training, and testing/exercises accordingly.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities].
Test: [SELECT FROM: Incident handling capability for the organization].


SECURITY CONTROL ENHANCEMENT
(1) The organization employs automated mechanisms to support the incident handling process.
Enhancement Supplemental Guidance: An online incident management system is an example of an automated mechanism.


IR-4(1) INCIDENT HANDLING
IR-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to support the incident handling process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


IR-5 INCIDENT MONITORING


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-5 Incident Monitoring | Priority: P1 | LOW: IR-5 | MOD: IR-5 | HIGH: IR-5 (1)


SECURITY CONTROL

IR-5 INCIDENT MONITORING

Control: The organization tracks and documents information system security incidents.
Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
Control Enhancements:


ASSESSMENT PROCEDURE
IR-5 INCIDENT MONITORING
IR-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization tracks and documents information system security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Incident monitoring capability for the organization].


IR-6 INCIDENT REPORTING


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-6 Incident Reporting | Priority: P1 | LOW: IR-6 | MOD: IR-6 (1) | HIGH: IR-6 (1)


SECURITY CONTROL

IR-6 INCIDENT REPORTING

Control: The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Reports security incident information to designated authorities.
Supplemental Guidance: The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. The types of security incidents reported, the content and timeliness of the reports, and the list of designated reporting authorities are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5.
Control Enhancements:


ASSESSMENT PROCEDURE
IR-6 INCIDENT REPORTING
IR-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period within which suspected security incidents must be reported to the organizational incident response capability;
(ii) the organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period; and
(iii) the organization reports security incident information to designated authorities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].
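An assessor checking IR-5 and IR-6 together needs two things from the incident records: that each incident is tracked with its status and timestamps, and that the report to the internal incident response capability and to the designated authority fell inside the organization-defined time periods. The following is an added example, not part of the NIST text or of FISMApedia: it models one tracked incident record and runs a timeliness check over constructed sample records. The time periods (1 hour to the internal capability, 24 hours to the designated authority) and the sample incidents are assumptions chosen for illustration; an organization substitutes its own values.

```python
"""Added example: minimal incident record (IR-5) and IR-6 reporting-timeliness check.

The time periods and the sample incidents below are assumed for illustration;
they are not values taken from NIST SP 800-53 or SP 800-53A.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Organization-defined time periods for IR-6 a. and b. (assumed values).
INTERNAL_REPORT_WINDOW = timedelta(hours=1)    # suspected incident -> org IR capability
AUTHORITY_REPORT_WINDOW = timedelta(hours=24)  # incident information -> designated authority


@dataclass
class Incident:
    """One tracked record per incident (IR-5): identity, status, and the timestamps IR-6 is assessed against."""
    incident_id: str
    category: str
    detected_at: datetime
    reported_internally_at: Optional[datetime] = None
    reported_to_authority_at: Optional[datetime] = None
    reportable_to_authority: bool = False       # per the plan's definition of reportable incidents (IR-8)
    status: str = "open"                        # open / contained / eradicated / recovered / closed
    history: List[Tuple[datetime, str]] = field(default_factory=list)

    def update_status(self, new_status: str, at: datetime, note: str = "") -> None:
        """Append every status change so the record shows the handling phases with timestamps."""
        self.history.append((at, f"{self.status} -> {new_status}: {note}"))
        self.status = new_status


def reporting_findings(inc: Incident, now: datetime) -> List[str]:
    """Return the IR-6 deviations for one record: late or still-missing reports, measured from detection."""
    findings: List[str] = []
    internal_deadline = inc.detected_at + INTERNAL_REPORT_WINDOW
    if inc.reported_internally_at is None:
        if now > internal_deadline:
            findings.append("internal report overdue")
    elif inc.reported_internally_at > internal_deadline:
        findings.append("internal report late")
    if inc.reportable_to_authority:
        authority_deadline = inc.detected_at + AUTHORITY_REPORT_WINDOW
        if inc.reported_to_authority_at is None:
            if now > authority_deadline:
                findings.append("authority report overdue")
        elif inc.reported_to_authority_at > authority_deadline:
            findings.append("authority report late")
    return findings


def summarize(incidents: List[Incident], now: datetime) -> Dict[str, object]:
    """IR-5 view over all records: counts by category and status, plus every record with an IR-6 deviation."""
    deviations = {}
    for inc in incidents:
        found = reporting_findings(inc, now)
        if found:
            deviations[inc.incident_id] = found
    return {
        "by_category": dict(Counter(i.category for i in incidents)),
        "by_status": dict(Counter(i.status for i in incidents)),
        "reporting_deviations": deviations,
    }


# Constructed sample records (not real incidents).
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=2)

_inc1 = Incident("INC-1", "malware", T0, T0 + timedelta(minutes=20),
                 T0 + timedelta(hours=5), reportable_to_authority=True)
_inc1.update_status("contained", T0 + timedelta(hours=1), "host isolated from network")
SAMPLE_INCIDENTS = [
    _inc1,                                                           # both reports inside their windows
    Incident("INC-2", "phishing", T0, T0 + timedelta(hours=3)),     # internal report 2 h past the window
    Incident("INC-3", "malware", T0, reportable_to_authority=True),  # nothing reported yet at NOW
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, inc.status, reporting_findings(inc, NOW))
    print(summarize(SAMPLE_INCIDENTS, NOW))
```

INC-3 shows the distinction the check has to make: its internal report is already overdue at NOW, but the authority report is not yet due, so only the first deviation is raised. Measuring both windows from detection is the simplest reading of IR-6; an organization whose policy starts the authority clock at the internal report instead changes only the `authority_deadline` line.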



SECURITY CONTROL ENHANCEMENT
(1) The organization employs automated mechanisms to assist in the reporting of security incidents.


IR-6(1) INCIDENT REPORTING
IR-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].


IR-7 INCIDENT RESPONSE ASSISTANCE


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-7 Incident Response Assistance | Priority: P3 | LOW: IR-7 | MOD: IR-7 (1) | HIGH: IR-7 (1)


SECURITY CONTROL

IR-7 INCIDENT RESPONSE ASSISTANCE

Control: The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required. Related controls: IR-4, IR-6.
Control Enhancements:


ASSESSMENT PROCEDURE
IR-7 INCIDENT RESPONSE ASSISTANCE
IR-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents; and
(ii) the incident response support resource is an integral part of the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response assistance and support responsibilities].



SECURITY CONTROL ENHANCEMENT
(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.
Enhancement Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.


IR-7(1) INCIDENT RESPONSE ASSISTANCE
IR-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; organizational personnel that require incident response support and assistance].


IR-8 INCIDENT RESPONSE PLAN


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


Security Control Baseline:
IR-8 Incident Response Plan | Priority: P1 | LOW: IR-8 | MOD: IR-8 | HIGH: IR-8


SECURITY CONTROL

IR-8 INCIDENT RESPONSE PLAN

Control: The organization:
a. Develops an incident response plan that:
- Provides the organization with a roadmap for implementing its incident response capability;
- Describes the structure and organization of the incident response capability;
- Provides a high-level approach for how the incident response capability fits into the overall organization;
- Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- Defines reportable incidents;
- Provides metrics for measuring the incident response capability within the organization;
- Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
e. Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].
Supplemental Guidance: It is important that organizations have a formal, focused, and coordinated approach to responding to incidents. The organization's mission, strategies, and goals for incident response help determine the structure of its incident response capability.
Control Enhancements: None.


ASSESSMENT PROCEDURE
IR-8 INCIDENT RESPONSE PLAN
IR-8.1 ASSESSMENT OBJECTIVE:
Determine if the organization develops an incident response plan that:
  • provides the organization with a roadmap for implementing its incident response capability;
  • describes the structure and organization of the incident response capability;
  • provides a high-level approach for how the incident response capability fits into the overall organization;
  • meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  • defines reportable incidents;
  • provides metrics for measuring the incident response capability within the organization;
  • defines the resources and management support needed to effectively maintain and mature an incident response capability; and
  • is reviewed and approved by designated officials within the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].
IR-8.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines, in the incident response plan, incident response personnel (identified by name and/or role) and organizational elements;
(ii) the organization distributes copies of the incident response plan to incident response personnel and organizational elements identified in the plan;
(iii) the organization defines, in the incident response plan, the frequency to review the plan;
(iv) the organization reviews the incident response plan in accordance with the organization-defined frequency;
(v) the organization revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
(vi) the organization communicates incident response plan changes to incident response personnel and organizational elements identified in the plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].

