IR: Incident Response
Controls
IR-1: Incident Response Policy And Procedures
Baseline(s):
- Low
- Moderate
- High
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and Reviews and updates the current: Incident response policy…
IR-2: Incident Response Training
Baseline(s):
- Low
- Moderate
- High
The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; When required by information system changes; and [Assignment: organization-defined frequency] thereafter.
IR-3: Incident Response Testing
Baseline(s):
- Moderate
- High
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
IR-4: Incident Handling
Baseline(s):
- Low
- Moderate
- High
The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; Coordinates incident handling activities with contingency planning activities; and Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-5: Incident Monitoring
Baseline(s):
- Low
- Moderate
- High
The organization tracks and documents information system security incidents.
IR-6: Incident Reporting
Baseline(s):
- Low
- Moderate
- High
The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and Reports security incident information to [Assignment: organization-defined authorities].
IR-7: Incident Response Assistance
Baseline(s):
- Low
- Moderate
- High
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-8: Incident Response Plan
Baseline(s):
- Low
- Moderate
- High
The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to…
IR-9: Information Spillage Response
Baseline(s):
The organization responds to information spills by: Identifying the specific information involved in the information system contamination; Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; Isolating the contaminated information system or system component; Eradicating the information from the contaminated information system or component;…
IR-10: Integrated Information Security Analysis Team
Baseline(s):
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.