IR-4: Incident Handling
Control Family: Incident Response
Next Version:
- NIST Special Publication 800-53 Revision 5: IR-4: Incident Handling
Control Statement
The organization:
- Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
- Coordinates incident handling activities with contingency planning activities; and
- Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
Supplemental Guidance
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).
Control Enhancements
IR-4(1): Automated Incident Handling Processes
Baseline(s):
- Moderate
- High
The organization employs automated mechanisms to support the incident handling process.
IR-4(2): Dynamic Reconfiguration
Baseline(s): none
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
IR-4(3): Continuity Of Operations
Baseline(s): none
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
IR-4(4): Information Correlation
Baseline(s):
- High
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
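As an added illustration of what "correlates incident information ... to achieve an organization-wide perspective" can mean in practice, the following Python links events reported by the source types named in the Supplemental Guidance (audit monitoring, network monitoring, physical access monitoring, user reports, supply chain events) into incidents when they share an indicator within a time window, and flags an incident as corroborated when more than one independent source contributed. This is example code written for this page, not text from NIST SP 800-53 and not any product's logic; the sample events, host and user names, the 4-hour window, and the `indicator:value` naming convention are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each carries the reporting
# source, an ISO timestamp, and the indicators it names as "type:value" strings.
# Host, user and IP values are hypothetical.
SAMPLE_EVENTS = [
    {"id": "e1", "source": "network_monitoring", "ts": "2024-03-01T09:00:00",
     "indicators": {"host:ws-17", "ip:203.0.113.9"},
     "summary": "outbound beacon to 203.0.113.9"},
    {"id": "e2", "source": "audit_monitoring", "ts": "2024-03-01T09:05:00",
     "indicators": {"host:ws-17", "user:jdoe"},
     "summary": "new scheduled task created by jdoe"},
    {"id": "e3", "source": "user_report", "ts": "2024-03-01T09:40:00",
     "indicators": {"user:jdoe"},
     "summary": "jdoe reports an unexpected MFA prompt"},
    {"id": "e4", "source": "physical_access", "ts": "2024-03-01T03:10:00",
     "indicators": {"user:asmith"},
     "summary": "badge-in to data center outside shift"},
    {"id": "e5", "source": "supply_chain", "ts": "2024-03-03T11:00:00",
     "indicators": {"host:build-02"},
     "summary": "vendor notified of a compromised update package"},
    {"id": "e6", "source": "audit_monitoring", "ts": "2024-03-03T11:30:00",
     "indicators": {"host:build-02", "user:svc-build"},
     "summary": "privileged login from svc-build"},
]

# Assumed correlation window; an organization would tune this per environment.
WINDOW = timedelta(hours=4)


@dataclass
class Incident:
    incident_id: int
    event_ids: list        # member event ids, sorted
    sources: list          # distinct reporting sources, sorted
    indicators: list       # union of member indicators, sorted
    corroborated: bool     # True when two or more independent sources agree


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=WINDOW):
    """Group events into incidents: two events are linked when they share an
    indicator and occur within `window` of each other; links are transitive, so
    a chain of related events can span longer than one window (intended)."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    # Index events by indicator so only events naming the same artifact are compared.
    by_indicator = {}
    for e in events:
        for ind in e["indicators"]:
            by_indicator.setdefault(ind, []).append(e)

    # Within each indicator, link time-adjacent events that fall inside the window.
    for group in by_indicator.values():
        group.sort(key=_ts)
        for earlier, later in zip(group, group[1:]):
            if _ts(later) - _ts(earlier) <= window:
                union(earlier["id"], later["id"])

    clusters = {}
    for e in events:
        clusters.setdefault(find(e["id"]), []).append(e)

    incidents = []
    ordered = sorted(clusters.values(), key=lambda ms: min(_ts(m) for m in ms))
    for n, members in enumerate(ordered, start=1):
        sources = sorted({m["source"] for m in members})
        incidents.append(Incident(
            incident_id=n,
            event_ids=sorted(m["id"] for m in members),
            sources=sources,
            indicators=sorted(set().union(*(m["indicators"] for m in members))),
            corroborated=len(sources) >= 2,
        ))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        flag = "corroborated" if inc.corroborated else "single-source"
        print(f"incident {inc.incident_id} [{flag}] events={inc.event_ids} "
              f"sources={inc.sources}")
```

With the constructed input this yields three incidents: the out-of-hours badge-in stands alone, the workstation beacon, the scheduled task and the user's MFA report merge into one corroborated incident through the shared host and user indicators, and the vendor's supply chain notification merges with the privileged login on the affected build host. The single-source incident is the one a responder would still want a human to triage, because correlation by shared indicator cannot by itself tell benign from malicious.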
IR-4(5): Automatic Disabling Of Information System
Baseline(s): none
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
IR-4(6): Insider Threats – Specific Capabilities
Baseline(s): none
The organization implements incident handling capability for insider threats.
IR-4(7): Insider Threats – Intra-Organization Coordination
Baseline(s): none
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
IR-4(8): Correlation With External Organizations
Baseline(s): none
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
IR-4(9): Dynamic Response Capability
Baseline(s): none
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
IR-4(10): Supply Chain Coordination
Baseline(s): none
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.