SI-4(7): Automated Response to Suspicious Events

Baselines:

(Not part of any baseline)

Control Statement

  1. Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and
  2. Take the following actions upon detection: [Assignment: organization-defined least-disruptive actions to terminate suspicious events].

Supplemental Guidance

Least-disruptive actions include initiating requests for human responses.