NIST 800-171 - Incident Response Testing (3.6.3)
Overview:
Test the organizational incident response capability.
Action Items:
3.6.3[a]
Determine if: the incident response capability is tested.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; system security plan; other relevant documents or records.
2) Interview: Personnel with incident response testing responsibilities; personnel with information security responsibilities; personnel with responsibilities for testing plans related to incident response.
3) Test: Mechanisms and processes for incident response.
Related Documents (document name and content will vary by organization):
1) Incident response policy
2) Contingency planning policy
3) Procedures addressing incident response testing
4) Procedures addressing contingency plan testing
5) Incident response testing material
6) Incident response test results
7) Incident response test plan
8) Incident response plan
9) Contingency plan
10) System security plan
11) Other relevant documents or records
Additional Guidance:
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. NIST Special Publication 800-84 provides guidance on testing programs for information technology capabilities.