Overview:
Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
Action Items:
3.6.1[a]
Determine if: an operational incident-handling capability is established.
3.6.1[b]
Determine if: the operational incident-handling capability includes preparation.
3.6.1[c]
Determine if: the operational incident-handling capability includes detection.
3.6.1[d]
Determine if: the operational incident-handling capability includes analysis.
3.6.1[e]
Determine if: the operational incident-handling capability includes containment.
3.6.1[f]
Determine if: the operational incident-handling capability includes recovery.
3.6.1[g]
Determine if: the operational incident-handling capability includes user response activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: Incident response policy; contingency planning policy; procedures addressing incident handling; procedures addressing incident response assistance; incident response plan; contingency plan; system security plan; procedures addressing incident response training; incident response training curriculum; incident response training materials; incident response training records; other relevant documents or records].
2
Interview: Personnel with incident handling responsibilities; personnel with contingency planning responsibilities; personnel with incident response training and operational responsibilities; personnel with incident response assistance and support responsibilities; personnel with access to incident response support and assistance capability; personnel with information security responsibilities].
3
Test: Incident-handling capability for the organization; organizational processes for incident response assistance; mechanisms supporting or implementing incident response assistance].
Related Documents (document name and content will vary by organization):
1) Incident response policy
2) contingency planning policy
3) procedures addressing incident handling
4) procedures addressing incident response assistance
5) incident response plan
6) contingency plan
7) system security plan
8) procedures addressing incident response training
9) incident response training curriculum
10) incident response training materials
11) incident response training records
12) other relevant documents or records
Additional Guidance:
Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive.
As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. NIST Special Publication 800-61 provides guidance on incident handling. NIST Special Publications 800-86 and 800-101 provide guidance on integrating forensic techniques into incident response.
Article ID: 160
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-incident-response-plan-3-6-1-160.html