Overview:
Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Action Items:
3.6.2[a]
Determine if: incidents are tracked.
3.6.2[b]
Determine if: incidents are documented.
3.6.2[c]
Determine if: authorities to whom incidents are to be reported are identified.
3.6.2[d]
Determine if: organizational officials to whom incidents are to be reported are identified.
3.6.2[e]
Determine if: identified authorities are notified of incidents.
3.6.2[f]
Determine if: identified organizational officials are notified of incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; system security plan; other relevant documents or records].
2
Interview: Personnel with incident monitoring responsibilities; personnel with incident reporting responsibilities; personnel who have or should have reported incidents; personnel (authorities) to whom incident information is to be reported; personnel with information security responsibilities].
3
Test: Incident monitoring capability for the organization; mechanisms supporting or implementing tracking and documenting of system security incidents; organizational processes for incident reporting; mechanisms supporting or implementing incident reporting].
Related Documents (document name and content will vary by organization):
1) Incident response policy
2) procedures addressing incident monitoring
3) incident response records and documentation
4) procedures addressing incident reporting
5) incident reporting records and documentation
6) incident response plan
7) system security plan
8) other relevant documents or records
Additional Guidance:
Tracking and documenting system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. NIST Special Publication 800-61 provides guidance on incident handling.
Article ID: 161
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-incident-reporting-3-6-2-161.html