IR-4: Incident Handling
Generated
2019-04-12 13:01:48.067729
Status
Statements
The organization:
| Code | Description |
|---|---|
| IR-4a. | Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; |
| IR-4b. | Coordinates incident handling activities with contingency planning activities; and |
| IR-4c. | Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly. |
Additional Guidance
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).