Incidents are mishandled due to lack of defined and tested incident management plans.
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
The agency conducted periodic testing of the incident reporting mechanisms.
No statewide control
Obtain incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing material; incident response test results; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, incident response tests/exercises.
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of incident response tests/exercises and the frequency is at least annually.
(iii) the organization tests/exercises the incident response capability for the information system using organization-defined tests/exercises in accordance with organization-defined frequency.
(iv) the organization documents the results of incident response tests/exercises.
(v) the organization determines the effectiveness of the incident response capability.