IR-04-727 Incident Handling

Incident Response
Respond
Cyber-Security Incident Response
LOW, MOD, HIGH
P1
Yes
February 13, 2018

The chief information security officer shall coordinate the information security incident handling capability for the Agency, to include: (a) the integration of automated systems to facilitate the detection, analysis, containment, and eradication of, and the recovery from, information security incidents, and (b) the use of internal and external incident response providers to support information security incident handling. All information security incidents shall be concluded with an after-action review which includes recommendations for remediating the incident's root cause to prevent future similar occurrences.

Security incidents continue to occur due to a lack of learning from past security incidents.
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
The incident management process evolves based on testing, usage, and feedback.
The state organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Obtain the incident response policy; procedures addressing incident handling; NIST Special Publication 800-61; automated mechanisms supporting incident handling; and other relevant documents or records, and ascertain whether:
(i) the organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
(ii) the organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly; and
(iii) the organization employs automated mechanisms to support the incident handling process.