The chief information security officer shall coordinate the information security incident handling capability for the Agency, to include: (a) the integration of automated systems to facilitate the detection, analysis, containment, and eradication of, and the recovery from, information security incidents, and (b) the use of internal and external incident response providers to support information security incident handling. All information security incidents shall be concluded with an after-action review which includes recommendations for remediating the incident's root cause to prevent future similar occurrences.
Security incidents continue to occur due to lack of learning from past security incidents.
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
The incident management process evolves based on testing, usage, and feedback.
The state organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Obtain incident response policy; procedures addressing incident handling; NIST Special Publication 800-61;automated mechanisms supporting incident handling; other relevant documents or records and ascertain if :
(I)the organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
(ii)the organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly.
(iii)the organization employs automated mechanisms to support the incident handling process.