IR-08-727 Incident Response Plan

Incident Response
Respond
Cyber-Security Incident Response
LOW, MOD, HIGH
P1
Yes
February 13, 2018

The chief information security officer shall implement an information security incident response plan which outlines the Agency's process to address the prevention, detection, response, remediation, and reporting of information security incidents.

If the incident response plan is not well designed and documented, the organization is unable to manage the initial phase of an incident.
The organization:
a. Develops an incident response plan that:
   1. Provides the organization with a roadmap for implementing its incident response capability;
   2. Describes the structure and organization of the incident response capability;
   3. Provides a high-level approach for how the incident response capability fits into the overall organization;
   4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
   5. Defines reportable incidents;
   6. Provides metrics for measuring the incident response capability within the organization;
   7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
   8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.
The organization has a written, documented incident response plan in place.
The state organization has an incident management policy that describes the requirements for dealing with computer security incidents including prevention, detection, response, remediation, and reporting.
Obtain incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records and ascertain if:
(I) the organization develops an incident response plan that:
- provides the organization with a roadmap for implementing its incident response capability;
- describes the structure and organization of the incident response capability;
- provides a high-level approach for how the incident response capability fits into the overall organization;
- meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- defines reportable incidents;
- provides metrics for measuring the incident response capability within the organization;
- defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- is reviewed and approved by designated officials within the organization