Control ID Title / Statement Priority Baseline Impact
IR-1
Incident Response Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, managemen...
Param ID Label Constraint / Choices
ir-1_prm_1 organization-defined personnel or roles Organization-defined
ir-1_prm_2 organization-defined frequency Organization-defined
ir-1_prm_3 organization-defined frequency Organization-defined
IR-2
Incident Response Training 2 params
The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within {{ insert: param, ir-2_prm_1 }} of assuming an inci...
Param ID Label Constraint / Choices
ir-2_prm_1 organization-defined time period Organization-defined
ir-2_prm_2 organization-defined frequency Organization-defined
IR-2(1)
Simulated Events
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
IR-2(2)
Automated Training Environments
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
IR-3
Incident Response Testing 2 params
The organization tests the incident response capability for the information system {{ insert: param, ir-3_prm_1 }} using {{ insert: param, ir-3_prm_2 }} to determine the incident response effective...
Param ID Label Constraint / Choices
ir-3_prm_1 organization-defined frequency Organization-defined
ir-3_prm_2 organization-defined tests Organization-defined
IR-3(1)
Automated Testing
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
IR-3(2)
Coordination with Related Plans
The organization coordinates incident response testing with organizational elements responsible for related plans.
IR-4
Incident Handling
The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates ...
IR-4(1)
Automated Incident Handling Processes
The organization employs automated mechanisms to support the incident handling process.
IR-4(2)
Dynamic Reconfiguration 1 param
The organization includes dynamic reconfiguration of {{ insert: param, ir-4.2_prm_1 }} as part of the incident response capability.
Param ID Label Constraint / Choices
ir-4.2_prm_1 organization-defined information system components Organization-defined
IR-4(3)
Continuity of Operations 2 params
The organization identifies {{ insert: param, ir-4.3_prm_1 }} and {{ insert: param, ir-4.3_prm_2 }} to ensure continuation of organizational missions and business functions.
Param ID Label Constraint / Choices
ir-4.3_prm_1 organization-defined classes of incidents Organization-defined
ir-4.3_prm_2 organization-defined actions to take in response to classes of incidents Organization-defined
IR-4(4)
Information Correlation
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-4(5)
Automatic Disabling of Information System 1 param
The organization implements a configurable capability to automatically disable the information system if {{ insert: param, ir-4.5_prm_1 }} are detected.
Param ID Label Constraint / Choices
ir-4.5_prm_1 organization-defined security violations Organization-defined
IR-4(6)
Insider Threats - Specific Capabilities
The organization implements incident handling capability for insider threats.
IR-4(7)
Insider Threats - Intra-organization Coordination 1 param
The organization coordinates incident handling capability for insider threats across {{ insert: param, ir-4.7_prm_1 }}.
Param ID Label Constraint / Choices
ir-4.7_prm_1 organization-defined components or elements of the organization Organization-defined
IR-4(8)
Correlation with External Organizations 2 params
The organization coordinates with {{ insert: param, ir-4.8_prm_1 }} to correlate and share {{ insert: param, ir-4.8_prm_2 }} to achieve a cross-organization perspective on incident awareness and mo...
Param ID Label Constraint / Choices
ir-4.8_prm_1 organization-defined external organizations Organization-defined
ir-4.8_prm_2 organization-defined incident information Organization-defined
IR-4(9)
Dynamic Response Capability 1 param
The organization employs {{ insert: param, ir-4.9_prm_1 }} to effectively respond to security incidents.
Param ID Label Constraint / Choices
ir-4.9_prm_1 organization-defined dynamic response capabilities Organization-defined
IR-4(10)
Supply Chain Coordination
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-5
Incident Monitoring
The organization tracks and documents information system security incidents.
IR-5(1)
Automated Tracking / Data Collection / Analysis
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
IR-6
Incident Reporting 2 params
The organization: a. Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}; and b. Reports security...
Param ID Label Constraint / Choices
ir-6_prm_1 organization-defined time period Organization-defined
ir-6_prm_2 organization-defined authorities Organization-defined
IR-6(1)
Automated Reporting
The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-6(2)
Vulnerabilities Related to Incidents 1 param
The organization reports information system vulnerabilities associated with reported security incidents to {{ insert: param, ir-6.2_prm_1 }}.
Param ID Label Constraint / Choices
ir-6.2_prm_1 organization-defined personnel or roles Organization-defined
IR-6(3)
Coordination with Supply Chain
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
IR-7
Incident Response Assistance
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for...
IR-7(1)
Automation Support for Availability of Information / Support
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
IR-7(2)
Coordination with External Providers
The organization: (a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and (b) Identif...
IR-8
Incident Response Plan 4 params
The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and...
Param ID Label Constraint / Choices
ir-8_prm_1 organization-defined personnel or roles Organization-defined
ir-8_prm_2 organization-defined incident response personnel (identified by name and/or by role) and organizational elements Organization-defined
ir-8_prm_3 organization-defined frequency Organization-defined
ir-8_prm_4 organization-defined incident response personnel (identified by name and/or by role) and organizational elements Organization-defined
IR-9
Information Spillage Response 2 params
The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting {{ insert: param, ir-9_prm_1 }} of the ...
Param ID Label Constraint / Choices
ir-9_prm_1 organization-defined personnel or roles Organization-defined
ir-9_prm_2 organization-defined actions Organization-defined
IR-9(1)
Responsible Personnel 1 param
The organization assigns {{ insert: param, ir-9.1_prm_1 }} with responsibility for responding to information spills.
Param ID Label Constraint / Choices
ir-9.1_prm_1 organization-defined personnel or roles Organization-defined
IR-9(2)
Training 1 param
The organization provides information spillage response training {{ insert: param, ir-9.2_prm_1 }}.
Param ID Label Constraint / Choices
ir-9.2_prm_1 organization-defined frequency Organization-defined
IR-9(3)
Post-spill Operations 1 param
The organization implements {{ insert: param, ir-9.3_prm_1 }} to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated syst...
Param ID Label Constraint / Choices
ir-9.3_prm_1 organization-defined procedures Organization-defined
IR-9(4)
Exposure to Unauthorized Personnel 1 param
The organization employs {{ insert: param, ir-9.4_prm_1 }} for personnel exposed to information not within assigned access authorizations.
Param ID Label Constraint / Choices
ir-9.4_prm_1 organization-defined security safeguards Organization-defined
IR-10
Integrated Information Security Analysis Team
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
ir-1a Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}:
ir-1a.1 An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entiti...
ir-1a.2 Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
ir-1b Reviews and updates the current:
ir-1b.1 Incident response policy {{ insert: param, ir-1_prm_2 }}; and
ir-1b.2 Incident response procedures {{ insert: param, ir-1_prm_3 }}.
ir-2a Within {{ insert: param, ir-2_prm_1 }} of assuming an incident response role or responsibility;
ir-2b When required by information system changes; and
ir-2c {{ insert: param, ir-2_prm_2 }} thereafter.
ir-4a Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and ...
ir-4b Coordinates incident handling activities with contingency planning activities; and
ir-4c Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the...
ir-6a Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}...
ir-6b Reports security incident information to {{ insert: param, ir-6_prm_2 }}.
ir-7.2.(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection cap...
ir-7.2.(b) Identifies organizational incident response team members to the external providers.
ir-8a Develops an incident response plan that:
ir-8a.1 Provides the organization with a roadmap for implementing its incident response capability;
ir-8a.2 Describes the structure and organization of the incident response capability;
ir-8a.3 Provides a high-level approach for how the incident response capability fits into the overall organization;
ir-8a.4 Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
ir-8a.5 Defines reportable incidents;
ir-8a.6 Provides metrics for measuring the incident response capability within the organization;
ir-8a.7 Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
ir-8a.8 Is reviewed and approved by {{ insert: param, ir-8_prm_1 }};
ir-8b Distributes copies of the incident response plan to {{ insert: param, ir-8_prm_2 }};
ir-8c Reviews the incident response plan {{ insert: param, ir-8_prm_3 }};
ir-8d Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
ir-8e Communicates incident response plan changes to {{ insert: param, ir-8_prm_4 }}; and
ir-8f Protects the incident response plan from unauthorized disclosure and modification.
ir-9a Identifying the specific information involved in the information system contamination;
ir-9b Alerting {{ insert: param, ir-9_prm_1 }} of the information spill using a method of communication not associated with the spill;
ir-9c Isolating the contaminated information system or system component;
ir-9d Eradicating the information from the contaminated information system or component;
ir-9e Identifying other information systems or system components that may have been subsequently contaminated; and
ir-9f Performing other {{ insert: param, ir-9_prm_2 }}.