Control ID Title / Statement Priority Baseline Impact
IR-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}: 1. {{ insert: param, ir-01_odp.03 }} incident response policy that: (a) Addresses purpose, scope, roles, respon...
Param ID Label Constraint / Choices
ir-1_prm_1 organization-defined personnel or roles Organization-defined
ir-01_odp.01 personnel or roles personnel or roles to whom the incident response policy is to be disseminated is/are defined;
ir-01_odp.02 personnel or roles personnel or roles to whom the incident response procedures are to be disseminated is/are defined;
ir-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
ir-01_odp.04 official an official to manage the incident response policy and procedures is defined;
ir-01_odp.05 frequency the frequency at which the current incident response policy is reviewed and updated is defined;
ir-01_odp.06 events events that would require the current incident response policy to be reviewed and updated are defined;
ir-01_odp.07 frequency the frequency at which the current incident response procedures are reviewed and updated is defined;
ir-01_odp.08 events events that would require the incident response procedures to be reviewed and updated are defined;
IR-02
Incident Response Training 4 params
a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or...
Param ID Label Constraint / Choices
ir-02_odp.01 time period a time period within which incident response training is to be provided to system users assuming an incident response...
ir-02_odp.02 frequency frequency at which to provide incident response training to users is defined;
ir-02_odp.03 frequency frequency at which to review and update incident response training content is defined;
ir-02_odp.04 events events that initiate a review of the incident response training content are defined;
IR-02(01)
Simulated Events
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
IR-02(02)
Automated Training Environments 1 param
Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}.
Param ID Label Constraint / Choices
ir-02.02_odp automated mechanisms automated mechanisms used in an incident response training environment are defined;
IR-02(03)
Breach
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
IR-03
Incident Response Testing 2 params
Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}.
Param ID Label Constraint / Choices
ir-03_odp.01 frequency frequency at which to test the effectiveness of the incident response capability for the system is defined;
ir-03_odp.02 tests tests used to test the effectiveness of the incident response capability for the system are defined;
IR-03(01)
Automated Testing 1 param
Test the incident response capability using {{ insert: param, ir-03.01_odp }}.
Param ID Label Constraint / Choices
ir-03.01_odp automated mechanisms automated mechanisms used to test the incident response capability are defined;
IR-03(02)
Coordination with Related Plans
Coordinate incident response testing with organizational elements responsible for related plans.
IR-03(03)
Continuous Improvement
Use qualitative and quantitative data from testing to: (a) Determine the effectiveness of incident response processes; (b) Continuously improve incident response processes; and (c) Provide in...
IR-04
Incident Handling
a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recov...
IR-04(01)
Automated Incident Handling Processes 1 param
Support the incident handling process using {{ insert: param, ir-04.01_odp }}.
Param ID Label Constraint / Choices
ir-04.01_odp automated mechanisms automated mechanisms used to support the incident handling process are defined;
IR-04(02)
Dynamic Reconfiguration 2 params
Include the following types of dynamic reconfiguration for {{ insert: param, ir-04.02_odp.02 }} as part of the incident response capability: {{ insert: param, ir-04.02_odp.01 }}.
Param ID Label Constraint / Choices
ir-04.02_odp.01 types of dynamic reconfiguration types of dynamic reconfiguration for system components are defined;
ir-04.02_odp.02 system components system components that require dynamic reconfiguration are defined;
IR-04(03)
Continuity of Operations 2 params
Identify {{ insert: param, ir-04.03_odp.01 }} and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: {{ insert: param...
Param ID Label Constraint / Choices
ir-04.03_odp.01 classes of incidents classes of incidents requiring an organization-defined action (defined in IR-04(03)_ODP[02]) to be taken are defined;
ir-04.03_odp.02 actions actions to be taken in response to organization-defined classes of incidents are defined;
IR-04(04)
Information Correlation
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-04(05)
Automatic Disabling of System 1 param
Implement a configurable capability to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected.
Param ID Label Constraint / Choices
ir-04.05_odp security violations security violations that automatically disable a system are defined;
IR-04(06)
Insider Threats
Implement an incident handling capability for incidents involving insider threats.
IR-04(07)
Insider Threats — Intra-organization Coordination 1 param
Coordinate an incident handling capability for insider threats that includes the following organizational entities {{ insert: param, ir-04.07_odp }}.
Param ID Label Constraint / Choices
ir-04.07_odp entities entities that require coordination for an incident handling capability for insider threats are defined;
IR-04(08)
Correlation with External Organizations 2 params
Coordinate with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective...
Param ID Label Constraint / Choices
ir-04.08_odp.01 external organizations external organizations with whom organizational incident information is to be coordinated and shared are defined;
ir-04.08_odp.02 incident information incident information to be correlated and shared with organization-defined external organizations is defined;
IR-04(09)
Dynamic Response Capability 1 param
Employ {{ insert: param, ir-04.09_odp }} to respond to incidents.
Param ID Label Constraint / Choices
ir-04.09_odp dynamic response capabilities dynamic response capabilities to be employed to respond to incidents are defined;
IR-04(10)
Supply Chain Coordination
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-04(11)
Integrated Incident Response Team 1 param
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.
Param ID Label Constraint / Choices
ir-04.11_odp time period the time period within which an integrated incident response team can be deployed is defined;
IR-04(12)
Malicious Code and Forensic Analysis
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
IR-04(13)
Behavior Analysis 1 param
Analyze anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }}.
Param ID Label Constraint / Choices
ir-04.13_odp environments or resources environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defi...
IR-04(14)
Security Operations Center
Establish and maintain a security operations center.
IR-04(15)
Public Relations and Reputation Repair
(a) Manage public relations associated with an incident; and (b) Employ measures to repair the reputation of the organization.
IR-05
Incident Monitoring
Track and document incidents.
IR-05(01)
Automated Tracking, Data Collection, and Analysis 4 params
Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}.
Param ID Label Constraint / Choices
ir-5.1_prm_1 organization-defined automated mechanisms Organization-defined
ir-05.01_odp.01 automated mechanisms automated mechanisms used to track incidents are defined;
ir-05.01_odp.02 automated mechanisms automated mechanisms used to collect incident information are defined;
ir-05.01_odp.03 automated mechanisms automated mechanisms used to analyze incident information are defined;
IR-06
Incident Reporting 2 params
a. Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and b. Report incident information to {{ insert:...
Param ID Label Constraint / Choices
ir-06_odp.01 time period time period for personnel to report suspected incidents to the organizational incident response capability is defined;
ir-06_odp.02 authorities authorities to whom incident information is to be reported are defined;
IR-06(01)
Automated Reporting 1 param
Report incidents using {{ insert: param, ir-06.01_odp }}.
Param ID Label Constraint / Choices
ir-06.01_odp automated mechanisms automated mechanisms used for reporting incidents are defined;
IR-06(02)
Vulnerabilities Related to Incidents 1 param
Report system vulnerabilities associated with reported incidents to {{ insert: param, ir-06.02_odp }}.
Param ID Label Constraint / Choices
ir-06.02_odp personnel or roles personnel or roles to whom system vulnerabilities associated with reported incidents are reported is/are defined;
IR-06(03)
Supply Chain Coordination
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to th...
IR-07
Incident Response Assistance
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting o...
IR-07(01)
Automation Support for Availability of Information and Support 1 param
Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}.
Param ID Label Constraint / Choices
ir-07.01_odp automated mechanisms automated mechanisms used to increase the availability of incident response information and support are defined;
IR-07(02)
Coordination with External Providers
(a) Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and (b) Identify organizational incident respon...
IR-08
Incident Response Plan 8 params
a. Develop an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of th...
Param ID Label Constraint / Choices
ir-8_prm_5 organization-defined incident response personnel (identified by name and/or by role) and organizational elements Organization-defined
ir-08_odp.01 personnel or roles personnel or roles that review and approve the incident response plan is/are identified;
ir-08_odp.02 frequency the frequency at which to review and approve the incident response plan is defined;
ir-08_odp.03 entities, personnel, or roles entities, personnel, or roles with designated responsibility for incident response are defined;
ir-08_odp.04 incident response personnel incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to b...
ir-08_odp.05 organizational elements organizational elements to which copies of the incident response plan are to be distributed are defined;
ir-08_odp.06 incident response personnel incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are ...
ir-08_odp.07 organizational elements organizational elements to which changes to the incident response plan are communicated are defined;
IR-08(01)
Breaches
Include the following in the Incident Response Plan for breaches involving personally identifiable information: (a) A process to determine if notice to individuals or other organizations, includi...
IR-09
Information Spillage Response 3 params
Respond to information spills by: a. Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills; b. Identifying the specific information involved in th...
Param ID Label Constraint / Choices
ir-09_odp.01 personnel or roles personnel or roles assigned the responsibility for responding to information spills is/are defined;
ir-09_odp.02 personnel or roles personnel or roles to be alerted of the information spill using a method of communication not associated with the spi...
ir-09_odp.03 actions actions to be performed are defined;
IR-09(01)
Responsible Personnel
IR-09(02)
Training 1 param
Provide information spillage response training {{ insert: param, ir-09.02_odp }}.
Param ID Label Constraint / Choices
ir-09.02_odp frequency frequency at which to provide information spillage response training is defined;
IR-09(03)
Post-spill Operations 1 param
Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing correcti...
Param ID Label Constraint / Choices
ir-09.03_odp procedures procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to c...
IR-09(04)
Exposure to Unauthorized Personnel 1 param
Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}.
Param ID Label Constraint / Choices
ir-09.04_odp controls controls employed for personnel exposed to information not within assigned access authorizations are defined;
IR-10
Integrated Information Security Analysis Team
ir-1a Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:
ir-1a.1 {{ insert: param, ir-01_odp.03 }} incident response policy that:
ir-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ir-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
ir-1a.2 Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
ir-1b Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and proc...
ir-1c Review and update the current incident response:
ir-1c.1 Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and
ir-1c.2 Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}.
ir-2a Provide incident response training to system users consistent with assigned roles and responsibilities:
ir-2a.1 Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;
ir-2a.2 When required by system changes; and
ir-2a.3 {{ insert: param, ir-02_odp.02 }} thereafter; and
ir-2b Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}.
ir-3.3.(a) Determine the effectiveness of incident response processes;
ir-3.3.(b) Continuously improve incident response processes; and
ir-3.3.(c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
ir-4.15.(a) Manage public relations associated with an incident; and
ir-4.15.(b) Employ measures to repair the reputation of the organization.
ir-4a Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and ...
ir-4b Coordinate incident handling activities with contingency planning activities;
ir-4c Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the r...
ir-4d Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
ir-6a Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and
ir-6b Report incident information to {{ insert: param, ir-06_odp.02 }}.
ir-7.2.(a) Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and
ir-7.2.(b) Identify organizational incident response team members to the external providers.
ir-8.1.(a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
ir-8.1.(b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms t...
ir-8.1.(c) Identification of applicable privacy requirements.
ir-8a Develop an incident response plan that:
ir-8a.1 Provides the organization with a roadmap for implementing its incident response capability;
ir-8a.2 Describes the structure and organization of the incident response capability;
ir-8a.3 Provides a high-level approach for how the incident response capability fits into the overall organization;
ir-8a.4 Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
ir-8a.5 Defines reportable incidents;
ir-8a.6 Provides metrics for measuring the incident response capability within the organization;
ir-8a.7 Defines the resources and management support needed to effectively maintain and mature an incident response capability;
ir-8a.8 Addresses the sharing of incident information;
ir-8a.9 Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and
ir-8a.10 Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.
ir-8b Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};
ir-8c Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or te...
ir-8d Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and
ir-8e Protect the incident response plan from unauthorized disclosure and modification.
ir-9a Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;
ir-9b Identifying the specific information involved in the system contamination;
ir-9c Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;
ir-9d Isolating the contaminated system or system component;
ir-9e Eradicating the information from the contaminated system or component;
ir-9f Identifying other systems or system components that may have been subsequently contaminated; and
ir-9g Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}.