Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Incident response
Appendix 1.8 Incident response
IR-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update incident response policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of incident response action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, page 64
- NIST Special Publications 800-61, Rev. 2
- NIST Special Publications 800-83, Rev. 1
- NIST Special Publications 800-100 124–30
- LIMSpec 7.1, 7.2
IR-2 Incident response training
This control recommends the organization provide incident response training to those system users with roles and responsibilities tied to incident response and, more broadly, business continuity planning. That training should occur initially, within an organization-defined period of time upon taking on a related role or responsibility, and when required by major changes to the system. Follow-up training should be conducted at a defined frequency afterwards.
Additional resources:
IR-4 Incident handling
This control recommends the organization, as part of its incident response planning (see IR-8), address how it will engage in preparation, detection and analysis, containment, eradication, and recovery from a security incident. That organization will also link its incident handling with its contingency planning activities and update its incident and business continuity plans, as well as affected training regiments, with "lessons learned" from internal and external events.
Additional resources:
- NIST Special Publications 800-61, Rev. 2
- No LIMSpec comp (organizational policy rather than system specification)
IR-4 (1) Incident handling: Automated incident handling processes
This control enhancement recommends the organization employ automated mechanisms to better handle incident response initiatives. NIST gives the example of online incident management systems as a possible automated tool to use.
Additional resources:
IR-5 Incident monitoring
This control recommends the organization track and document security incidents affecting the system. For these purposes, the organization may consider pulling information from "incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports."
Additional resources:
IR-6 Incident reporting
This control recommends the organization require security incidents, suspected and real, and any relevant information to be reported to the appropriate organizational personnel within a certain period of time.
Additional resources:
IR-6 (1) Incident reporting: Automated reporting
This control enhancement recommends the the organization employ automated mechanisms to better handle reporting of security incidents. These automated mechanisms would likely be tied to existing monitoring controls.
Additional resources:
IR-7 Incident response assistance
This control recommends the organization provide support resources that offer advice and assistance to system users confronted with handling and reporting security incidents. Those support resources could come in the form of help desk, a responsible individual designated in the incident response plan, or in-house or third-party forensic services.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
IR-8 Incident response plan
This control recommends the organization develop, document, disseminate, review, update, and protect an organizational incident response plan. That plan should be sophisticated enough to contain an incident response roadmap for implementing the developed plan, which should include how the overall plan meshes with business and cybersecurity goals, the resources and responsible individuals that are part of the plan, what should be reportable, and what the associated metrics will be for measuring incident response and its aftermath. The plan should be reviewed and approved by one or more designated personnel, usually leadership or management. Any changes to the plan should be communicated to appropriate personnel, and any affected training should be updated.
Additional resources:
- NIST Special Publications 800-61, Rev. 2
- No LIMSpec comp (organizational policy rather than system specification)
