Navigate

CCI-002794

CCI-002794 Definition

Develop an incident response plan.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if an incident response plan is developed that explicitly designates responsibility for incident response to [IR-08_ODP[03]; entities, personnel, or roles with designated responsibility for incident response are defined].

Validation Procedures

Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; records of incident response plan reviews and approvals; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational incident response plan and related organizational processes].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002794.

Control	Description
IR-8	a: Develop an incident response plan that: 1: Provides the organization with a roadmap for implementing its incident response capability; 2: Describes the structure and organization of the incident response capability; 3: Provides a high-level approach for how the incident response capability fits into the overall organization; 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5: Defines reportable incidents; 6: Provides metrics for measuring the incident response capability within the organization; 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8: Addresses the sharing of incident information; 9: Is reviewed and approved by [personnel or roles that review and approve the incident response plan is/are identified;] [the frequency at which to review and approve the incident response plan is defined;] ; and 10: Explicitly designates responsibility for incident response to [entities, personnel, or roles with designated responsibility for incident response are defined;]. b: Distribute copies of the incident response plan to [incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;]; c: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d: Communicate incident response plan changes to [one of ] ; and e: Protect the incident response plan from unauthorized disclosure and modification.

Control

Description

IR-8

a: Develop an incident response plan that:
- 1: Provides the organization with a roadmap for implementing its incident response capability;
- 2: Describes the structure and organization of the incident response capability;
- 3: Provides a high-level approach for how the incident response capability fits into the overall organization;
- 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- 5: Defines reportable incidents;
- 6: Provides metrics for measuring the incident response capability within the organization;
- 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability;
- 8: Addresses the sharing of incident information;
- 9: Is reviewed and approved by [personnel or roles that review and approve the incident response plan is/are identified;] [the frequency at which to review and approve the incident response plan is defined;] ; and
- 10: Explicitly designates responsibility for incident response to [entities, personnel, or roles with designated responsibility for incident response are defined;].

b: Distribute copies of the incident response plan to [incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;];

c: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

d: Communicate incident response plan changes to [one of ] ; and

e: Protect the incident response plan from unauthorized disclosure and modification.