Navigate

CCI-000824

CCI-000824 Definition

The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed will conduct after action reviews from incidents to identify lessons learned and will incorporate them into procedures, training, and testing/exercises. The organization must maintain records of after action reviews.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines after action reports or meeting minutes to identify actionable lessons learned to verify that lessons learned are incorporated into the plan as changes are necessary.

Compelling Evidence

1.) After action reports

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000824.

Control	Description
IR-4	The organization: IR-4a.: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; IR-4b.: Coordinates incident handling activities with contingency planning activities; and IR-4c.: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Control

Description

IR-4

The organization:

IR-4a.: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

IR-4b.: Coordinates incident handling activities with contingency planning activities; and

IR-4c.: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.