Navigate

CCI-000844

CCI-000844 Definition

Develop an incident response plan that is reviewed and approved by organization-defined personnel or roles on an organization-defined frequency.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if an incident response plan is developed that is reviewed and approved by [IR-08_ODP[01]; personnel or roles that review and approve the incident response plan is/are identified] [IR-08_ODP[02]; the frequency at which to review and approve the incident response plan is defined].

Validation Procedures

Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; records of incident response plan reviews and approvals; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational incident response plan and related organizational processes].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000844.

Control	Description
IR-8	a: Develop an incident response plan that: 1: Provides the organization with a roadmap for implementing its incident response capability; 2: Describes the structure and organization of the incident response capability; 3: Provides a high-level approach for how the incident response capability fits into the overall organization; 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5: Defines reportable incidents; 6: Provides metrics for measuring the incident response capability within the organization; 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8: Addresses the sharing of incident information; 9: Is reviewed and approved by [personnel or roles that review and approve the incident response plan is/are identified;] [the frequency at which to review and approve the incident response plan is defined;] ; and 10: Explicitly designates responsibility for incident response to [entities, personnel, or roles with designated responsibility for incident response are defined;]. b: Distribute copies of the incident response plan to [incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;]; c: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d: Communicate incident response plan changes to [one of ] ; and e: Protect the incident response plan from unauthorized disclosure and modification.

Control

Description

IR-8

a: Develop an incident response plan that:
- 1: Provides the organization with a roadmap for implementing its incident response capability;
- 2: Describes the structure and organization of the incident response capability;
- 3: Provides a high-level approach for how the incident response capability fits into the overall organization;
- 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- 5: Defines reportable incidents;
- 6: Provides metrics for measuring the incident response capability within the organization;
- 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability;
- 8: Addresses the sharing of incident information;
- 9: Is reviewed and approved by [personnel or roles that review and approve the incident response plan is/are identified;] [the frequency at which to review and approve the incident response plan is defined;] ; and
- 10: Explicitly designates responsibility for incident response to [entities, personnel, or roles with designated responsibility for incident response are defined;].

b: Distribute copies of the incident response plan to [incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;];

c: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

d: Communicate incident response plan changes to [one of ] ; and

e: Protect the incident response plan from unauthorized disclosure and modification.