Navigate

IR-3

IR-3: Incident Response Testing

The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

Supplemental

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to IR-3.

Control	Description
CP-4	The organization: CP-4a.: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; CP-4b.: Reviews the contingency plan test results; and CP-4c.: Initiates corrective actions, if needed.
IR-8	The organization: IR-8a.: Develops an incident response plan that: IR-8a.1.: Provides the organization with a roadmap for implementing its incident response capability; IR-8a.2.: Describes the structure and organization of the incident response capability; IR-8a.3.: Provides a high-level approach for how the incident response capability fits into the overall organization; IR-8a.4.: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; IR-8a.5.: Defines reportable incidents; IR-8a.6.: Provides metrics for measuring the incident response capability within the organization; IR-8a.7.: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and IR-8a.8.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; IR-8b.: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; IR-8c.: Reviews the incident response plan [Assignment: organization-defined frequency]; IR-8d.: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; IR-8e.: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and IR-8f.: Protects the incident response plan from unauthorized disclosure and modification.

Control

Description

CP-4

The organization:

CP-4a.: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;

CP-4b.: Reviews the contingency plan test results; and

CP-4c.: Initiates corrective actions, if needed.

IR-8

The organization:

IR-8a.: Develops an incident response plan that:
- IR-8a.1.: Provides the organization with a roadmap for implementing its incident response capability;
- IR-8a.2.: Describes the structure and organization of the incident response capability;
- IR-8a.3.: Provides a high-level approach for how the incident response capability fits into the overall organization;
- IR-8a.4.: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- IR-8a.5.: Defines reportable incidents;
- IR-8a.6.: Provides metrics for measuring the incident response capability within the organization;
- IR-8a.7.: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- IR-8a.8.: Is reviewed and approved by [Assignment: organization-defined personnel or roles];

IR-8b.: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];

IR-8c.: Reviews the incident response plan [Assignment: organization-defined frequency];

IR-8d.: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

IR-8e.: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and

IR-8f.: Protects the incident response plan from unauthorized disclosure and modification.

Enhancements

The controls below (if any) add on to the requirements of IR-3.

Control	Description
IR-3 (1)	The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
IR-3 (2)	The organization coordinates incident response testing with organizational elements responsible for related plans.

Related CCIs

The CCIs below are tied to IR-3.

CCI	Definition
CCI-000818	The organization tests the incident response capability for the information system on an organization-defined frequency using organization-defined tests to determine the incident response effectiveness.
CCI-000819	The organization defines a frequency for incident response tests.
CCI-000820	The organization defines tests for incident response.
CCI-001624	The organization documents the results of incident response tests.