Navigate

IR-4

IR-4: Incident Handling

The organization:

IR-4a.: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

IR-4b.: Coordinates incident handling activities with contingency planning activities; and

IR-4c.: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Supplemental

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to IR-4.

Control	Description
AU-6	The organization: AU-6a.: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and AU-6b.: Reports findings to [Assignment: organization-defined personnel or roles].
CM-6	The organization: CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; CM-6b.: Implements the configuration settings; CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CP-2	The organization: CP-2a.: Develops a contingency plan for the information system that: CP-2a.1.: Identifies essential missions and business functions and associated contingency requirements; CP-2a.2.: Provides recovery objectives, restoration priorities, and metrics; CP-2a.3.: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.4.: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; CP-2a.5.: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and CP-2a.6.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2b.: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2c.: Coordinates contingency planning activities with incident handling activities; CP-2d.: Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; CP-2e.: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2f.: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and CP-2g.: Protects the contingency plan from unauthorized disclosure and modification.
CP-4	The organization: CP-4a.: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; CP-4b.: Reviews the contingency plan test results; and CP-4c.: Initiates corrective actions, if needed.
IR-2	The organization provides incident response training to information system users consistent with assigned roles and responsibilities: IR-2a.: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; IR-2b.: When required by information system changes; and IR-2c.: [Assignment: organization-defined frequency] thereafter.
IR-3	The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
IR-8	The organization: IR-8a.: Develops an incident response plan that: IR-8a.1.: Provides the organization with a roadmap for implementing its incident response capability; IR-8a.2.: Describes the structure and organization of the incident response capability; IR-8a.3.: Provides a high-level approach for how the incident response capability fits into the overall organization; IR-8a.4.: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; IR-8a.5.: Defines reportable incidents; IR-8a.6.: Provides metrics for measuring the incident response capability within the organization; IR-8a.7.: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and IR-8a.8.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; IR-8b.: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; IR-8c.: Reviews the incident response plan [Assignment: organization-defined frequency]; IR-8d.: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; IR-8e.: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and IR-8f.: Protects the incident response plan from unauthorized disclosure and modification.
PE-6	The organization: PE-6a.: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; PE-6b.: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and PE-6c.: Coordinates results of reviews and investigations with the organizational incident response capability.
SC-5	The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].
SC-7	The information system: SC-7a.: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; SC-7b.: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and SC-7c.: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SI-3	The organization: SI-3a.: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; SI-3b.: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; SI-3c.: Configures malicious code protection mechanisms to: SI-3c.1.: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and SI-3c.2.: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and SI-3d.: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
SI-4	The organization: SI-4a.: Monitors the information system to detect: SI-4a.1.: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.2.: Unauthorized local, network, and remote connections; SI-4b.: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; SI-4c.: Deploys monitoring devices: SI-4c.1.: Strategically within the information system to collect organization-determined essential information; and SI-4c.2.: At ad hoc locations within the system to track specific types of transactions of interest to the organization; SI-4d.: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; SI-4e.: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; SI-4f.: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and SI-4g.: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
SI-7	The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Enhancements

The controls below (if any) add on to the requirements of IR-4.

Control	Description
IR-4 (1)	The organization employs automated mechanisms to support the incident handling process.
IR-4 (2)	The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
IR-4 (3)	The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
IR-4 (4)	The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-4 (5)	The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
IR-4 (6)	The organization implements incident handling capability for insider threats.
IR-4 (7)	The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
IR-4 (8)	The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
IR-4 (9)	The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
IR-4 (10)	The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.

Related CCIs

The CCIs below are tied to IR-4.

CCI	Definition
CCI-000822	The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
CCI-000823	The organization coordinates incident handling activities with contingency planning activities.
CCI-000824	The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.
CCI-001625	The organization implements the resulting incident handling activity changes to incident response procedures, training, and testing/exercises accordingly.