Navigate

IR-8

IR-8: Incident Response Plan

The organization:

a: Develops an incident response plan that:
- 1: Provides the organization with a roadmap for implementing its incident response capability;
- 2: Describes the structure and organization of the incident response capability;
- 3: Provides a high-level approach for how the incident response capability fits into the overall organization;
- 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- 5: Defines reportable incidents;
- 6: Provides metrics for measuring the incident response capability within the organization;
- 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- 8: Is reviewed and approved by [one of ];

b: Distributes copies of the incident response plan to [one of ];

c: Reviews the incident response plan [one of ];

d: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

e: Communicates incident response plan changes to [one of ]; and

f: Protects the incident response plan from unauthorized disclosure and modification.

Supplemental

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

CSF Categories
DE.AE-3, DE.AE-5, ID.SC-5, PR.IP-7, PR.IP-9, RC.IM-1, RC.IM-2, RC.RP-1, RS.AN-4, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.IM-1, RS.IM-2, RS.RP-1

Related Controls

The controls below (if any) were marked by NIST as being related to IR-8.

Control	Description
MP-2	The organization restricts access to [one of ] to [one of ].
MP-4	The organization: a: Physically controls and securely stores [one of ] within [one of ]; and b: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5	The organization: a: Protects and controls [one of ] during transport outside of controlled areas using [one of ]; b: Maintains accountability for information system media during transport outside of controlled areas; c: Documents activities associated with the transport of information system media; and d: Restricts the activities associated with the transport of information system media to authorized personnel.

Enhancements

The controls below (if any) add on to the requirements of IR-8.

Control	Description
No controls

Related CCIs

The CCIs below are tied to IR-8.

CCI	Definition
CCI-000844	Develop an incident response plan that is reviewed and approved by organization-defined personnel or roles on an organization-defined frequency.
CCI-000845	Defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan are distributed.
CCI-000846	Distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
CCI-000847	The organization defines the frequency for reviewing the incident response plan.
CCI-000848	The organization reviews the incident response plan on an organization-defined frequency.
CCI-000849	Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
CCI-000850	Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
CCI-002794	Develop an incident response plan.
CCI-002795	Develop an incident response plan that provides the organization with a roadmap for implementing its incident response capability.
CCI-002796	Develop an incident response plan that describes the structure and organization of the incident response capability.
CCI-002797	Develop an incident response plan that provides a high-level approach for how the incident response capability fits into the overall organization.
CCI-002798	Develop an incident response plan that meets the unique requirements of the organization, which relate to mission, size, structure, and functions.
CCI-002799	Develop an incident response plan that defines reportable incidents.
CCI-002800	Develop an incident response plan that provides metrics for measuring the incident response capability within the organization.
CCI-002801	Develop an incident response plan that defines the resources and management support needed to effectively maintain and mature an incident response capability.
CCI-002802	Defines personnel or roles to review and approve the incident response plan.
CCI-002803	Defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated.
CCI-002804	Protect the incident response plan from unauthorized disclosure and modification.