The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
   1. Incident response policy [Assignment: organization-defined frequency]; and
   2. Incident response procedures [Assignment: organization-defined frequency].
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
The organization coordinates incident response testing with organizational elements responsible for related plans.
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
The organization employs automated mechanisms to support the incident handling process.
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
The organization implements incident handling capability for insider threats.
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
The organization tracks and documents information system security incidents.
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
b. Reports security incident information to [Assignment: organization-defined authorities].
The organization employs automated mechanisms to assist in the reporting of security incidents.
The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles].
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
(b) Identifies organizational incident response team members to the external providers.
The organization:
a. Develops an incident response plan that:
   1. Provides the organization with a roadmap for implementing its incident response capability;
   2. Describes the structure and organization of the incident response capability;
   3. Provides a high-level approach for how the incident response capability fits into the overall organization;
   4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
   5. Defines reportable incidents;
   6. Provides metrics for measuring the incident response capability within the organization;
   7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
   8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.
The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions].
The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
The organization provides information spillage response training [Assignment: organization-defined frequency].
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.