IR-02 Incident Response Training
a. Provide incident response training to system users consistent with assigned roles and responsibilities:
1. Within ir-02_odp.01 of assuming an incident response role or responsibility or acquiring system access;
2. When required by system changes; and
3. ir-02_odp.02 thereafter; and
b. Review and update incident response training content ir-02_odp.03 and following ir-02_odp.04.
Parameter ID | Definition |
---|---|
ir-02_odp.01 | time period |
ir-02_odp.02 | frequency |
ir-02_odp.03 | frequency |
ir-02_odp.04 | events |
Baselines
- L
- M
- H
- P
Guidance
Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
References
- OMB M-17-12 Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017.
- SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Control Enhancements
- IR-02(01) Simulated Events
- IR-02(02) Automated Training Environments
- IR-02(03) Breach
Related controls
- AT-02 Literacy Training and Awareness
- AT-03 Role-based Training
- AT-04 Training Records
- CP-03 Contingency Training
- IR-03 Incident Response Testing
- IR-04 Incident Handling
- IR-08 Incident Response Plan
- IR-09 Information Spillage Response