IR-04 Incident Handling
a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
Baselines
- L
- M
- H
- P
Guidance
Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.
References
- FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
- 41 CFR 201 "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal Register 54263 (September 1, 2020), pp 54263-54271.
- OMB M-17-12 Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017.
- SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
- SP 800-86 Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86.
- SP 800-101 Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1.
- SP 800-150 Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150.
- SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
- SP 800-184 Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184.
- IR 7559 Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559.
Control Enhancements
- IR-04(01) Automated Incident Handling Processes
- IR-04(02) Dynamic Reconfiguration
- IR-04(03) Continuity of Operations
- IR-04(04) Information Correlation
- IR-04(05) Automatic Disabling of System
- IR-04(06) Insider Threats
- IR-04(07) Insider Threats — Intra-organization Coordination
- IR-04(08) Correlation with External Organizations
- IR-04(09) Dynamic Response Capability
- IR-04(10) Supply Chain Coordination
- IR-04(11) Integrated Incident Response Team
- IR-04(12) Malicious Code and Forensic Analysis
- IR-04(13) Behavior Analysis
- IR-04(14) Security Operations Center
- IR-04(15) Public Relations and Reputation Repair
Related controls
- AC-19 Access Control for Mobile Devices
- AU-06 Audit Record Review, Analysis, and Reporting
- AU-07 Audit Record Reduction and Report Generation
- CM-06 Configuration Settings
- CP-02 Contingency Plan
- CP-03 Contingency Training
- CP-04 Contingency Plan Testing
- IR-02 Incident Response Training
- IR-03 Incident Response Testing
- IR-05 Incident Monitoring
- IR-06 Incident Reporting
- IR-08 Incident Response Plan
- PE-06 Monitoring Physical Access
- PL-02 System Security and Privacy Plans
- PM-12 Insider Threat Program
- SA-08 Security and Privacy Engineering Principles
- SC-05 Denial-of-service Protection
- SC-07 Boundary Protection
- SI-03 Malicious Code Protection
- SI-04 System Monitoring
- SI-07 Software, Firmware, and Information Integrity