IR-08 Incident Response Plan
a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
8. Addresses the sharing of incident information;
9. Is reviewed and approved by ir-08_odp.01 ir-08_odp.02 ; and
10. Explicitly designates responsibility for incident response to ir-08_odp.03.
b. Distribute copies of the incident response plan to ir-08_odp.04;
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to ir-8_prm_5 ; and
e. Protect the incident response plan from unauthorized disclosure and modification.
| Parameter ID | Definition |
|---|---|
| ir-8_prm_5 | organization-defined incident response personnel (identified by name and/or by role) and organizational elements |
| ir-08_odp.01 | personnel or roles |
| ir-08_odp.02 | frequency |
| ir-08_odp.03 | entities, personnel, or roles |
| ir-08_odp.04 | incident response personnel |
| ir-08_odp.05 | organizational elements |
| ir-08_odp.06 | incident response personnel |
| ir-08_odp.07 | organizational elements |
Baselines
- L
- M
- H
- P
Guidance
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.
References 3
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
- OMB M-17-12 Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017.
Control Enhancements 1
- IR-08(01) Breaches L M H P
Related controls 11
- AC-02 Account Management L M H P
- CP-02 Contingency Plan L M H P
- CP-04 Contingency Plan Testing L M H P
- IR-04 Incident Handling L M H P
- IR-07 Incident Response Assistance L M H P
- IR-09 Information Spillage Response L M H P
- PE-06 Monitoring Physical Access L M H P
- PL-02 System Security and Privacy Plans L M H P
- SA-15 Development Process, Standards, and Tools L M H P
- SI-12 Information Management and Retention L M H P
- SR-08 Notification Agreements L M H P