Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Why Is This Control Critical?
Cyber incidents are now just part of our way of life. Even large, well-funded, and technically sophisticated enterprises struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber attack against an enterprise is not 'if' but 'when.' When an incident occurs, if an enterprise does not already have a well-planned incident response capability, victims tend to make a series of mistakes that can delay remediation or exacerbate the damages from the attack.
Safeguards (9)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 17.1 | Designate Personnel to Manage Incident Handling | Respond | IG1, IG2, IG3 | 12 | 9 |
| 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Respond | IG1, IG2, IG3 | 9 | 7 |
| 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Respond | IG1, IG2, IG3 | 7 | 5 |
| 17.4 | Establish and Maintain an Incident Response Process | Respond | IG2, IG3 | 7 | 5 |
| 17.5 | Assign Key Roles and Responsibilities | Respond | IG2, IG3 | 7 | 5 |
| 17.6 | Define Mechanisms for Communicating During Incident Response | Respond | IG2, IG3 | 9 | 6 |
| 17.7 | Conduct Routine Incident Response Exercises | Recover | IG2, IG3 | 7 | 5 |
| 17.8 | Conduct Post-Incident Reviews | Recover | IG2, IG3 | 7 | 5 |
| 17.9 | Establish and Maintain Security Incident Thresholds | Recover | IG3 | 10 | 7 |
Audit Verification Details
17.1 Designate Personnel to Manage Incident Handling
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Automated backups run on schedule and backup jobs complete successfully. | Backup job status reports, success/failure rates |
| Backups are stored securely with offsite or air-gapped copies. | Backup storage architecture, offsite replication evidence |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Backup restoration has been tested and data integrity verified. | Restoration test results with integrity verification |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Technical | Backup job status reports and success rates | Reviewed weekly |
| Record | Backup restoration test results | Tested quarterly |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.4 Establish and Maintain an Incident Response Process
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.5 Assign Key Roles and Responsibilities
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.6 Define Mechanisms for Communicating During Incident Response
Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Email authentication (SPF, DKIM, DMARC) is configured and passing. | DNS record verification, DMARC aggregate reports |
| Email filtering is active for attachments and URLs. | Email gateway configuration, filtering statistics |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Technical | Email security configuration (SPF, DKIM, DMARC records) | Verified quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.7 Conduct Routine Incident Response Exercises
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Recovery objectives (RTO/RPO) are defined and documented. | Recovery plan with stated RTO/RPO values |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Recovery procedures have been tested and results meet stated objectives. | Recovery test reports showing actual vs. target RTO/RPO |
| Recovery procedures are updated based on test results and lessons learned. | Updated procedures with revision history |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.8 Conduct Post-Incident Reviews
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Recovery objectives (RTO/RPO) are defined and documented. | Recovery plan with stated RTO/RPO values |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Recovery procedures have been tested and results meet stated objectives. | Recovery test reports showing actual vs. target RTO/RPO |
| Recovery procedures are updated based on test results and lessons learned. | Updated procedures with revision history |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
17.9 Establish and Maintain Security Incident Thresholds
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Recovery objectives (RTO/RPO) are defined and documented. | Recovery plan with stated RTO/RPO values |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Vulnerability scans cover all in-scope assets and run at the defined frequency. | Scan reports with scope and schedule evidence |
| Recovery procedures have been tested and results meet stated objectives. | Recovery test reports showing actual vs. target RTO/RPO |
| Recovery procedures are updated based on test results and lessons learned. | Updated procedures with revision history |
| Vulnerabilities are remediated within defined SLAs by severity. | Remediation tracking with SLA compliance metrics |
| Exceptions and risk acceptances are documented and approved. | Exception/waiver records with management sign-off |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |