Control: The organisation:
Incident Handling Supplemental Guidance:
Organisations recognise that incident response capability is dependent on the capabilities of organisational information systems and the mission/business processes being supported by those systems. Therefore, organisations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organisational entities including, for example, mission/business owners, information system owners, authorising officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).
Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
Incident Handling Control Enhancements:
IR-4 (1) Incident Handling - Automated Incident Handling processes
The organisation employs automated mechanisms to support the incident handling process.
Supplemental Guidance: Automated mechanisms supporting incident handling processes include, for example, online incident management systems.
IR-4 (2) Incident Handling - Dynamic Reconfiguration
The organisation includes dynamic reconfiguration of [Assignment: organisation-defined information system components] as part of the incident response capability.
Supplemental Guidance: Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organisations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organisations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats.
IR-4 (3) Incident Handling - Continuity of Operations
The organisation identifies [Assignment: organisation-defined classes of incidents] and [Assignment: organisation-defined actions to take in response to classes of incidents] to ensure continuation of organisational missions and business functions.
Supplemental Guidance: Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and un-targeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack.
IR-4 (4) Incident Handling - Information Correlation
The organisation correlates incident information and individual incident responses to achieve an organisation-wide perspective on incident awareness and response.
Supplemental Guidance: Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organisations.
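As an added illustration of the cross-source correlation IR-4(4) describes (example code, not part of the control text): each monitoring source alone reports a low-signal observation, and only grouping them by asset within a time window reveals the incident. The source names, asset names, observations and one-hour window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Observation:
    source: str      # audit, network, physical, user_report, supply_chain
    asset: str       # the system component the observation concerns
    when: datetime
    detail: str

# Constructed sample observations, not real telemetry.
OBSERVATIONS = [
    Observation("audit", "ws-042", datetime(2024, 5, 1, 9, 2), "12 failed logons for svc_backup"),
    Observation("network", "ws-042", datetime(2024, 5, 1, 9, 10), "outbound SMB to unfamiliar host"),
    Observation("user_report", "ws-042", datetime(2024, 5, 1, 9, 25), "user reports files renamed"),
    Observation("audit", "db-07", datetime(2024, 5, 1, 11, 0), "single failed logon"),
    Observation("network", "ws-042", datetime(2024, 5, 2, 14, 0), "routine software update"),
]

def correlate(observations, window=timedelta(hours=1), min_sources=2):
    """Group observations by asset and flag every time window in which at
    least `min_sources` distinct reporting sources observed the same asset."""
    by_asset = defaultdict(list)
    for obs in observations:
        by_asset[obs.asset].append(obs)
    incidents = []
    for asset, obs_list in by_asset.items():
        obs_list.sort(key=lambda o: o.when)
        i = 0
        while i < len(obs_list):
            # Extend the window from obs_list[i] while later observations fit.
            j = i
            while j + 1 < len(obs_list) and obs_list[j + 1].when - obs_list[i].when <= window:
                j += 1
            cluster = obs_list[i:j + 1]
            sources = {o.source for o in cluster}
            if len(sources) >= min_sources:
                incidents.append({
                    "asset": asset, "sources": sources,
                    "start": cluster[0].when, "end": cluster[-1].when,
                    "details": [o.detail for o in cluster],
                })
            i = j + 1
    return incidents
```

Raising `min_sources` or shrinking `window` tightens the organisation-defined threshold at which separate reports are treated as one incident.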
IR-4 (5) Incident Handling - Automatic Disabling of Information System
The organisation implements a configurable capability to automatically disable the information system if [Assignment: organisation-defined security violations] are detected.
IR-4 (6) Incident Handling - Insider Threats - Specific Capabilities
The organisation implements incident handling capability for insider threats.
Supplemental Guidance: While many organisations address insider threat incidents as an inherent part of their organisational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organisations) to provide appropriate and timely responses.
IR-4 (7) Incident Handling - Insider Threats - Intra-organisation Coordination
The organisation coordinates incident handling capability for insider threats across [Assignment: organisation-defined components or elements of the organisation].
Supplemental Guidance: Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organisational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organisations may require external support from federal, state, and local law enforcement agencies.
IR-4 (8) Incident Handling - Correlation with External Organisations
The organisation coordinates with [Assignment: organisation-defined external organisations] to correlate and share [Assignment: organisation-defined incident information] to achieve a cross-organisation perspective on incident awareness and more effective incident responses.
Supplemental Guidance: The coordination of incident information with external organisations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organisational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organisations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organisation’s operations, assets, and individuals.
IR-4 (9) Incident Handling - Dynamic Response Capability
The organisation employs [Assignment: organisation-defined dynamic response capabilities] to effectively respond to security incidents.
Supplemental Guidance: This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level.
Related control: CP-10.
IR-4 (10) Incident Handling - Supply Chain Coordination
The organisation coordinates incident handling activities involving supply chain events with other organisations involved in the supply chain.
Supplemental Guidance: Organisations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities.