IR-4 INCIDENT HANDLING

Overview

Number: IR-4
Title: Incident Handling
Impact: LOW
Priority: P1
Subject Area: Incident Response

Instructions
The organization:
IR-4a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
IR-4b. Coordinates incident handling activities with contingency planning activities; and
IR-4c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Guidance
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

Enhancements
IR-4 (1) Automated Incident Handling Processes (Impact: MODERATE)
Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

The organization employs automated mechanisms to support the incident handling process.

IR-4 (2) Dynamic Reconfiguration
Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats.

The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.

IR-4 (3) Continuity Of Operations
Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack.

The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.

IR-4 (4) Information Correlation (Impact: HIGH)
Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.

The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
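The correlation that IR-4 (4) and the IR-4 guidance describe, shown as an added example that is not part of the control text: constructed events from audit monitoring, network monitoring, physical access monitoring and a user report are grouped per subject within a time window and flagged only when enough distinct sources agree, so that signals no single source would escalate on their own become one incident. The source names, event fields, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; "source" values mirror the kinds of sources the
# IR-4 guidance lists (audit, network, physical access, user/administrator reports).
EVENTS = [
    {"ts": "2024-03-04T02:03:00", "source": "audit", "subject": "jdoe",
     "detail": "privilege escalation to admin"},
    {"ts": "2024-03-04T02:07:00", "source": "network", "subject": "jdoe",
     "detail": "bulk outbound transfer, 4 GB"},
    {"ts": "2024-03-04T02:09:00", "source": "physical", "subject": "jdoe",
     "detail": "server room badge-in after hours"},
    {"ts": "2024-03-04T09:30:00", "source": "user_report", "subject": "jdoe",
     "detail": "colleague reports unexpected workstation access"},
    {"ts": "2024-03-04T11:00:00", "source": "audit", "subject": "asmith",
     "detail": "single failed login"},
]


def _flag(subject, cluster, min_sources):
    """Turn a time-clustered group of events into an incident record if enough
    distinct sources observed the same subject; otherwise return nothing."""
    sources = {e["source"] for e in cluster}
    if len(sources) < min_sources:
        return []
    return [{"subject": subject, "sources": sorted(sources),
             "first_seen": cluster[0]["ts"], "last_seen": cluster[-1]["ts"]}]


def correlate(events, window=timedelta(hours=12), min_sources=3):
    """Group events by subject, split each subject's timeline into clusters that
    start a new window when an event falls more than `window` after the cluster's
    first event, and flag clusters seen by at least `min_sources` sources."""
    by_subject = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort correctly
        by_subject[e["subject"]].append(e)
    incidents = []
    for subject, evs in by_subject.items():
        cluster = []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if cluster and t - datetime.fromisoformat(cluster[0]["ts"]) > window:
                incidents.extend(_flag(subject, cluster, min_sources))
                cluster = []
            cluster.append(e)
        incidents.extend(_flag(subject, cluster, min_sources))
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

With the default 12-hour window the four jdoe observations collapse into one incident, while the lone asmith audit event stays below the threshold; a one-hour window still flags the three night-time events but treats the morning user report as a separate, unflagged cluster.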

IR-4 (5) Automatic Disabling Of Information System

The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.

IR-4 (6) Insider Threats - Specific Capabilities
While many organizations address insider threat incidents as an inherent part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses.

The organization implements incident handling capability for insider threats.

IR-4 (7) Insider Threats - Intra-Organization Coordination
Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies.

The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].

IR-4 (8) Correlation With External Organizations
The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals.

The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.

IR-4 (9) Dynamic Response Capability
This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level.

The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.

IR-4 (10) Supply Chain Coordination
Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities.

The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.