IR-8

IR-8 INCIDENT RESPONSE PLAN

Overview

Number	Title	Impact	Priority	Subject Area
IR-8	Incident Response Plan	LOW	P1	Incident Response

Instructions
The organization: IR-8a. Develops an incident response plan that: IR-8a.1. Provides the organization with a roadmap for implementing its incident response capability; IR-8a.2. Describes the structure and organization of the incident response capability; IR-8a.3. Provides a high-level approach for how the incident response capability fits into the overall organization; IR-8a.4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; IR-8a.5. Defines reportable incidents; IR-8a.6. Provides metrics for measuring the incident response capability within the organization; IR-8a.7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and IR-8a.8. Is reviewed and approved by Assignment: organization-defined personnel or roles; IR-8b. Distributes copies of the incident response plan to Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements; IR-8c. Reviews the incident response plan Assignment: organization-defined frequency; IR-8d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; IR-8e. Communicates incident response plan changes to Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and IR-8f. Protects the incident response plan from unauthorized disclosure and modification.

Instructions

The organization:

IR-8a.

Develops an incident response plan that:

IR-8a.1.

Provides the organization with a roadmap for implementing its incident response capability;

IR-8a.2.

Describes the structure and organization of the incident response capability;

IR-8a.3.

Provides a high-level approach for how the incident response capability fits into the overall organization;

IR-8a.4.

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

IR-8a.5.

Defines reportable incidents;

IR-8a.6.

Provides metrics for measuring the incident response capability within the organization;

IR-8a.7.

Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

IR-8a.8.

Is reviewed and approved by Assignment: organization-defined personnel or roles;

IR-8b.

Distributes copies of the incident response plan to Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

IR-8c.

Reviews the incident response plan Assignment: organization-defined frequency;

IR-8d.

Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

IR-8e.

Communicates incident response plan changes to Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

IR-8f.

Protects the incident response plan from unauthorized disclosure and modification.

Guidance
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

Guidance

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

Enhancements