IR-8: Incident Response Plan
From NIST's SP800-53:
a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
8. Addresses the sharing of incident information;
9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
e. Protect the incident response plan from unauthorized disclosure and modification.
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
CSF Subcategory ID | Description |
---|---|
RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident |
RS.AN-4 | Incidents are categorized consistent with response plans |
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed |
RC.IM-1 | Recovery plans incorporate lessons learned |
RS.RP-1 | Response plan is executed during or after an incident |
PR.IP-7 | Protection processes are improved |
RS.CO-2 | Incidents are reported consistent with established criteria |
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans |
RS.CO-3 | Information is shared consistent with response plans |
DE.AE-5 | Incident alert thresholds are established |
RS.IM-2 | Response strategies are updated |
ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers |
RS.IM-1 | Response plans incorporate lessons learned |
RS.CO-1 | Personnel know their roles and order of operations when a response is needed |
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
RC.IM-2 | Recovery strategies are updated |