IR-4: Incident Handling
From NIST's SP800-53:
a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers |
| DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
| RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams |
| RS.CO-4 | Coordination with stakeholders occurs consistent with response plans |
| RC.IM-2 | Recovery strategies are updated |
| RS.CO-3 | Information is shared consistent with response plans |
| RS.MI-2 | Incidents are mitigated |
| RS.IM-2 | Response strategies are updated |
| RS.IM-1 | Response plans incorporate lessons learned |
| RS.AN-3 | Forensics are performed |
| DE.AE-5 | Incident alert thresholds are established |
| RS.AN-1 | Notifications from detection systems are investigated |
| RS.RP-1 | Response plan is executed during or after an incident |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods |
| RS.AN-2 | The impact of the incident is understood |
| RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident |
| DE.AE-4 | Impact of events is determined |
| RC.IM-1 | Recovery plans incorporate lessons learned |
| RS.AN-4 | Incidents are categorized consistent with response plans |
| RS.MI-1 | Incidents are contained |