IR-4: Incident Handling

From NIST's SP800-53:

a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

SP800-53 Control Mapped to NIST Cyber Security Framework

Generated from NIST's SP800-53/CSF crosswalk mappings. Entries are grouped by CSF function (Identify, Detect, Respond, Recover).

Control ID   Description
ID.SC-5      Response and recovery planning and testing are conducted with suppliers and third-party providers
DE.AE-2      Detected events are analyzed to understand attack targets and methods
DE.AE-3      Event data are collected and correlated from multiple sources and sensors
DE.AE-4      Impact of events is determined
DE.AE-5      Incident alert thresholds are established
RS.RP-1      Response plan is executed during or after an incident
RS.CO-3      Information is shared consistent with response plans
RS.CO-4      Coordination with stakeholders occurs consistent with response plans
RS.AN-1      Notifications from detection systems are investigated
RS.AN-2      The impact of the incident is understood
RS.AN-3      Forensics are performed
RS.AN-4      Incidents are categorized consistent with response plans
RS.MI-1      Incidents are contained
RS.MI-2      Incidents are mitigated
RS.IM-1      Response plans incorporate lessons learned
RS.IM-2      Response strategies are updated
RC.RP-1      Recovery plan is executed during or after a cybersecurity incident
RC.IM-1      Recovery plans incorporate lessons learned
RC.IM-2      Recovery strategies are updated
RC.CO-3      Recovery activities are communicated to internal and external stakeholders as well as executive and management teams