IR — INCIDENT RESPONSE
IR-4: INCIDENT RESPONSE
NIST 800-53R4 Membership IR-4:
- a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
- b. Coordinates incident handling activities with contingency planning activities; and
- c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).
RELATED CONTROLS: IR-4
IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
NIST 800-53R4 Membership IR-4 (1):
The organization employs automated mechanisms to support the incident handling process.
Automated mechanisms supporting incident handling processes include, for example, online incident management systems.
IR-4 (2) INCIDENT HANDLING | DYNAMIC RECONFIGURATION
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats.
IR-4 (3) INCIDENT HANDLING | CONTINUITY OF OPERATIONS
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack.
IR-4 (4) INCIDENT HANDLING | INFORMATION CORRELATION
NIST 800-53R4 Membership IR-4 (4):
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.
RELATED CONTROLS: IR-4 (2)
IR-4 (5) INCIDENT HANDLING | AUTOMATIC DISABLING OF INFORMATION SYSTEM
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
Supplemental Guidance: NONE
IR-4 (6) INCIDENT HANDLING | INSIDER THREATS - SPECIFIC CAPABILITIES
The organization implements incident handling capability for insider threats.
While many organizations address insider threat incidents as an inherent part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses.
IR-4 (7) INCIDENT HANDLING | INSIDER THREATS - INTRA-ORGANIZATION COORDINATION
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies.
IR-4 (8) INCIDENT HANDLING | CORRELATION WITH EXTERNAL ORGANIZATIONS
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals.
IR-4 (9) INCIDENT HANDLING | DYNAMIC RESPONSE CAPABILITY
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level.
RELATED CONTROLS: IR-4 (9)
IR-4 (10) INCIDENT HANDLING | SUPPLY CHAIN COORDINATION
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities.
- Executive Order 13587
- NIST Special Publication 800-61