Organizational Control: Incident Handling

Control ID: IR-4 Incident Handling
Family: Incident Response
Source: NIST 800-53r4
Control: The organization:
  1. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  2. Coordinates incident handling activities with contingency planning activities; and
  3. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
Supplemental Guidance:
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

Related Controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7
Control Enhancements:
(1) Incident Handling | Automated Incident Handling Processes
The organization employs automated mechanisms to support the incident handling process.
Supplemental Guidance: Automated mechanisms supporting incident handling processes include, for example, online incident management systems.
Related Controls: N/A

(4) Incident Handling | Information Correlation
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Supplemental Guidance: Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.
Related Controls: N/A
References: Executive Order 13587; NIST Special Publication 800-61.
Mechanisms:

Protocol Implementation Conformance Statements: N/A