Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ir-3

incident response testing  

assessment objective:

Determine if the organization: 

ir-3[1]  

defines incident response tests to test the incident response capability for the information system;

ir-3[2]  

defines the frequency to test the incident response capability for the information system; and

ir-3[3]

tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results.

potential assessment methods and objects:

Examine: [select from: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; security plan; other relevant documents or records].

Interview: [select from: Organizational personnel with incident response testing responsibilities; organizational personnel with information security responsibilities].