ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

IR-6 INCIDENT REPORTING

Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN: (C+I+A)
(S)atisfactory / (O)ther than satisfactory

IR-6 INCIDENT REPORTING

Assessment objective:

Determine if the organization:

IR-6(a)

IR-6(a)[1] defines the time period within which personnel report suspected security incidents to the organizational incident response capability;

IR-6(a)[2] requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;

IR-6(b)

IR-6(b)[1] defines authorities to whom security incident information is to be reported; and

IR-6(b)[2] reports security incident information to organization-defined authorities.

Potential assessment methods and objects:

Examine: [select from: Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; security plan; other relevant documents or records].

Interview: [select from: Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities; personnel who have/should have reported incidents; personnel (authorities) to whom incident information is to be reported].

Test: [select from: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing incident reporting].
