| Worksheet column | Values |
|---|---|
| Applicable | (Y)es / (N)o |
| (C)onfidentiality | L1 / M2 / H3 |
| (I)ntegrity | L1 / M2 / H3 |
| (A)vailability | L1 / M2 / H3 |
| RPN | C + I + A |
| Assessment result | (S)atisfactory / (O)ther than satisfactory |
| ir-8 | incident response plan |
|---|---|
| | assessment objective: Determine if the organization: |
| ir-8(a) | develops an incident response plan that: |
| ir-8(a)(1) | provides the organization with a roadmap for implementing its incident response capability; |
| ir-8(a)(2) | describes the structure and organization of the incident response capability; |
| ir-8(a)(3) | provides a high-level approach for how the incident response capability fits into the overall organization; |
| ir-8(a)(4) | meets the unique requirements of the organization, which relate to: |
| ir-8(a)(4)[1] | mission; |
| ir-8(a)(4)[2] | size; |
| ir-8(a)(4)[3] | structure; |
| ir-8(a)(4)[4] | functions; |
| ir-8(a)(5) | defines reportable incidents; |
| ir-8(a)(6) | provides metrics for measuring the incident response capability within the organization; |
| ir-8(a)(7) | defines the resources and management support needed to effectively maintain and mature an incident response capability; |
| ir-8(a)(8)[1] | defines personnel or roles to review and approve the incident response plan; |
| ir-8(a)(8)[2] | is reviewed and approved by organization-defined personnel or roles; |
| ir-8(b)[1][a] | defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed; |
| ir-8(b)[1][b] | defines organizational elements to whom copies of the incident response plan are to be distributed; |
| ir-8(b)[2] | distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; |
| ir-8(c)[1] | defines the frequency to review the incident response plan; |
| ir-8(c)[2] | reviews the incident response plan with the organization-defined frequency; |
| ir-8(d) | updates the incident response plan to address system/organizational changes or problems encountered during plan: |
| ir-8(d)[1] | implementation; |
| ir-8(d)[2] | execution; or |
| ir-8(d)[3] | testing; |
| ir-8(e)[1][a] | defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated; |
| ir-8(e)[1][b] | defines organizational elements to whom incident response plan changes are to be communicated; |
| ir-8(e)[2] | communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and |
| ir-8(f) | protects the incident response plan from unauthorized disclosure and modification. |
| | potential assessment methods and objects: |
| Examine | [select from: Incident response policy; procedures addressing incident response planning; incident response plan; records of incident response plan reviews and approvals; other relevant documents or records]. |
| Interview | [select from: Organizational personnel with incident response planning responsibilities; organizational personnel with information security responsibilities]. |
| Test | [select from: Organizational incident response plan and related organizational processes]. |