NIST 800-171 | INCIDENT RESPONSE
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
Safeguarding Controlled Unclassified Information (CUI) when working with a federal customer is critical to federal agencies and can directly impact your business. NIST SP 800-171 provides recommended minimal controls for protecting CUI. The requirements apply to all of the non-federal systems that process, store, or transmit CUI, or provide security protection for such components.
Requirements are specifically broken out into "Families" with sub-requirements underneath each family.
3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems.
Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems.
Incident-related information can be obtained from a variety of sources.
As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training.
Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources.
NIST Special Publication 800-61 provides guidance on incident handling.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Tracking and documenting system security incidents includes:
- Maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics
- Evaluating incident details, trends, and handling
Incident information can be obtained from a variety of sources, including:
- Incident response teams
- Physical access monitoring
Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization.
Suspected security incidents may also be reported and include, for example, the receipt of suspicious email communications that can potentially contain malicious code.
NIST Special Publication 800-61 provides guidance on incident handling.
3.6.3 Test the organizational incident response capability.
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies.
Incident response testing includes:
- The use of checklists
- Walk-through or tabletop exercises
Incident response testing can also include a determination of the effects on organizational operations and individuals due to incident response.
NIST Special Publication 800-84 provides guidance on testing programs for information technology capabilities.