Incident Response: SP 800-171 Security Family 3.6

Systems are subject to a wide range of threat events, from corrupted data files to viruses to natural disasters. Vulnerability to some threat events can be lessened by having standard operating procedures that can be followed in the event of an incident. For example, frequently occurring events like mistakenly deleting a file can usually be repaired by restoring the file from backup. More severe threat events, such as outages caused by natural disasters, are normally addressed in a company’s contingency plan. Threat events can also result from a virus, other malicious code, or a system intruder (either an insider or an outsider). More generally, the term refers to incidents that could result in severe damage unless technical experts respond. An example of a threat event that would require an immediate technical response is an organization experiencing a denial-of-service attack. This kind of attack requires swift action on the part of the incident response team to reduce the effect the attack will have on the organization. The definition of a threat event is somewhat flexible and may vary by company and computing environment. Although the threats that hackers and malicious code pose to systems and networks are well known, the occurrence of such harmful events remains unpredictable.

Security incidents on larger networks (e.g., the internet), such as break-ins and service disruptions, have harmed many companies’ computing capabilities. When initially confronted with such incidents, most companies respond in an ad hoc manner. However, recurrence of similar incidents can make it cost-beneficial to develop a standard capability for quick discovery of and response to such events. This is especially true since incidents can often “spread” when left unchecked, escalating the damage and seriously harming an organization.

Incident handling is closely related to contingency planning. An incident handling capability may be viewed as a component of contingency planning because it provides the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations; incident handling can be considered the portion of contingency planning that responds specifically to malicious technical threats. Examples of incident response requirements include incident response training, incident response testing, incident handling, incident monitoring, and incident reporting. Companies should establish an operational incident handling capability for company systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, and should track, document, and report incidents to company management and/or authorities.
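The lifecycle above (detection, analysis, containment, recovery, user response, reporting) is easier to audit when an incident record refuses to skip a phase and can produce the report management expects. The following is an added example, not code from the page or from NIST: a small tracker that opens an incident from a constructed web-access log when one source exceeds a request-rate threshold (the page's denial-of-service case), enforces the phase order, and emits a summary with time-to-containment. The log format, the `INC-` identifier scheme, the threshold, and the phase names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Lifecycle phases in the order the requirement text lists them; an incident
# must pass through them in sequence so nothing is skipped before reporting.
PHASES = ("detected", "analyzed", "contained", "recovered", "users_notified", "reported")

# Constructed sample log lines (hypothetical format: "<ISO time> <source IP> <method> <path>").
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z 198.51.100.7 GET /index",
    "2024-03-01T10:00:01Z 203.0.113.5 GET /login",
    "2024-03-01T10:00:02Z 203.0.113.5 GET /login",
    "2024-03-01T10:00:03Z 203.0.113.5 GET /login",
    "2024-03-01T10:00:04Z 203.0.113.5 GET /login",
    "2024-03-01T10:00:05Z 203.0.113.5 GET /login",
    "2024-03-01T10:00:06Z 198.51.100.7 GET /about",
]


@dataclass
class Incident:
    ident: str
    summary: str
    events: list = field(default_factory=list)  # (phase, timestamp, note)

    @property
    def phase(self) -> str:
        return self.events[-1][0] if self.events else "new"

    def can_advance(self, phase: str) -> bool:
        # Only the next phase in PHASES is permitted; a closed incident accepts none.
        return len(self.events) < len(PHASES) and PHASES[len(self.events)] == phase

    def advance(self, phase: str, when: datetime, note: str) -> None:
        if not self.can_advance(phase):
            raise ValueError(f"{self.ident}: cannot move to {phase!r} from {self.phase!r}")
        self.events.append((phase, when, note))


def parse_line(line: str):
    ts, src, _method, path = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, path


def detect_flood(lines, threshold: int, window_seconds: int):
    """Open an incident the first time one source sends more than `threshold`
    requests inside a sliding window of `window_seconds`; otherwise return None."""
    window = timedelta(seconds=window_seconds)
    recent = {}  # source -> timestamps still inside the window
    for line in lines:
        ts, src, _path = parse_line(line)
        q = recent.setdefault(src, [])
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) > threshold:
            inc = Incident(ident=f"INC-{ts:%Y%m%d}-001", summary=f"request flood from {src}")
            inc.advance("detected", ts, f"{len(q)} requests within {window_seconds}s")
            return inc
    return None


def report(inc: Incident) -> dict:
    """Summary suitable for management/authority reporting."""
    times = {phase: when for phase, when, _ in inc.events}
    contain = times["contained"] - times["detected"] if "contained" in times else None
    return {
        "id": inc.ident,
        "summary": inc.summary,
        "status": inc.phase,
        "minutes_to_contain": contain.total_seconds() / 60 if contain else None,
        "timeline": [(p, w.isoformat(), n) for p, w, n in inc.events],
    }


def run_sample() -> dict:
    """Walk the constructed flood through every phase and return its report."""
    inc = detect_flood(SAMPLE_LOG, threshold=4, window_seconds=60)
    t = lambda h, m, s=0: datetime(2024, 3, 1, h, m, s, tzinfo=timezone.utc)
    inc.advance("analyzed", t(10, 10), "single-source flood against /login confirmed")
    inc.advance("contained", t(10, 25, 5), "source rate-limited at the edge")
    inc.advance("recovered", t(11, 0), "login service latency back to baseline")
    inc.advance("users_notified", t(11, 5), "status notice sent to affected users")
    inc.advance("reported", t(12, 0), "summary delivered to management")
    return report(inc)


if __name__ == "__main__":
    for line in run_sample()["timeline"]:
        print(*line)
```

The detector deliberately stops at the first incident it opens; in practice the remaining lines would still be scanned, but one record per source keeps the example focused on the lifecycle. Threshold and window are tuning knobs the passage leaves to each company's environment.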