Function: Respond (RS)
Category: Response Planning (RP)
“Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.”
RS.RP-1: Response plan is executed during or after an event.
An incident response plan should be in place that includes preparation, detection and analysis, containment, eradication, and recovery. Reportable incidents should be defined and communication of incidents should be planned for. The incident response plan should be coordinated with contingency planning activities that have identified critical systems and business functions, recovery objectives, and roles and responsibilities.
Audit Considerations
Auditors may determine if the organization has approved incident response and business continuity plans. Reports from previous incidents may be obtained to validate that the incident response plan, including the “lessons learned” components were executed.
Applicable CIS Critical Controls:
CIS Control 19 – Incident Response and Management
Incident response plans, defined roles, training, communications, and oversight are all components of an incident response infrastructure necessary to quickly discover an attack and effectively contain the damage, eradicate the attacker’s presence, and restore the network and systems.
Testing the incident response plan periodically by conducting incident scenario sessions helps flush out areas that need to be updated or corrected before an incident occurs. Post incident sessions, also called “lessons learned”, are used to review the response activities to find areas of improvement that can be implemented.