Function: Respond (RS)
Category: Analysis (RA)
“Analysis is conducted to ensure adequate response and support recovery activities.”
RS.AN-1: Notifications from detection systems are investigated
Automated alerting from the monitoring of account usage, remote access, wireless connectivity, configuration settings, communications at organization boundaries, and a host of other sources is necessary to cope with the large volume of available data. When notifications and alerts are generated, processes and procedures must be in place to rapidly identify and respond to real incidents.
Auditors may look for evidence of event notifications (e.g. detection alerts, reports) from multiple information sources, determine who receives these alerts and what actions are taken, and check that any actions taken follow the incident response plan.
Applicable CIS Critical Controls:
CIS Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
SIEM or log analytics tools that aggregate and consolidate logs from multiple systems allow for automated alerting on common events. Tuning these systems is critical to limit false positives so that personnel can focus on unusual activity and respond more rapidly to anomalies and incidents.
RS.AN-2: The impact of the incident is understood
Identifying critical systems is part of contingency planning, which lends itself to understanding the impact of any outage on customers and personnel. An inventory of your information systems that identifies the criticality of each helps with this.
Auditors may review an incident response plan or a contingency plan to determine if there is a process to formally analyze and classify incidents based on their potential impact.
RS.AN-3: Forensics are performed
The incident response plan should identify the circumstances in which forensic collection and analysis are performed. Appropriate tools to collect data, proper procedures to handle it without altering the collected data, and trained personnel to do the work are all important. If trained in-house personnel are not available, a plan to bring in outside forensics expertise should be outlined in the incident response plan.
Auditors may review the incident response plan for processes related to forensic investigation and whether there is analysis expertise on staff to perform such work. Controls around forensics should include chain of custody to support potential legal action.
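As an added illustration (not part of the original page), the two evidence-handling controls described above in Python: artefacts are hashed at acquisition so any later change is detectable, and each chain-of-custody record commits to the evidence manifest and to the previous record, so an altered, dropped or reordered entry is also detectable. File names, handler names and sample file contents are constructed for the walk-through.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()
def _digest(obj):  # canonical JSON so the hash is reproducible
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()
def collect_evidence(paths):  # acquisition record: hash each artefact when collected
    return {p: sha256_file(p) for p in paths}

def add_custody_entry(chain, handler, action, manifest):
    # each entry commits to the manifest and to the previous entry (hash chain)
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "manifest_hash": _digest(manifest),
             "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS}
    entry["entry_hash"] = _digest(entry)
    chain.append(entry)
    return entry

def modified_artefacts(manifest):  # artefacts changed or missing since acquisition
    return [p for p, h in manifest.items() if not os.path.exists(p) or sha256_file(p) != h]
def chain_intact(chain):  # False if any entry was altered, dropped or reordered
    prev = GENESIS
    for e in chain:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def demo():
    # constructed walk-through: acquire two files, hand them over, then tamper with both
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, n) for n in ("auth.log", "memory.img")]
    for p, data in zip(paths, (b"constructed log lines\n", b"\x00" * 4096)):
        with open(p, "wb") as f:
            f.write(data)
    manifest, chain = collect_evidence(paths), []
    add_custody_entry(chain, "analyst-a", "acquired", manifest)
    add_custody_entry(chain, "analyst-b", "received for analysis", manifest)
    clean = (modified_artefacts(manifest), chain_intact(chain))
    with open(paths[0], "ab") as f:
        f.write(b"edited after acquisition\n")  # evidence altered
    chain[0]["handler"] = "someone-else"        # custody record altered
    return clean, (modified_artefacts(manifest), chain_intact(chain))
```

demo() returns the verification results before and after tampering: both checks pass on the untouched evidence, and afterwards the altered file is listed and the custody chain no longer verifies.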
RS.AN-4: Incidents are categorized consistent with response plans
The incident response plan should ensure that incidents are prioritized by category to enable faster response for significant incidents or vulnerabilities.
Auditors may review the incident response plan to determine if it is designed to prioritize incidents based on significance or impact. Copies of recent incident reports may be reviewed to validate that activity was based upon pre-defined categories.