catalog: SP800-53rev3 / class: Operational / family: (IR) Incident Response
IR-04: Incident Handling

base control objective:
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures and implements the procedures accordingly.

supplemental objective information:
Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

enhancements to the base objective:

(1) The organization employs automated mechanisms to support the incident handling process.
Enhancement Supplemental Guidance: An online, incident management system is an example of an automated mechanism.

(2) The organization includes dynamic reconfiguration of the information system as part of the incident response capability.
Enhancement Supplemental Guidance: Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways.

(3) The organization identifies classes of incidents (e.g., targeted malicious attacks, untargeted malicious attacks, malfunctions due to design or implementation errors and omissions) and defines appropriate actions to take in response to ensure continuation of mission/business operations.
Enhancement Supplemental Guidance: Examples of incident response actions that may be appropriate, depending on the circumstances, include graceful degradation, information system shut down, fall back to manual mode or an alternative technology whereby the system operates differently, employing deceptive measures (e.g., false data flows, false status measures), alternate information flows, or operating in a mode that is reserved solely for when a system is under attack.

(4) The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

(5) The organization implements a configurable capability to automatically disable the information system if any of the following security violations are detected: [Assignment: organization-defined list of security violations].

mapping to FIPS199 baseline:

LOW: base     MOD: base (1)     HIGH: base (1)

related (regimented) controls:

AU-06   Audit Monitoring, Analysis, and Reporting
CP-02   Contingency Plan
PE-06   Monitoring Physical Access
SC-05   Denial of Service Protection
SC-07   Boundary Protection
SI-03   Malicious Code Protection
SI-04   Information System Monitoring
SI-07   Software and Information Integrity

documents referenced in SP800-53rev3 for IR-04:

Document         Date             Status    Title
NIST SP800-101   August, 2006     DRAFT     Guidelines on Cell Phone Forensics
NIST SP800-36    October, 2003    current   Guide to Selecting Information Technology Security Products
NIST SP800-61    August, 2012     current   Computer Security Incident Handling Guide
NIST SP800-83    September, 2006  current   Guide to Malware Incident Prevention and Handling
NIST SP800-86    August, 2006     current   Guide to Integrating Forensic Techniques into Incident Response
NIST SP800-92    September, 2006  current   Guide to Computer Security Log Management
NIST SP800-94    August, 2006     DRAFT     Guide to Intrusion Detection and Prevention Systems (IDPS)