Cybersecurity incident response plans that address all phases of the incident lifecycle are established and maintained
Context and Guidance: The organisation should create a well-structured and comprehensive plan describing incident management procedures so that response activities will be repeatable, will be performed at the same level of rigor during times of stress, and will have consistent outcomes. The organisation may want to consult existing guidance or outside expertise for information about incident management best practices. These are examples of incident response activities that might be described in the plan:
• containing damage;
• collecting evidence;
• communicating to stakeholders, including asset owners and incident owners;
• communicating with response team members, including backup or out-of-band communication methods;
• developing and implementing corrective actions and controls;
• implementing continuity and restoration plans or other emergency actions;
• conducting lessons learned reviews;
• the types of actions that should be avoided during response.
Activities should be included in the plan for all phases of the incident lifecycle (for example, triage, escalation, handling, communication, coordination, and closure). Incident response plans should be comprehensive enough to address the high-level categories of incidents that may affect the organisation. Incident response plans should also address potential incidents that may occur due to new vulnerabilities or technological advances that have a significant potential impact on the organisation, such as vulnerabilities in commonly used technologies (e.g., MS17-010) and emerging technologies that would reduce the effectiveness of current cybersecurity controls (e.g., quantum computing).
As part of incident response planning organisations may consider what legal agreements may be necessary in different types of response scenarios (e.g., authorisation for a federal employee to review a system, agreements related to obtaining assistance from outside organisations) and whether performing legal review in advance is warranted. Additionally, as technology used to complete operational activities continues to shift to more dispersed and mobile options, organisations may consider whether the assets involved in an incident will be physically available during response and what remote response capabilities may be necessary.
Related Practices
• Input From: Implementing RESPONSE-4a and RESPONSE-4h provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RESPONSE-3a, RESPONSE-3d, RESPONSE-3f, RESPONSE-3g, RESPONSE-3h, RESPONSE-3i.