Cybersecurity incident response is executed according to defined plans and procedures
Context and Guidance: The organisation should execute incident response based on the defined plans and procedures. This may include responding to actual incidents or potential incidents due to major vulnerabilities. The organisation should consider whether adequate resources will be available to perform the roles identified in the plan. This may require engaging with others prior to an incident to develop requests for technical assistance with law enforcement and government entities, mutual aid agreements with peer organisations, or contracts and retainers with vendors. These agreements may be prepared in advance to allow for immediate activation when response is needed. Additionally, it may be useful to pre-clear access for individuals providing response to avoid delays that may be caused by badging, access provisioning, and mandatory training. Following completion of response to an incident, the organisation should conduct reviews or assessments to determine whether the defined plans and procedures are being followed effectively.
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RESPONSE-3b, RESPONSE-3e, RESPONSE-3h, RESPONSE-3i, RESPONSE-3l.