IR-2 INCIDENT RESPONSE TRAINING (NIST SP 800-53 Rev. 5)
Control:
- a. Provide incident response training to system users consistent with assigned roles and responsibilities:
  - 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
  - 2. When required by system changes; and
  - 3. [Assignment: organization-defined frequency] thereafter; and
- b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion: Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Related Controls: AT-2, AT-3, AT-4, CP-3, IR-3, IR-4, IR-8, IR-9.
Control Enhancements:
- (1) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
Discussion: Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations. Incident response training includes tabletop exercises that simulate a breach. See IR-2(3).
Related Controls: None.
- (2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS
Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].
Discussion: Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability.
Related Controls: None.
- (3) INCIDENT RESPONSE TRAINING | BREACH
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
Discussion: For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See IR-2(1).
Related Controls: None.
References: [OMB M-17-12], [SP 800-50].