IR-3 INCIDENT RESPONSE TESTING
Control: Test the effectiveness of the incident response capability for the system [ Assignment: organization-defined frequency ] using the following tests: [ Assignment: organization-defined tests ].
Discussion: Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.
Related Controls: CP-3, CP-4, IR-2, IR-4, IR-8, PM-14.
Control Enhancements:
- (1) INCIDENT RESPONSE TESTING | AUTOMATED TESTING
Test the incident response capability using [ Assignment: organization-defined automated mechanisms ].
Discussion: Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities. This can be accomplished by providing more complete coverage of incident response issues, selecting realistic test scenarios and environments, and stressing the response capability.
Related Controls: None.
- (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
Coordinate incident response testing with organizational elements responsible for related plans.
Discussion: Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans.
Related Controls: None.
- (3) INCIDENT RESPONSE TESTING | CONTINUOUS IMPROVEMENT
Use qualitative and quantitative data from testing to:
- (a) Determine the effectiveness of incident response processes;
- (b) Continuously improve incident response processes; and
- (c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
Discussion: To help incident response activities function as intended, organizations may use metrics and evaluation criteria to assess incident response programs as part of an effort to continually improve response performance. These efforts facilitate improvement in incident response efficacy and lessen the impact of incidents.
Related Controls: None.
References: [OMB A-130], [SP 800-84], [SP 800-115].