← Back to catalog
IR-8

Incident Response Plan

Incident Response (IR)
Baselines
Low · IncludedModerate · IncludedHigh · Included
Description

Develop an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; Addresses the sharing of incident information; Is reviewed and approved by [assignment] [assignment] ; and Explicitly designates responsibility for incident response to [assignment]. Distribute copies of the incident response plan to [assignment]; Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; Communicate incident response plan changes to [assignment] ; and Protect the incident response plan from unauthorized disclosure and modification.

Discussion

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

Implementation guidance

No content available.

CSF 2.0 crosswalk
DE.AE-03Information is correlated from multiple sourcesDetect
DE.AE-08Detect
ID.IM-01Improvements are identified from evaluationsIdentify
ID.IM-02Identify
ID.IM-03Improvements are identified from execution of operational processes, procedures, and activitiesIdentify
ID.IM-04Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improvedIdentify
RC.RP-01The recovery portion of the incident response plan is executed once initiated from the incident response processRecover
RC.RP-02Recovery actions are selected, scoped, prioritized, and performedRecover
RC.RP-04Critical mission functions and cybersecurity risk management are considered to establish post-incident operational normsRecover
RC.RP-06The end of incident recovery is declared based on criteria, and incident-related documentation is completedRecover
RS.AN-08An incident's magnitude is estimated and validatedRespond
RS.MA-01The incident response plan is executed in coordination with relevant third parties once an incident is declaredRespond
RS.MA-05The criteria for initiating incident recovery are appliedRespond