
C.7 Incident response

(a) Incident response policy and procedures

  1. The organization develops, documents, and disseminates to relevant personnel an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

  2. The organization develops, documents, and disseminates to relevant personnel procedures to facilitate the implementation of the incident response policy and associated incident response controls.

  3. The organization reviews and updates the current incident response policy and incident response procedures every 6 months.

(b) Incident response training

  1. The organization provides incident response training to information system users consistent with assigned roles and responsibilities: (a) within 1 day of assuming an incident response role or responsibility; (b) when required by information system changes, and every 3 months thereafter.

  2. The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

  3. The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

(c) Incident response testing

  1. The organization tests the incident response capability for the blockchain every week using defined tests to determine the incident response effectiveness and documents the results.

  2. The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.

  3. The organization coordinates incident response testing with organizational elements responsible for related plans such as Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

(d) Incident handling

  1. The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

  2. The organization coordinates incident handling activities with contingency planning activities.

  3. The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

  4. The organization employs automated mechanisms to support the incident handling process.

  5. The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.

  6. The organization identifies classes of incidents and actions to take in response to classes of incidents to ensure continuation of organizational missions and business functions.

  7. The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

  8. The organization implements incident handling capability for insider threats.

  9. The organization coordinates incident handling capability for insider threats across defined components or elements of the organization.

  10. The organization coordinates with relevant external organizations to correlate and share incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses.

  11. The organization employs dynamic response capabilities to effectively respond to security incidents.

  12. The organization coordinates incident handling activities involving supply chain security events (e.g. compromises or breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities) with other organizations involved in the supply chain (e.g. system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers).

(e) Incident Monitoring

  1. The organization tracks and documents information system security incidents. Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

  2. The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

(f) Incident reporting

  1. The organization requires personnel to report suspected security incidents (e.g. the receipt of suspicious email communications that can potentially contain malicious code) to the organizational incident response capability in real time.

  2. The organization reports security incident information to the blockchain administrator.

  3. The organization employs automated mechanisms to assist in the reporting of security incidents.

  4. The organization reports information system vulnerabilities associated with reported security incidents to the blockchain administrator.

  5. The organization provides security incident information to other organizations involved in the supply chain (e.g. system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers) for information systems or information system components related to the incident.

(g) Incident response assistance

  1. The organization provides an incident response support resource (e.g. help desks, assistance groups, and access to forensics services), integral to the organizational incident response capability, that offers advice and assistance to users of the blockchain for the handling and reporting of security incidents.

  2. The organization employs automated mechanisms to increase the availability of incident response-related information and support.

  3. The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.

  4. The organization identifies organizational incident response team members to the external providers.

(h) Incident response plan

  1. The organization develops an incident response plan that:
     a. Provides the organization with a roadmap for implementing its incident response capability;
     b. Describes the structure and organization of the incident response capability;
     c. Provides a high-level approach for how the incident response capability fits into the overall organization;
     d. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
     e. Defines reportable incidents;
     f. Provides metrics for measuring the incident response capability within the organization;
     g. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
     h. Is reviewed and approved by specified personnel.

  2. The organization distributes copies of the incident response plan to incident response personnel.

  3. The organization reviews the incident response plan every month.

  4. The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

  5. The organization communicates incident response plan changes to incident response personnel.

  6. The organization protects the incident response plan from unauthorized disclosure and modification.

(i) Information spillage response

  1. The organization responds to information spills by:
     a. Identifying the specific information involved in the information system contamination;
     b. Alerting relevant personnel of the information spill using a method of communication not associated with the spill;
     c. Isolating the contaminated information system or system component;
     d. Eradicating the information from the contaminated information system or component;
     e. Identifying other information systems or system components that may have been subsequently contaminated.

  2. The organization assigns relevant personnel with responsibility for responding to information spills.

  3. The organization provides information spillage response training regularly.

  4. The organization implements procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

(j) Integrated information security analysis team

The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.