IR.L3-3.6.2e Cyber Incident Response Team
Establish and maintain a cyber-incident response team that can be deployed by the organization within 24 hours.
Source: NIST SP 800-172 3.6.2e
Discussion: A cyber incident response team (CIRT) is a team of experts that assesses, documents, and responds to cyber incidents so that organizational systems can recover quickly and implement the necessary controls to avoid future incidents. CIRT personnel include, for example, forensic analysts, malicious code analysts, systems security engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. The team members may or may not be full-time but need to be available to respond in the time period required. The size and specialties of the team are based on known and anticipated threats. The team is typically pre-equipped with the software and hardware (e.g., forensic tools) necessary for rapid identification, quarantine, mitigation, and recovery and is familiar with how to preserve evidence and maintain chain of custody for law enforcement or counterintelligence uses. For some organizations, the CIRT can be implemented as a cross-organizational entity or as part of the Security Operations Center (SOC). [SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-150] provides guidance on cyber threat information sharing. [SP 800-184] provides guidance on cybersecurity event recovery.
Assessment Objectives:
Determine if:
- [a] A cyber incident response team is established;
- [b] The cyber incident response team can be deployed by the organization within 24 hours; and
- [c] The cyber incident response team is maintained.
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response; incident response plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for incident response; organizational personnel from the incident response team; organizational personnel responsible for information security].
Test: [SELECT FROM: Mechanisms supporting and/or implementing incident response].
SPRS Score: 1
POA&M Allowed: No