IR.L2-3.6.3 Incident Response Testing

Test the organizational incident response capability.

Source: NIST SP 800-171 Rev 2 3.6.3

Discussion: Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. [SP 800-84] provides guidance on testing programs for information technology capabilities.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with incident response testing responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Mechanisms and processes for incident response].

SPRS Score: 1

POA&M Allowed: Yes