IR.L2-3.6.3 Incident Response Testing
Test the organizational incident response capability.
Source: NIST SP 800-171 Rev 2 3.6.3
Discussion: Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. [SP 800-84] provides guidance on testing programs for information technology capabilities.
Assessment Objectives:
Determine if:
- [a] the incident response capability is tested.
Examine: [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with incident response testing responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms and processes for incident response].
SPRS Score: 1
POA&M Allowed: Yes