3.6.1 has a weight of -5 points

(Incident Response Family) 1/3

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Example of System Security Plan (SSP):

    System Security Plan (SSP) – Control 3.6.1

    Control Title: Operational Incident-Handling Capability

    Control Requirement: Establish an operational incident-handling capability for organizational systems that encompasses the following activities: preparation, detection, analysis, containment, recovery, and user response.

    Implementation Status: Implemented

    Implementation Details:

    Incident Response Plan (IRP) Integration:

    1. Preparation:
      • The organization has defined and documented its approach to incident response within the Incident Response Plan (IRP).
      • All personnel undergo regular training and awareness sessions on the IRP, ensuring readiness to respond to potential incidents.
      • The organization maintains a dedicated Incident Response Team (IRT) equipped with the necessary tools and resources to handle incidents.
    2. Detection:
      • Advanced monitoring solutions detect potential security threats in real time.
      • Alerts are configured to notify the IRT of any anomalies or potential security breaches, ensuring swift detection.
    3. Analysis:
      • Upon receiving an alert, the IRT performs a comprehensive analysis to ascertain the nature, scope, and impact of the incident.
      • Correlation tools and threat intelligence platforms aid in understanding the threat context and the potential risk to organizational assets.
    4. Containment:
      • Immediate steps are taken to isolate the affected systems or components to prevent further compromise or spread of the incident.
      • Both short-term (immediate) and long-term (permanent) containment strategies are employed, as defined in the IRP.
    5. Recovery:
      • The IRT works diligently to restore and validate system functionality for business operations to resume.
      • Necessary patches, updates, or configuration changes are applied to ensure the vulnerability or entry point of the incident is addressed.
    6. User Response Activities:
      • The organization maintains open channels of communication to keep users informed during and after an incident.
      • Affected users receive guidance on protective and remedial measures they should take in the aftermath of an incident.

    The entirety of these activities and procedures is implemented via the organization’s Incident Response Plan (IRP) and its associated procedures. Regular audits and reviews ensure the IRP’s efficacy and alignment with evolving threat landscapes and organizational requirements.

    Review Date: [Quarterly/Bi-annually/Annually]

    Reviewer: [Incident Response Team Lead/ CISO]

    Example of POA&M:

    Plan of Action & Milestones (POA&M) – Control 3.6.1

    Control Title: Operational Incident-Handling Capability

    Description: Establish a proactive and reactive incident-handling capability for organizational systems that covers activities such as preparation, detection, analysis, containment, recovery, and user response.

    Issue/Weakness Identified: While an Incident Response Plan (IRP) and associated procedures are in place, certain elements within the processes, including specific monitoring tools and user training, require improvement to fully meet the standards and efficiently respond to incidents.

    Recommended Actions:

    1. Enhance Monitoring Solutions:

      • Action: Review and upgrade current monitoring tools to ensure real-time detection with reduced false positives.
      • Milestone Date: [Month/Day/Year]
      • Responsible Party: IT Security Team
    2. Refresher Training:

      • Action: Conduct a refresher training session for all personnel on the Incident Response Plan.
      • Milestone Date: [Month/Day/Year]
      • Responsible Party: Training and Development Team
    3. Incident Analysis Tools Upgrade:

      • Action: Integrate threat intelligence platforms for better contextual understanding during incident analysis.
      • Milestone Date: [Month/Day/Year]
      • Responsible Party: Incident Response Team (IRT)
    4. User Communication Strategy:

      • Action: Develop and implement a more streamlined communication strategy to keep users informed during and post-incident.
      • Milestone Date: [Month/Day/Year]
      • Responsible Party: Communication & PR Team
    5. Review and Update the IRP:

      • Action: Conduct a thorough review of the current IRP, focusing on identified gaps, and update accordingly.
      • Milestone Date: [Month/Day/Year]
      • Responsible Party: Policy Review Board

    Metrics for Measurement:

    • Reduction in false positive alerts.
    • Speed and effectiveness of incident response actions.
    • User feedback on communication and guidance during incidents.
    • Successful IRP review and implementation of updates.

    Review Date: [Quarterly/Bi-annually/Annually]

    Reviewer: [POA&M Review Board/CISO]

    Status: Ongoing

    Remarks: Continuous improvement of the Incident Response Plan and procedures is crucial to adapt to the evolving threat landscape and safeguard organizational assets effectively. The POA&M will ensure that the necessary steps are undertaken to bridge any gaps in the incident-handling capability.

    Example of Incident Response Plan (IRP):

    Incident Response Procedures Plan

    I. Purpose: The purpose of these procedures is to define the company’s approach to managing and responding to security incidents involving unauthorized acquisition, dissemination, use, or loss of nonpublic information.

    II. Scope: These procedures apply to all employees, contractors, and third-party agents who have access to company-controlled information.

    III. Definitions: Incident/Security Breach: An unauthorized acquisition, dissemination, use, or loss of nonpublic information.

    IV. Incident Reporting:

    • Every employee is obligated to notify the Facility Security Officer (FSO) immediately upon becoming aware of a potential security breach that may compromise nonpublic information.
    • All potential security breaches, whether suspected or confirmed, must be reported.

    V. Incident Response Procedures:

    1. Initial Assessment:
      • Managers shall conduct a thorough assessment of the reported security breach to determine its scope, impact, and potential damage.
      • Determine the type, nature, and amount of data involved.
    2. Containment:
      • Initiate immediate containment measures to prevent further unauthorized access, dissemination, or loss.
      • Isolate affected systems or processes to minimize the spread of damage.
    3. Legal Consultation:
      • Consult with legal counsel to ensure that the company’s response is compliant with all applicable laws and regulations.
    4. Regulatory Compliance:
      • Review and understand requirements under applicable state laws and regulations related to the breach.
      • Determine notification and reporting obligations.
    5. DIBNet Notification:
      • Contact DIBNet (Defense Industrial Base Network) under the following circumstances:
        • Compromise of Covered Defense Information (CDI).
        • Impact on the ability to provide operationally critical support.
        • Discovery of malicious software.
        • Unauthorized external access to systems.
        • Compromise of cyber-related tools or software.
        • Any other criteria stipulated under DFARS.
      • Ensure the timely reporting of incidents to DIBNet, typically within 72 hours of discovering the incident, in alignment with DFARS regulations.
      • Cooperate with the Department of Defense, providing further details upon request and assisting in any joint investigations if needed.
    6. Carrier Notification:
      • Notify the carriers whose policyholders may have been affected.
      • Inform the company’s cybersecurity coverage carrier about the incident.
    7. Notification of Affected Parties:
      • Notify affected individuals about the breach, detailing potential risks and protective actions they can take.
      • Notify appropriate regulatory and law enforcement authorities, if required or deemed appropriate.
      • Draft clear, concise, and accurate communications about the incident for affected individuals and, if appropriate, company customers.
    8. Corrective Actions:
      • Document and implement corrective actions to contain, control, and remedy the security breach.
      • Evaluate the effectiveness of the containment measures and modify as necessary.
    9. Investigation:
      • All security breaches will be fully investigated by the designated personnel, including managers, the FSO, and Managed Service Providers (MSP).
      • Ensure comprehensive documentation of the investigative process, findings, and decisions made.
    10. Briefing:
      • Maintain transparency by briefing all affected parties, such as the prime contractor, subcontractor, and government organization, about the incident and the company’s response actions.

    VI. Post-Incident Activities:

    • Conduct a post-incident review to identify lessons learned.
    • Make necessary updates to policies, procedures, and controls to prevent recurrence.
    • Provide necessary training and awareness sessions for employees.

    VII. Revision and Review:

    • This procedure will be reviewed annually and updated as needed to reflect changes in regulatory requirements and the company’s operational environment.

    Approval: [Signature] [Title] [Date]

    RELEVANT INFORMATION:

    Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities, including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities from external and internal sources. User response activities also include incident response assistance, which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. [SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-161] provides guidance on supply chain risk management.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.