CMMC Practice IR.L2-3.6.2 – Incident Reporting: Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Links to Publicly Available Resources
This resource from CMU provides an example procedure for how to respond to information security incidents. This white paper is about tabletop exercises can be used to help cybersecurity teams develop tactical strategies for securing their systems. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. How to build an incident response plan around the 6 phases of incident response, examples to get you started, and a peek at incident response automation. The document describes key activities within each phase but emphasizes that these phases should not be viewed as linear. NIST acknowledges that IR teams will likely move between phases several times during an incident. In this article, Kroll provides a high-level view of how to build an IRP and the types of questions you will want to address as you begin planning. This NIST Special Publication focuses on providing plans and procedures to facilitate resuming normal business operations as quickly as possible during a cybersecurity event. This NIST Special Publication offers guidance for incident response by identifying best practices and other recommendations. This guide from NIST discusses how important forensics can be for an organization during a cyber incident. This is a policy template from SANS for incident response management. This SANS whitepaper details procedural incident response steps, supplemented by tips and tricks for use on Windows and UNIX platforms. This SANS whitepaper discusses the need for annual incident handling testing and training. This link from the State of Washington discusses examples of tabletop exercises that can be used during monthly meetings to help organizations prepare for cybersecurity events. This document provides an overview of items that election officials should take into consideration when developing these policies and plans. Additionally, it provides usable checklists and other resources designed to help develop more in-depth procedures for implementing cyber incident response policies and procedures. This YouTube video covers key components of an effective incident response plan.
Discussion [NIST SP 800-171 R2]
Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.
NIST SP 800-61 provides guidance on incident handling.
Further Discussion
Incident handling is the actions the organization takes to prevent or contain the impact of an incident to the organization while it is occurring or shortly after it has occurred. The majority of the process consists of incident identification, containment, eradication, and recovery. During this process, it is essential to track the work processes required in order to effectively respond. Designate a central hub to serve as the point to coordinate, communicate, and track activities. The hub should receive and document information from system administrators, incident handlers, and others involved throughout the process. As the incident process moves toward eradication, executives, affected business units, and any required external stakeholders should be kept aware of the incident in order to make decisions affecting the business. Report to designated authorities, taking into account applicable laws, directives, regulations, and other guidance. Specify staff responsible for communicating about the incident to internal and external stakeholders.