IR-2—Incident Response Training
Control Description
a. Provide incident response training to system users consistent with assigned roles and responsibilities:
  1. Within organization-defined time period of assuming an incident response role or responsibility or acquiring system access;
  2. When required by system changes; and
  3. organization-defined frequency thereafter; and
b. Review and update incident response training content organization-defined frequency and following organization-defined events.
DoD Impact Level Requirements
FedRAMP Parameter Values
IR-2 (a) (1) [ten (10) days for privileged users, thirty (30) days for Incident Response roles]
IR-2 (a) (3) [at least annually]
IR-2 (b) [at least annually]
Discussion
Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources.
Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Programmatic Queries
Related Services
CLI Commands
aws securityhub get-findings --filters '{"Type":[{"Value":"Software and Configuration Checks","Comparison":"PREFIX"}]}' --max-items 10
aws guardduty list-detectors
aws iam list-users --query 'Users[].{Name:UserName,Created:CreateDate}'
aws securityhub get-enabled-standards
Related Controls
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of IR-2 (Incident Response Training)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring IR-2?
- How frequently is the IR-2 policy reviewed and updated, and what triggers policy changes?
- What governance structure ensures IR-2 requirements are consistently applied across all systems?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce IR-2 requirements.
- What automated tools, systems, or technologies are deployed to implement IR-2?
- How is IR-2 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce IR-2 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of IR-2?
- What audit logs, records, reports, or monitoring data validate IR-2 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of IR-2 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate IR-2 compliance?