KSI-CED-RRT—Reviewing Response and Recovery Training
Formerly KSI-CED-04
Control Description
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express data classification through automated discovery and DLP enforcement — classification engines scanning data stores, DLP policies enforcing handling rules by sensitivity level, and protection controls applied automatically based on classification metadata. The classification scheme drives automated protection rather than just labeling data for manual handling.
Data Loss Prevention Overview
How DLP capabilities enforce data classification — automated scanning, exfiltration prevention, and handling rules by sensitivity level
Data Protection Controls Matrix
Matrix mapping data classification levels to automated protection controls (encryption, access, monitoring, DLP rules)
Data Classification Policy
Human-readable data classification scheme describing sensitivity levels and handling requirements — the intent behind automated DLP enforcement
Programmatic Queries
CLI Commands
pd oncall list --output json | jq '.[] | {user: .user.summary, schedule: .schedule.summary}'
pd incident list --since "30 days ago" --output json | jq '[.[].escalation_policy.summary] | group_by(.) | map({policy: .[0], count: length}) | sort_by(-.count)'
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does response and recovery training cover all required staff — primary responders, backup personnel, on-call rotation members, and leadership with decision-making authority?
- Are both incident response and disaster recovery scenarios covered, including cloud-specific failures (region outages, provider incidents, credential compromise)?
- How do you ensure training addresses FedRAMP-specific requirements such as ICP notification timelines and agency communication procedures?
- When staff rotate into or out of response roles, what process ensures training is completed before they take on-call duties?
Automation & Validation:
- How do you measure response team performance during drills — do you track metrics like mean time to detect, escalate, and resolve?
- What happens when a tabletop exercise reveals a gap in team knowledge or procedure effectiveness — is it tracked as a finding with required remediation?
- How do you automatically track training currency for all response personnel and flag when recertification is due?
- Do you run unannounced drills or inject simulated incidents to test real-world response readiness, not just scheduled exercises?
Inventory & Integration:
- How does your on-call management tool (PagerDuty, Opsgenie) integrate with training records to ensure only trained personnel are in the rotation?
- What tools support tabletop exercises and simulations, and how are exercise results captured and tracked?
- How are lessons learned from actual incidents fed back into training content through a formal feedback loop?
- Is the list of staff requiring response and recovery training automatically derived from role assignments in your HR or IAM system?
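One way to answer the on-call/training integration question above, as an added example that is not part of the original page or of any vendor tool: cross-check the on-call roster (the shape produced by the `pd oncall list` jq query) against a training export and flag members whose training is missing, expired, or due for recertification. The training export format, the annual validity period, and the sample users are assumptions.

```python
"""Cross-check on-call rotation membership against response/recovery
training records. Added example; record shapes and validity policy are
assumptions, not from the page or any vendor API."""
from datetime import date, timedelta

# Constructed sample: the shape produced by the `pd oncall list | jq` query.
ONCALL = [
    {"user": "alice@example.test", "schedule": "Primary IR On-Call"},
    {"user": "bob@example.test", "schedule": "Primary IR On-Call"},
    {"user": "carol@example.test", "schedule": "DR Coordinator"},
]

# Constructed sample training export (hypothetical LMS output).
TRAINING = [
    {"user": "alice@example.test", "course": "IR-RRT", "completed": "2024-02-10"},
    {"user": "bob@example.test", "course": "IR-RRT", "completed": "2023-01-15"},
]

VALIDITY = timedelta(days=365)      # assumed annual recertification policy
REMIND_WITHIN = timedelta(days=30)  # flag "due" this far before expiry


def training_status(oncall, training, as_of, validity=VALIDITY):
    """Return (user, schedule, state) for every on-call member whose
    training is 'missing', 'expired', or 'due' for recertification."""
    latest = {}  # most recent completion date per user
    for rec in training:
        done = date.fromisoformat(rec["completed"])
        if rec["user"] not in latest or done > latest[rec["user"]]:
            latest[rec["user"]] = done
    findings = []
    for entry in oncall:
        user = entry["user"]
        if user not in latest:
            findings.append((user, entry["schedule"], "missing"))
            continue
        expires = latest[user] + validity
        if expires < as_of:
            findings.append((user, entry["schedule"], "expired"))
        elif expires - as_of <= REMIND_WITHIN:
            findings.append((user, entry["schedule"], "due"))
    return findings


if __name__ == "__main__":
    for finding in training_status(ONCALL, TRAINING, date.today()):
        print(*finding)
```

An empty result for the current date is the evidence an assessor would look for; anything returned is a rotation member who should not be on call until retrained.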
Continuous Evidence & Schedules:
- How frequently are tabletop exercises and recovery drills conducted, and what evidence demonstrates the schedule is followed?
- Is training completion and drill performance data available via API or dashboard for assessor review?
- How do you demonstrate that training has been updated based on lessons learned from past incidents or exercises?
- What evidence shows response team performance is improving over time based on drill metrics?