3.6.3—Incident response - Derived
Derived Requirement
Control Description
Test the organizational incident response capability.
Discussion
Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. [SP 800-84] provides guidance on testing programs for information technology capabilities.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern testing incident response capability?
- What is the frequency of incident response testing?
- Who participates in incident response exercises?
- How are test results used to improve response capability?
- What governance ensures regular incident response testing?
Technical Implementation:
- What testing methodologies do you use (tabletop, simulation)?
- How do you technically simulate incidents for testing?
- What tools support incident response exercises?
- How do you measure response times and effectiveness?
- What technical improvements result from testing?
Evidence & Documentation:
- Can you provide incident response test documentation?
- What evidence shows annual or regular testing?
- Can you demonstrate lessons learned from exercises?
- What after-action reports exist from response tests?
- What audit findings verify incident response testing?