Reference: CMMC 2.11
Family: IR
Level Introduced: 2
Title: Incident Reporting
Practice:
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
CMMC Clarification:
Incident response is a process an organization executes to manage the consequences and reduce the risk as a result of a security breach or cyberattack. The majority of the process
consists of identification, containment, eradication, and recovery of the incident. During this process it is essential for an organization to track the work processes required in order to effectively respond. During the process the organization should designate a central hub to serve as the point to coordinate, communicate, and track activities. The hub should receive and document information from system administrators, incident handlers, and others involved throughout the process. As the incident process moves toward eradication the organization's executives, affected business units, and any required external stakeholders should be kept aware of the incident in order to make decisions affecting the business. Designated staff members should also be assigned to work with executives to provide communications outside the organization in event it is needed.
Example
As a database administrator you notice unusual activity on a server and determine a potential security incident has occurred. You open a tracking ticket with the Security Operations Center (SOC). The SOC assigns an incident handler to work the ticket. The incident handler investigates, collects artifacts, and documents initial findings. As a result of the investigation the incident handler determines unauthorized access occurred on the database server. The SOC establishes a team to manage the incident. The team consists of security, database, network, and system administrators. The team meets daily to update progress and plan courses of action to contain the incident. At the end of the day the team provides a status report to IT executives. Two days later the team declares the incident contained. The team produces a final report as the database system is rebuilt and placed back into operations.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (2)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.