Description
The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Supplemental Guidance
Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly. Related security controls: AU-6, PE-6.
Changes from Rev 4
Modifies text from ‘security incidents’ to the more general ‘incidents’.
Adds text to ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
Discussion expanded to explain that, for federal agencies, an incident that involves PII is considered a breach.
Enhancements
(1) The organization employs automated mechanisms to support the incident handling process.