IRO-02.1: Automated Incident Handling Processes
Automated mechanisms exist to support the incident handling process.
Control Question: Does the organization use automated mechanisms to support the incident handling process?
General (13)
| Framework | Mapping Values |
|---|---|
| CSA IoT SCF 2 | IAM-08 |
| GovRAMP Core | IR-04(01) |
| GovRAMP Moderate | IR-04(01) |
| GovRAMP High | IR-04(01) |
| NIST 800-53 R4 | IR-4(1) SI-4(7) |
| NIST 800-53 R4 (moderate) | IR-4(1) |
| NIST 800-53 R4 (high) | IR-4(1) |
| NIST 800-53 R5 (source) | IR-4(1) SI-4(7) |
| NIST 800-53B R5 (moderate) (source) | IR-4(1) |
| NIST 800-53B R5 (high) (source) | IR-4(1) |
| NIST 800-53 R5 (NOC) (source) | SI-4(7) |
| NIST 800-82 R3 MODERATE OT Overlay | IR-4(1) |
| NIST 800-82 R3 HIGH OT Overlay | IR-4(1) |
US (11)
| Framework | Mapping Values |
|---|---|
| US CJIS Security Policy 5.9.3 (source) | IR-4(1) |
| US CMS MARS-E 2.0 | IR-4(1) |
| US DHS ZTCF | SEC-02 |
| US FedRAMP R4 | IR-4(1) |
| US FedRAMP R4 (moderate) | IR-4(1) |
| US FedRAMP R4 (high) | IR-4(1) |
| US FedRAMP R5 (source) | IR-4(1) |
| US FedRAMP R5 (moderate) (source) | IR-4(1) |
| US FedRAMP R5 (high) (source) | IR-4(1) |
| US IRS 1075 | IR-4(1) |
| US - TX TX-RAMP Level 2 | IR-4(1) |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 9.4(b) |
| EMEA Israel CDMO 1.0 | 24.4 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to support the incident handling process.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to support the incident handling process.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to support the incident handling process.
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to support the incident handling process.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to support the incident handling process.
Assessment Objectives
- IRO-02.1_A01 anomalous or suspicious behavior is defined.
- IRO-02.1_A02 organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.
- IRO-02.1_A03 automated mechanisms used to support the incident handling process are defined.
- IRO-02.1_A04 the incident handling process is supported using automated mechanisms.
- IRO-02.1_A05 incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined.
- IRO-02.1_A06 least-disruptive actions to terminate suspicious events are defined.
- IRO-02.1_A07 incident response personnel are notified of detected suspicious events.
- IRO-02.1_A08 least-disruptive actions are taken upon the detection of suspicious events.
Technology Recommendations
Medium
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Large
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Enterprise
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)