
Test the incident response procedures.

CONTROL ID: 01216
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Document the results of incident response tests and provide them to senior management., CC ID: 14857

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should formulate, and regularly undertake practice drills to test their incident response and management procedures to ensure sufficient management oversight, adequate capacity and effective incident management capability (§ 8.2.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should also formulate, and regularly undertake assessment and practice drills on their incident response and management procedures to ensure sufficient management oversight, adequate capacity and effective incident management capability. (§ 8.2.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Periodically testing and refining information security incident response plans (Critical components of information security 10) (ii) h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks can also consider incorporating DoS attack considerations in their ISP selection process. An incident response framework should be devised and validated periodically to facilitate fast response to a DDoS onslaught or an imminent attack. Banks may also need to be familiar with the ISPs' inciden… (Critical components of information security 26) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once … (Technology Risk Management ¶ 6, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • The predetermined escalation and response plan for security incidents should be tested on a regular basis. (§ 7.3.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The DC's physical security and environmental controls should be monitored on a 24 by 7 basis. Appropriate escalation, response plans and procedures for physical and environmental incidents at DCs should be established and tested. (§ 8.5.5, Technology Risk Management Guidelines, January 2021)
  • The FI should carry out regular scenario-based cyber exercises to validate its response and recovery, as well as communication plans against cyber threats. These exercises could include social engineering, table-top, or cyber range exercises. (§ 13.3.1, Technology Risk Management Guidelines, January 2021)
  • The incident management policy, including the associated incident response plan, is exercised at least annually. (Control: ISM-1784; Revision: 0, Australian Government Information Security Manual, June 2023)
  • The cyber security incident management policy, including the associated cyber security incident response plan, is exercised at least annually. (Control: ISM-1784; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Under CPS 234, an APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit-for-purpose. It is important that the success criteria for such tests are clearly defined, including the circumstances under which re-testing would be… (74., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly, as well as in the event of any substantive changes to ICT systems supporting critical or important functions; (Art. 11.6. ¶ 1(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • test, on a regular basis, the plans and measures referred to in point (f), as well as the effectiveness of the controls implemented in accordance with points (a) and (c); (Art. 16.1. ¶ 2(g), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment. (D1.c ¶ 1, NCSC CAF guidance, 3.1)
  • Capabilities exist to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential function (C. ¶ 1, NCSC CAF guidance, 3.1)
  • Incident management and system recovery testing is performed on a periodic basis to make sure the entity continues to be able to identify, evaluate and respond to critical incidents. Testing includes: 1) the development and use of test scenarios based on the likelihood and magnitude of potential thr… (S7.5 Implements incident management and recovery testing, Privacy Management Framework, Updated March 1, 2020)
  • Verify that the incident response plan is tested at least annually. (§ 12.9.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the incident response plan is tested at least annually. (Testing Procedures § 12.10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the incident response plan is tested on at least an annual basis. (§ 12.9.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that the plan is tested at least annually. (§ 12.9.2 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The incident response plan must be tested at least annually. (PCI DSS Requirements § 12.10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Test the plan at least annually. (12.10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually. (12.10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually. (12.10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is the plan tested at least annually? (12.10.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the plan reviewed and tested at least annually, including all elements listed in Requirement 12.10.1? (12.10.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is the plan tested at least annually? (12.10.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is the plan reviewed and tested at least annually, including all elements listed in Requirement 12.10.1? (12.10.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Interview personnel and review documentation from testing to verify that the plan is tested at least annually, and that testing includes all elements listed in Requirement 12.10.1. (12.10.2, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Tested, including all elements listed in Requirement 12.10.1. (12.10.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Tested, including all elements listed in Requirement 12.10.1. (12.10.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is the incident response plan tested at least annually? (PCI DSS Question 12.10.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the incident response plan tested at least annually? (PCI DSS Question 12.10.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Tested, including all elements listed in Requirement 12.10.1. (12.10.2 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Tested, including all elements listed in Requirement 12.10.1. (12.10.2 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A person responsible for reviewing, amending, and updating the business continuity plan should be identified and documented. The incident management plan should be tested to ensure it works correctly and contains an appropriate level of detail and instructions. (§ 8.3.5, § 9.3.4, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The incident procedures should be updated frequently based on actual and test activations. (§ 8.4.6 ¶ 1, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Joint testing of the crisis management and business continuity programs in order to symbiotically build on each other's strengths and so that the overall effort can mature cohesively is an aspect of an effective crisis management program in addition to escalation protocols and command and control of… (§ 7 ¶ 5, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Testing must be conducted regularly on the organizational resilience communication systems. The organization should include required periodic testing of the incident and emergency management and response procedures when it develops its incident prevention, preparedness, and response procedures. The … (§ 4.4.3 ¶ 3, § 4.4.7 ¶ 3(n), § 4.6.3 ¶ 1(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The emergency management plan should be kept updated. (Revised Volume 4 Pg 1-I-12, Protection of Assets Manual, ASIS International)
  • The incident response plan should be updated if any issues arise during a live training session. (Action 1.6.4, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should conduct periodic incident scenario sessions for the incident handling team. (Critical Control 18.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supp… (BCR-02, Cloud Controls Matrix, v3.0)
  • Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness. (SEF-04, Cloud Controls Matrix, v4.0)
  • Evaluate the risk and readiness of the organisation based on plausible cyber attack scenarios. (7.4A Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities… (CIS Control 19: Sub-Control 19.7 Conduct Periodic Incident Scenario Sessions for Personnel, CIS Controls, 7.1)
  • Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities… (CIS Control 19: Sub-Control 19.7 Conduct Periodic Incident Scenario Sessions for Personnel, CIS Controls, V7)
  • Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a mi… (CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises, CIS Controls, V8)
  • periodic testing of emergency response procedure(s); (8.2 ¶ 4 Bullet 15, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. (PR.IP-10.4, CRI Profile, v1.2)
  • Response and recovery plans are tested. (PR.IP-10, CRI Profile, v1.2)
  • The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. (PR.IP-10.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. (IR-3 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. (IR-3 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • § V.B.10 Develop, review, and assess the information security management program, policies, and procedures to ensure they are current and effectively communicated throughout the firm. § VI.B This Program will be periodically reviewed and updated to reflect changes in risks to individuals and the s… (§ V.B.10, § VI.B, AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009)
  • The privacy incident and breach management program includes periodically, at least annually, performing tests or walkthroughs of the incident and breach notification procedures and updating the procedures, as necessary. (Generally Accepted Privacy Principles and Criteria § 1.2.7 Bullet 7, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should periodically (at least annually) perform tests or walkthroughs of the incident and breach notification procedures and update as necessary. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should test the privacy incident and breach management program at least every 6 months and as soon as possible after a change. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Program plans, procedures, and capabilities must be evaluated by the organization using periodic reviews, testing, and exercises. Additional reviews must be based upon the post-incident analyses and reports, the performance evaluations, and the lessons learned. The exercises must test individual ess… (§ 5.14, Annex A.5.14.3, Annex A.5.14.4, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Test each Cyber Security Incident response plan(s) at least once every 15 calendar months: (CIP-008-5 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • By responding to an actual Reportable Cyber Security Incident; (CIP-008-5 Table R2 Part 2.1 Requirements ¶ 1 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or (CIP-008-5 Table R2 Part 2.1 Requirements ¶ 1 Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • With an operational exercise of a Reportable Cyber Security Incident. (CIP-008-5 Table R2 Part 2.1 Requirements ¶ 1 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • With an operational exercise of a Reportable Cyber Security Incident. (CIP-008-6 Table R2 Part 2.1 Requirements ¶ 1 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or (CIP-008-6 Table R2 Part 2.1 Requirements ¶ 1 Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • By responding to an actual Reportable Cyber Security Incident; (CIP-008-6 Table R2 Part 2.1 Requirements ¶ 1 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Test each Cyber Security Incident response plan(s) at least once every 15 calendar months: (CIP-008-6 Table R2 Part 2.1 Requirements ¶ 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber S… (Section 4. 4.5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber S… (Attachment 1 Section 4. 4.5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Does the incident identification process include annual testing of the procedures? (§ J.1.2.11.17, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • The organization must test and document the incident response capability annually. The organization must use automated mechanisms to test the incident response plan. (CSR 1.6.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. (§ 248.201 (d)(2)(iv), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Incident response procedures must be reviewed by airport operator at least once every 12 calendar months. (§ 1542.307(d), 49 CFR Part 1542, Airport Security)
  • Test the organizational incident response capability. (IR.3.099, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Test the organizational incident response capability. (IR.3.099, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Test the organizational incident response capability. (IR.3.099, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Test the organizational incident response capability. (IR.L2-3.6.3 Incident Response Testing, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The incident response plan must be exercised at least annually. (VIIR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The incident response plan must be exercised at least every 6 months. (VIIR-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Reports must be maintained for all drills and exercises. The reports must contain the date the event was held; a description; a list of equipment tested or used; and lessons learned to improve the plan. The drill and exercise reports must be kept for at least 3 years. (§ 27.255(a)(2), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The incident management plan must be tested and evaluated; appropriate action must be taken to correct any deficiencies. Incident management personnel and organizations must participate in realistic exercises to ensure organizations can function effectively across jurisdictions. (Chap III.A.1, Chap III.B.2.b, National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • Determine whether the incident response program includes a cyber component and assess whether it is appropriate for the size and complexity of the financial institution or service provider. Review the incident response plan to ensure that it addresses the following: (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • A requirement for periodic testing of the incident response plan in the real-world threat landscape; and (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • An incident response plan; (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:5 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Validating that the crisis/emergency management process is operating as designed. (App A Objective 10:16b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Engaging personnel from all business units to participate and interact with internal and external management response teams. (App A Objective 10:16a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Incident response plans. (App A Objective 10:23c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A plan that is comprehensive, coordinated, integrated, and periodically tested with appropriate internal and external parties. (App A Objective 8.6.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Assignment of responsibilities, training, and testing. (App A Objective 8.6.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Develop procedures to test the incident escalation, response, and reporting processes. (App A Objective 8.5.h, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Develops and tests a response plan in conjunction with the institution's ISPs and third-party service providers to mitigate the interruption of mobile or remote financial services. (App A Objective 6.25.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Develop and maintain policies and procedures to securely offer and strengthen the resilience of remote financial services, if the institution offers such services. - Plan for actions that adversely affect the availability of remote banking services to customer… (II.C.16 Customer Remote Access to Financial Services, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Developing, implementing, and periodically testing incident response procedures. (App A Objective 12:8 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should test the incident guidelines to ensure the procedures are in line with the continuity strategies. (Pg 31, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The Identity Theft Prevention Program must include reasonable policies and procedures to ensure the Program and Red Flags are updated periodically, reflecting any changes to the safety and soundness of the financial institution or creditor and any changes in risks to customers from identity theft. T… (§ 41.90(d)(2)(iv), § 222.90(d)(2)(iv), § 334.90(d)(2)(iv), § 571.90(d)(2)(iv), § 681.2(d)(2)(iv), § 717.90(d)(2)(iv), App J to Part 41.V, App J to Part 222.V, App J to Part 334.V, App J to Part 571.V, App A to Part 681.V, App J to Part 717.V, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • The service provider must define the Incident Response tests and/or exercises in accordance with National Institute of Standards and Technology Special Publication 800-61. (Column F: IR-3, FedRAMP Baseline Security Controls)
  • The service provider must provide a copy of the incident response test plans to the federal risk and authorization management program annually. (Column F: IR-3, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the Incident Response test plans before the testing is commenced. (Column F: IR-3, FedRAMP Baseline Security Controls)
  • The organization tests the incident response capability for the information system [FedRAMP Assignment: at least every six (6) months] using [FedRAMP Assignment: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization… (IR-3 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization tests the incident response capability for the information system [FedRAMP Assignment: at least annually] using [FedRAMP Assignment: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the servic… (IR-3 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Test the effectiveness of the incident response capability for the system [FedRAMP Assignment: at least every six (6) months, including functional at least annually] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Test the effectiveness of the incident response capability for the system [FedRAMP Assignment: at least every six (6) months, including functional at least annually] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must test its incident response plan and document the results of the test at least annually. (§ 5.6.8, Exhibit 4 IR-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Measure effectiveness of each incident response procedure and update as appropriate to reflect lessons learned. (§ 4.6.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The incident response procedures and policies should be updated after the lessons learned process. Post-mortem analysis often reveals missing steps or inaccuracies in the procedures, thereby resulting in changes to procedures. The incident response team should review, at designated intervals, all re… (§ 3.4.1 ¶ 4, App B, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Response and recovery plans are tested (PR.IP-10, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Response and recovery plans are tested (PR.IP-10, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Response and recovery plans are tested. (PR.IP-10, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure the incident response plan is tested on a defined frequency; the results are documented and used to take any necessary corrective actions; the tests confirm the plan works correctly; automated mechanisms are used to improve the testin… (IR-3, IR-3(1), IR-3.9, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. (IR-3 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. (IR-3 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response and recovery plans are tested. (PR.PO-P8, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must exercise and/or test the incident response capability on a defined frequency and document the results. (SG.IR-4 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to test and/or exercise the incident response capability more thoroughly and effectively. (SG.IR-4 Additional Considerations, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should test or exercise the intrusion monitoring system on a defined frequency. (SG.SI-4 Additional Considerations A3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Test the organizational incident response capability. (3.6.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Test the organizational incident response capability. (3.6.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Test the organizational incident response capability. (3.6.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should test or exercise the intrusion monitoring tools on a predefined frequency. (App F § SI-4(9), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization tests intrusion-monitoring tools {organizationally documented frequency}. (SI-4(9), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. (IR-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. (IR-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. (IR-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability. (IR-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan. (SA-15(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Test the incident response capability using [Assignment: organization-defined automated mechanisms]. (IR-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan. (SA-15(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. (IR-3 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Test the incident response capability using [Assignment: organization-defined automated mechanisms]. (IR-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop and implement a written post-event report assessing security drills or exercises and documenting corrective actions. (Table 1: Drills and Exercises Enhanced Security Measures Cell 2, Pipeline Security Guidelines)
  • Conduct cybersecurity incident response exercises periodically. (Table 2: Response Planning Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Review your incident response plan at least annually or whenever there is a material change in your business practices. (Part II ¶ 12, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • incident response and BCDR plans with all staff and management critical to the response, and shall revise the plan as necessary; and (§ 500.16 Incident Response and Business Continuity Management (d)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The organization tests the incident response capability for the information system [TX-RAMP Assignment: at least annually] using [TX-RAMP Assignment: Requirement 1: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Requirement 2: Tes… (IR-3 Control, TX-RAMP Security Controls Baseline Level 2)