03.06.04
Control Family: Incident Response
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-86 [36]
SP 800-137 [49]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.06.04
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
IR-02
a. Provide incident response training to system users consistent with assigned roles and responsibilities:
1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access,
2. When required by system changes, and
3. [Assignment: organization-defined frequency] thereafter.
b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:
Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know how to recognize an incident or whom to call; system administrators may require additional training on how to handle incidents; and incident responders may receive specific training on data collection techniques, forensics, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of 03.02.02. Events that may cause an update to incident response training content include incident response plan testing, response to an actual incident, audit or assessment findings, or changes in applicable laws, Executive Orders, policies, directives, regulations, standards, and guidelines.
Assessment Methods and Objectives
Examine [SELECT FROM: incident response policy and procedures; procedures for incident response training; incident response training curriculum; incident response training materials; incident response plan; incident response training records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with incident response training and operational responsibilities; personnel with information security responsibilities]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.06.04.ODP[01]: the time period within which incident response training is to be provided to system users is defined.
A.03.06.04.ODP[02]: the frequency at which to provide incident response training to users after initial training is defined.
A.03.06.04.ODP[03]: the frequency at which to review and update incident response training content is defined.
A.03.06.04.ODP[04]: events that initiate a review of the incident response training content are defined.
A.03.06.04.a.01: incident response training for system users consistent with assigned roles and responsibilities is provided within <A.03.06.04.ODP[01]: time period> of assuming an incident response role or responsibility or acquiring system access.
A.03.06.04.a.02: incident response training for system users consistent with assigned roles and responsibilities is provided when required by system changes.
A.03.06.04.a.03: incident response training for system users consistent with assigned roles and responsibilities is provided <A.03.06.04.ODP[02]: frequency> thereafter.
A.03.06.04.b[01]: incident response training content is reviewed <A.03.06.04.ODP[03]: frequency>.
A.03.06.04.b[02]: incident response training content is updated <A.03.06.04.ODP[03]: frequency>.
A.03.06.04.b[03]: incident response training content is reviewed following <A.03.06.04.ODP[04]: events>.
A.03.06.04.b[04]: incident response training content is updated following <A.03.06.04.ODP[04]: events>.