NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

IR-3 INCIDENT RESPONSE TESTING

Family:
Incident Response
Class:
Priority:
P2 - Implement P2 security controls after implementation of P1 controls.
Baseline Allocation:
Low Moderate High
IR-3 (2)
IR-3 (2)

Control Description

The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

Supplemental Guidance

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

Related to: CP-4IR-8

Control Enhancements

IR-3 (1) INCIDENT RESPONSE TESTING | AUTOMATED TESTING
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
Supplemental Guidance: Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities, for example: (i) by providing more complete coverage of incident response issues; (ii) by selecting more realistic test scenarios and test environments; and (iii) by stressing the response capability.
Related to: AT-2
IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
The organization coordinates incident response testing with organizational elements responsible for related plans.
Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.