Incident response policy provides guidance on how to plan for and react to information security incidents.


The organization provides incident response training to information system users consistent with their assigned roles and responsibilities:

  1. Within 10 business days of assuming an incident response role or responsibility;
  2. When required by information system changes; and
  3. Annually thereafter.

An Incident Response Training Certification (IR001) shall be generated after successful completion of incident response training.


The Incident Response Plan defines the procedure for handling incidents.

The Incident Response Plan covers the following topics:

  1. Preparation for, detection and analysis of, containment of, eradication of, and recovery from security incidents;
  2. Coordination of incident handling activities with contingency planning activities; and
  3. Capture of lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.


The organization tracks and documents information system security incidents using the Change Management Process.


The organization:

  1. Requires personnel to report suspected security incidents to the organizational incident response capability within 24 hours of discovery; and
  2. Reports security incident information using the Change Management Process. In addition, the Security Team (PL002) must be notified as soon as an incident is logged.


The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. A third-party resource has been engaged for this role. The third-party resource must have a minimum of 3 years of experience managing the following types of incidents:

  • Intellectual property theft
  • Financial crime
  • Personally identifiable information compromise
  • Destructive attacks


The organization develops an incident response plan that:

  1. Provides the organization with a roadmap for implementing its incident response capability;
  2. Describes the structure and organization of the incident response capability;
  3. Provides a high-level approach for how the incident response capability fits into the overall organization;
  4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  5. Defines reportable incidents;
  6. Provides metrics for measuring the incident response capability within the organization;
  7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
  8. Is reviewed and approved by the Security Team (PL002).

The organization also:

  1. Distributes copies of the incident response plan to the Security Team;
  2. Reviews the incident response plan annually;
  3. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
  4. Communicates incident response plan changes to the Security Team; and
  5. Protects the incident response plan from unauthorized disclosure and modification.

See the Incident Response Plan for further details.


  • Quarterly Management Review (MR002) includes review of all IR001s, using the Security Team Roster (PL002) as the reference for who must hold a current certification.
  • Quarterly Management Review (MR002) includes review of all reported incidents.
  • Annual Management Review (MR001) includes review of this policy and the Incident Response Plan, and verifies that the incident response support resource remains available to the organization (reference IR-7 above).