| IR-04 Incident Handling |
| Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. |
| Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly. |
| Related security controls: AU-6, PE-6. |
| Control Enhancements: (1) The organization employs automated mechanisms to support the incident handling process. |
| Baseline: LOW IR-4; MOD IR-4 (1); HIGH IR-4 (1) |
| Family: Incident Response |
| Class: Operational |
| ISO 17799 mapping: 6.1.6, 13.2.1, 13.2.2 |
| COBIT 4.1 mapping: PO9.5, PO9.6, DS8.2 |
