This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization tracks and documents information system security incidents.
NIST 800-53 (r4) Supplemental Guidance:
Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
References: None.
NIST 800-53 (r5) Discussion:
Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.
38North Guidance:
Meets Minimum Requirement:
Security incident information is documented, which may include but is not limited to:
the status of the incident
the date/time of the incident
contact information for the incident reporter and incident handler
source/cause of the incident
description of the incident
description of the affected resources
incident handling actions performed
Security incidents are tracked through completion/resolution
Best Practice:
Using a ticketing system and document repository to report, document, manage, and retain incident response tickets, so that every incident has a single record of its status and the handling actions taken.
Maintaining an incident response database so that previous security incident records can be queried and trends (for example, recurring sources or causes, and time to resolution) can be evaluated.
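The following is an added example, not code from 38North, NIST, or any CSP: a minimal incident register in Python that captures the minimum-requirement fields listed above, enforces tracking through resolution with an auditable action log (an incident cannot be closed without first being resolved), and answers the kind of trend queries an incident database is expected to support. The status names, field names, and sample incidents are assumptions constructed for illustration; a real deployment would back this with the organization's ticketing system.

```python
# Added example (not 38North's or NIST's code). Field names, statuses and the
# sample incidents below are assumptions constructed for illustration only.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(str, Enum):
    NEW = "new"
    IN_PROGRESS = "in_progress"
    RESOLVED = "resolved"
    CLOSED = "closed"


# Lifecycle every record must follow. CLOSED is reachable only from RESOLVED,
# so a record cannot be "finished" without a recorded resolution.
ALLOWED_TRANSITIONS = {
    Status.NEW: {Status.IN_PROGRESS},
    Status.IN_PROGRESS: {Status.RESOLVED},
    Status.RESOLVED: {Status.CLOSED, Status.IN_PROGRESS},  # reopening is allowed
    Status.CLOSED: set(),
}


@dataclass
class Incident:
    incident_id: str
    occurred_at: datetime            # date/time of the incident
    reporter: str                    # contact information for the reporter
    handler: str                     # contact information for the handler
    source: str                      # source/cause of the incident
    description: str                 # description of the incident
    affected_resources: list[str]    # description of the affected resources
    status: Status = Status.NEW      # status of the incident
    actions: list[tuple[datetime, str]] = field(default_factory=list)  # handling actions
    resolved_at: datetime | None = None


REQUIRED = ("incident_id", "occurred_at", "reporter", "handler",
            "source", "description", "affected_resources")


def missing_fields(inc: Incident) -> list[str]:
    """Return the minimum-requirement fields that are empty on this record."""
    return [f for f in REQUIRED if not getattr(inc, f)]


def transition(inc: Incident, new: Status, note: str, at: datetime) -> Incident:
    """Move an incident to a new status and log the action; reject illegal jumps."""
    if new not in ALLOWED_TRANSITIONS[inc.status]:
        raise ValueError(f"{inc.incident_id}: cannot go from {inc.status.value} to {new.value}")
    inc.actions.append((at, f"{inc.status.value} -> {new.value}: {note}"))
    inc.status = new
    if new is Status.RESOLVED:
        inc.resolved_at = at
    return inc


def open_incidents(register: list[Incident]) -> list[str]:
    """IDs that still need work, i.e. neither resolved nor closed."""
    return [i.incident_id for i in register if i.status in (Status.NEW, Status.IN_PROGRESS)]


def count_by_source(register: list[Incident], year: int | None = None) -> Counter:
    """Trend query: incidents per source/cause, optionally restricted to one year."""
    return Counter(i.source for i in register if year is None or i.occurred_at.year == year)


def mean_hours_to_resolve(register: list[Incident]) -> float:
    """Average hours from occurrence to resolution over incidents that were resolved."""
    hours = [(i.resolved_at - i.occurred_at).total_seconds() / 3600
             for i in register if i.resolved_at is not None]
    return sum(hours) / len(hours) if hours else 0.0


def build_sample_register() -> list[Incident]:
    """Constructed sample data (not real incidents) that exercises the register."""
    utc = timezone.utc
    a = Incident("INC-0001", datetime(2023, 3, 1, 9, 0, tzinfo=utc), "alice@example.test",
                 "soc@example.test", "phishing", "Credential-harvesting email opened",
                 ["workstation-17", "user:alice"])
    transition(a, Status.IN_PROGRESS, "password reset, mailbox rules reviewed",
               datetime(2023, 3, 1, 10, 0, tzinfo=utc))
    transition(a, Status.RESOLVED, "no further access observed",
               datetime(2023, 3, 2, 9, 0, tzinfo=utc))
    transition(a, Status.CLOSED, "lessons learned recorded",
               datetime(2023, 3, 3, 9, 0, tzinfo=utc))
    b = Incident("INC-0002", datetime(2023, 3, 5, 14, 0, tzinfo=utc), "monitoring",
                 "soc@example.test", "phishing", "Second user reported the same lure",
                 ["user:bob"])
    transition(b, Status.IN_PROGRESS, "triage started",
               datetime(2023, 3, 5, 14, 30, tzinfo=utc))
    c = Incident("INC-0003", datetime(2023, 3, 9, 2, 0, tzinfo=utc), "cloudtrail-alert",
                 "", "misconfiguration", "Storage bucket policy made public",
                 ["bucket:logs-bucket"])  # handler left empty: fails missing_fields()
    return [a, b, c]


if __name__ == "__main__":
    reg = build_sample_register()
    print("open:", open_incidents(reg))
    print("incomplete records:", {i.incident_id: missing_fields(i) for i in reg if missing_fields(i)})
    print("by source (2023):", dict(count_by_source(reg, 2023)))
    print("mean hours to resolve:", mean_hours_to_resolve(reg))
```

The two checks worth carrying into an assessment are visible in the output: `missing_fields` flags any record that lacks a minimum-requirement field (here the third incident has no handler), and `open_incidents` lists what has not yet been tracked through to resolution. The `actions` list on each record is the evidence trail an assessor would ask for under the Assessment Evidence section.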
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Evidence showing that security incidents are documented and tracked, such as incident reports, email trails, incident tickets, etc.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD