FISMA Certification and Accreditation Handbook

It has long been a grave question whether any government can be strong enough to maintain its existence in great emergencies.
Abraham Lincoln
Although an Incident Response Plan is required only for certifications Level 2 and up, all IT organizations that take security seriously should have an Incident Response Plan whether their systems are undergoing C&A or not. When it comes to C&A, the goal of the Incident Response Plan is to describe the incident response process that the information system undergoing C&A is required to follow.
Because it is unscheduled and potentially damaging, a security incident can throw an otherwise competent staff into immediate anxiety and frustration. A well-thought-out Incident Response Plan helps maintain order and efficient organizational processes during a stressful situation. Every Incident Response Plan should contain certain key instructional elements, and the C&A audit team may fail your Incident Response Plan if any of these elements are missing. Though your plan can include more information than the required key elements, be sure at the very minimum to include a section on each of the following:
Purpose and applicability
Policies and guidelines
Reporting framework
Roles and responsibilities
Definitions
Incident handling
Incident types
Incident reporting form
If time permits, you may also want to include information on how to detect incidents and how to proceed with forensic investigations.
Even though it may seem obvious that your document should include a stated purpose, it is important not to...