Hello, and welcome to the NIST 800-171 learning path. My name is Dave Hatter, I'm your instructor for this class and this is Course 2, Understanding and Implementing the 110 NIST 800-171 Requirements. As you know, there are 14 requirements families. In this video, we'll take a look at requirements family 3.6, Incident Response. Think of it as a defined plan that, reviewed and practiced regularly, will ensure that an organization can recover data and systems, and resume operations in a timely fashion. In this particular requirements family, there are only three requirements. It's one of the smaller ones.
You can see the first requirement here, 3.6.1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. This is a basic requirement. Incident handling should be designed into your processes and systems; incident handling often requires coordination across entities, so you'll want to have a team that understands your incident response plan; training should be provided to individuals based on their role; and you can take a look at NIST Special Publication 800-61 for guidance on incident handling. I would encourage you to check that out. There's some great information there that will help you build an incident response plan and program in your organization.
3.6.2: Track, document, and report incidents to designated officials and authorities both internal and external to the organization. Another basic requirement. You need to document incidents and track their status, you need to report events internally based on defined reporting requirements, which again is something you would define as part of your plan, and you need to report events externally based on applicable laws, directives, regulations, executive orders and policies. Again, check out NIST Special Publication 800-61 for guidance on incident handling.
Then finally, we have 3.6.3: Test the organizational incident response capability. This is a derived requirement. You need to regularly test incident response programs to determine the effectiveness and find and correct deficiencies. Obviously, any plan that's never tested may not hold up when you actually have to implement it in the real world, or executed in the real world is probably a better way to say it. Obviously, security needs change, business needs change over time, and also in response to lessons learned is what I'm trying to say, sorry. In response to the lessons learned from incidents that occur in previous responses, you may find better ways to improve your plan, better ways to approach in the future. It's really important that you regularly test it, and that testing can include the use of things like checklists, you can do walk-throughs, tabletop exercises, simulations, and then other types of comprehensive exercises. There's a variety of different ways. Again, NIST is not prescriptive. They give you a lot of information on different ways you can approach this. Then finally, they point you to Special Publication 800-84 for guidance on information technology testing.
That gets us through 3.6, Incident Response. I will see you in the next video, where we'll take a look at requirements family 3.7. Thanks.