KSI-INR-RIR—Reviewing Incident Response Procedures
Formerly KSI-INR-01
Control Description
NIST 800-53 Controls
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express detection and response capability through MTTD/MTTR dashboards — SIEM/SOAR platforms feeding metrics continuously, incident volumes tracked by severity and category, and false positive rates showing tuning effectiveness. Detection and response maturity becomes a visible, measurable property.
Incident Response Metrics
Dashboard expressing detection and response capability — MTTD, MTTR, incident volumes by severity, and resolution trends
Incident Classification Framework
How incidents are classified — severity levels, response requirements, and escalation criteria
IR Capability Certifications
Team certifications and third-party IR retainer agreements — external validation of response capability
Programmatic Queries
CLI Commands
gh api repos/{owner}/{repo}/contents/docs/incident-response --jq '.[].name'
gh api repos/{owner}/{repo}/contents/docs/incident-response/runbook.md --jq '.content' | base64 -d | head -40
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Do your incident response procedures cover all incident types — data breaches, ransomware, insider threats, supply chain compromise, cloud provider incidents, and availability events?
- Are procedures defined for all phases — preparation, detection/analysis, containment, eradication, recovery, and post-incident activity?
- How do you ensure procedures address FedRAMP-specific requirements (ICP notification timelines, agency communication, evidence preservation for federal data)?
- Are there incident scenarios not covered by current procedures, and how are those gaps identified and tracked?
Automation & Validation:
- What SOAR or automation assists responders during incidents — automated evidence collection, containment playbooks, or enrichment of alerts?
- How do you measure procedure effectiveness through quantitative metrics (MTTD, MTTR, containment time, recurrence rate)?
- What happens when a procedure is followed but the incident is not effectively contained — how do you detect procedure failure versus execution failure?
- Do you run tabletop exercises, purple team engagements, or adversary simulations that test procedure effectiveness under realistic conditions?
Inventory & Integration:
- What incident response platform (PagerDuty, Jira, ServiceNow, Rootly) orchestrates procedure execution, and how does it integrate with your SIEM and communication tools?
- How do incident response procedures integrate with your FedRAMP ICP workflow to ensure notification requirements are met automatically?
- Are incident response runbooks and playbooks version-controlled and linked to specific detection rules and alert types?
- What tools support forensic investigation and evidence preservation as part of your incident response procedures?
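An added example, not code from this KSI page or from any IR platform, that takes the runbook listing above one step further and answers the Completeness & Coverage questions and the runbook-to-detection-rule question in code. It assumes each runbook under docs/incident-response/ opens with a front-matter block whose keys (incident_types, phases, detection_rules, last_reviewed) are assumptions for the example, as are the three constructed sample runbooks and the annual review interval. The check reports incident types no runbook covers, runbooks missing a phase, runbooks not linked to any detection rule, and runbooks overdue for review.

```python
"""Runbook coverage check for incident response procedures.

Added example: each runbook is assumed to start with a front-matter block of
"key: value" and "key: [a, b]" lines (the keys incident_types, phases,
detection_rules and last_reviewed are assumptions for this example).  The
check reports incident types and phases no runbook covers, runbooks not
linked to a detection rule, and runbooks overdue for review.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Incident types and phases the assessment questions expect procedures to cover.
REQUIRED_TYPES = {
    "data-breach", "ransomware", "insider-threat",
    "supply-chain-compromise", "cloud-provider-incident", "availability-event",
}
REQUIRED_PHASES = {
    "preparation", "detection-analysis", "containment",
    "eradication", "recovery", "post-incident",
}
REVIEW_INTERVAL = timedelta(days=365)  # assumed annual review cadence

# Constructed sample runbooks, standing in for docs/incident-response/*.md.
SAMPLE_RUNBOOKS = {
    "ransomware.md": """---
incident_types: [ransomware, availability-event]
phases: [preparation, detection-analysis, containment, eradication, recovery, post-incident]
detection_rules: [SIEM-1042, EDR-ransom-canary]
last_reviewed: 2024-03-01
---
# Ransomware runbook
""",
    "data-breach.md": """---
incident_types: [data-breach, insider-threat]
phases: [detection-analysis, containment, eradication, recovery, post-incident]
detection_rules: [DLP-exfil-volume]
last_reviewed: 2022-11-15
---
# Data breach runbook
""",
    "cloud-provider.md": """---
incident_types: [cloud-provider-incident]
phases: [preparation, detection-analysis, containment, recovery]
detection_rules: []
last_reviewed: 2024-01-10
---
# Cloud provider incident runbook
""",
}

FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---", re.S)


def parse_front_matter(text: str) -> dict:
    """Return the front-matter keys; '[a, b]' values become lists, others stay strings."""
    match = FRONT_MATTER.match(text)
    if not match:
        return {}
    meta: dict = {}
    for line in match.group(1).splitlines():
        if ":" not in line:
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip()
        if raw.startswith("[") and raw.endswith("]"):
            inner = raw[1:-1].strip()
            meta[key.strip()] = [v.strip() for v in inner.split(",")] if inner else []
        else:
            meta[key.strip()] = raw
    return meta


def check_coverage(runbooks: dict[str, str], as_of: str) -> dict:
    """Compare the runbook set against REQUIRED_TYPES/REQUIRED_PHASES as of an ISO date."""
    today = date.fromisoformat(as_of)
    covered_types: set = set()
    incomplete_phases: dict = {}
    unlinked, overdue, unparsed = [], [], []
    for name, text in sorted(runbooks.items()):
        meta = parse_front_matter(text)
        if not meta:
            unparsed.append(name)  # no front matter: cannot be assessed automatically
            continue
        covered_types.update(meta.get("incident_types", []))
        missing = sorted(REQUIRED_PHASES - set(meta.get("phases", [])))
        if missing:
            incomplete_phases[name] = missing
        if not meta.get("detection_rules"):
            unlinked.append(name)  # playbook not tied to any alert type
        reviewed = meta.get("last_reviewed")
        if not reviewed or today - date.fromisoformat(reviewed) > REVIEW_INTERVAL:
            overdue.append(name)
    return {
        "missing_types": sorted(REQUIRED_TYPES - covered_types),
        "incomplete_phases": incomplete_phases,
        "unlinked_runbooks": unlinked,
        "overdue_runbooks": overdue,
        "unparsed_runbooks": unparsed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_coverage(SAMPLE_RUNBOOKS, "2024-06-01"), indent=2))
```

Run against a real checkout, the same function would be fed the files the gh listing above returns; a non-empty missing_types or unlinked_runbooks list is the gap the "scenarios not covered" question asks you to identify and track, and a runbook without front matter is reported rather than silently skipped.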
Continuous Evidence & Schedules:
- How frequently are incident response procedures reviewed for effectiveness, and what evidence shows each review was completed?
- Is incident response performance data (detection time, response time, resolution time per incident) available via API or dashboard?
- What evidence demonstrates that procedure reviews result in concrete updates to runbooks, playbooks, and automation?
- How do you prove that tabletop exercises and drills are conducted on schedule and that findings drive procedure improvements?
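As an added example, not code from this page or from any SIEM or IR platform, the Python below computes the metrics the "From the field" note and the Automation & Validation and Continuous Evidence questions name (MTTD, MTTR, containment time, incident volume by severity, recurrence rate, false positive rate) from a constructed set of ticket records in the shape an IR platform API might return. The record fields, the 90-day recurrence window and the detection-time target are assumptions for the example; the output dictionary is the kind of per-period evidence a dashboard or API would expose.

```python
"""Incident response metrics from ticket records (added example).

Assumed record shape: one dict per ticket with ISO 8601 UTC timestamps and a
disposition of "incident" or "false_positive".  Durations are reported in
hours.  Open incidents (no resolved_at) count toward volume and MTTD but are
excluded from MTTR and containment time.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample records; a real pipeline would pull these from the IR platform's API.
SAMPLE_TICKETS = [
    {"id": "INC-1", "severity": "high", "category": "phishing", "disposition": "incident",
     "occurred_at": "2024-05-01T08:00:00Z", "detected_at": "2024-05-01T10:00:00Z",
     "contained_at": "2024-05-01T13:00:00Z", "resolved_at": "2024-05-02T10:00:00Z"},
    {"id": "INC-2", "severity": "critical", "category": "ransomware", "disposition": "incident",
     "occurred_at": "2024-05-03T01:00:00Z", "detected_at": "2024-05-03T02:00:00Z",
     "contained_at": "2024-05-03T06:00:00Z", "resolved_at": "2024-05-05T02:00:00Z"},
    {"id": "INC-3", "severity": "low", "category": "phishing", "disposition": "false_positive",
     "occurred_at": "2024-05-04T09:00:00Z", "detected_at": "2024-05-04T09:30:00Z",
     "contained_at": None, "resolved_at": "2024-05-04T10:00:00Z"},
    {"id": "INC-4", "severity": "high", "category": "phishing", "disposition": "incident",
     "occurred_at": "2024-05-20T12:00:00Z", "detected_at": "2024-05-20T15:00:00Z",
     "contained_at": "2024-05-20T17:00:00Z", "resolved_at": "2024-05-21T15:00:00Z"},
    {"id": "INC-5", "severity": "medium", "category": "misconfiguration", "disposition": "incident",
     "occurred_at": "2024-05-25T00:00:00Z", "detected_at": "2024-05-26T00:00:00Z",
     "contained_at": None, "resolved_at": None},  # still open
]


def _ts(value):
    """Parse an ISO 8601 UTC timestamp ('...Z'); None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def _hours(start, end) -> float:
    return (end - start) / timedelta(hours=1)


def compute_metrics(tickets: list[dict], recurrence_window_days: int = 90) -> dict:
    """Summarise detection and response performance for one reporting period."""
    incidents = [t for t in tickets if t["disposition"] == "incident"]
    fp_count = sum(1 for t in tickets if t["disposition"] == "false_positive")
    mttd = [_hours(_ts(t["occurred_at"]), _ts(t["detected_at"])) for t in incidents]
    mttr = [_hours(_ts(t["detected_at"]), _ts(t["resolved_at"]))
            for t in incidents if t["resolved_at"]]
    contain = [_hours(_ts(t["detected_at"]), _ts(t["contained_at"]))
               for t in incidents if t["contained_at"]]
    # Recurrence: an incident whose category already occurred within the window,
    # i.e. the previous procedure run did not prevent a repeat.
    window = timedelta(days=recurrence_window_days)
    last_seen: dict = {}
    recurrences = 0
    for t in sorted(incidents, key=lambda t: t["occurred_at"]):
        when = _ts(t["occurred_at"])
        prev = last_seen.get(t["category"])
        if prev is not None and when - prev <= window:
            recurrences += 1
        last_seen[t["category"]] = when
    return {
        "incident_count": len(incidents),
        "open_incidents": sum(1 for t in incidents if not t["resolved_at"]),
        "by_severity": dict(Counter(t["severity"] for t in incidents)),
        "mttd_hours": round(mean(mttd), 2) if mttd else None,
        "mttr_hours": round(mean(mttr), 2) if mttr else None,
        "mean_containment_hours": round(mean(contain), 2) if contain else None,
        "recurrence_rate": round(recurrences / len(incidents), 3) if incidents else None,
        "false_positive_rate": round(fp_count / len(tickets), 3) if tickets else None,
    }


def detection_target_breaches(tickets: list[dict], max_hours: float) -> list[str]:
    """IDs of incidents detected later than the target: the cases to review for
    procedure failure versus execution failure."""
    return [t["id"] for t in tickets
            if t["disposition"] == "incident"
            and _hours(_ts(t["occurred_at"]), _ts(t["detected_at"])) > max_hours]


if __name__ == "__main__":
    import json
    print(json.dumps(compute_metrics(SAMPLE_TICKETS), indent=2))
    print("detection target breaches:", detection_target_breaches(SAMPLE_TICKETS, 4))
```

Computing these per review period from the platform's own records, rather than from a hand-maintained spreadsheet, is what makes the numbers usable as continuous evidence: the same function run on each period's export gives a resolution trend, and the breach list is the input to the question of whether a procedure or its execution failed.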
Update History