NIST 800-53 REV 5 • INCIDENT RESPONSE
IR-3 — Incident Response Testing
Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].
Supplemental Guidance
Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.
Practitioner Notes
An incident response plan that is written and then shelved does not satisfy this control. IR-3 requires you to exercise the capability at a frequency you define, using tests you define, and to document both as organization-defined parameters. Tests range from a checklist review or tabletop discussion to a parallel or full-interrupt simulation; the deliverable that matters is the list of gaps found, with owners and evidence that they were closed before the next test.
Example 1: Run an annual tabletop exercise with the IR team, management, legal, and communications. Use a realistic scenario such as ransomware encrypting a file server, and walk through detection, containment, eradication, recovery, and internal and external notification step by step, with each participant stating what they would actually do and which runbook, contact list, or tool they would use. Record decisions, open questions, and gaps, assign owners, and update the plan. A tabletop validates roles, decision rights, and communication paths; it does not prove that detection or recovery tooling works, so pair it with a technical test.
Example 2: Commission a red team engagement (adversary emulation with agreed objectives, as opposed to a vulnerability-focused penetration test) and measure how quickly the team detects and contains each stage. The responders should not be briefed in advance, but an engagement lead and a deconfliction channel must exist so that test activity can be confirmed as such rather than escalated as a real incident. Compare time to detect and time to contain against the targets in your plan. Breach-and-attack-simulation tools such as AttackIQ or SafeBreach can replay attack scenarios repeatedly to measure detection coverage, but they exercise the detection layer, not the human response, so they complement the tabletop rather than replace it.
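The comparison in Example 2, and the "quantitative data" the Supplemental Guidance calls for, reduces to a small scoring exercise: for each red team or simulation inject, record when it started, when it was first detected, and when it was contained, then measure each interval against the plan's targets. The script below is an added example, not NIST text or part of any tool mentioned above; the inject names, timestamps, and the 30-minute and 4-hour targets are constructed for illustration and should be replaced with the organization's own plan values.

```python
"""Score an incident response exercise timeline against plan targets.

Added example for IR-3 testing; not part of NIST SP 800-53 or any vendor tool.
All inject names, timestamps and targets are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Inject:
    """One attacker action performed during the exercise and how the team responded."""
    name: str
    started: datetime              # when the red team or BAS tool executed the action
    detected: Optional[datetime]   # first alert or analyst ticket referencing it (None = never)
    contained: Optional[datetime]  # host isolated, account disabled, etc. (None = never)


# Hypothetical plan targets; substitute the values from the organization's IR plan.
TARGETS: Dict[str, timedelta] = {
    "detect": timedelta(minutes=30),
    "contain": timedelta(hours=4),
}

# Constructed exercise timeline: one day, four injects.
SAMPLE_INJECTS = [
    Inject("phishing_payload_exec", datetime(2024, 3, 12, 9, 0),
           datetime(2024, 3, 12, 9, 12), datetime(2024, 3, 12, 10, 30)),
    Inject("lateral_movement_psexec", datetime(2024, 3, 12, 9, 45),
           datetime(2024, 3, 12, 10, 40), datetime(2024, 3, 12, 11, 0)),
    Inject("data_staging_archive", datetime(2024, 3, 12, 11, 30),
           None, None),                      # never noticed during the exercise
    Inject("ransomware_fileserver", datetime(2024, 3, 12, 13, 0),
           datetime(2024, 3, 12, 13, 5), datetime(2024, 3, 12, 18, 0)),
]


def score(injects: List[Inject], targets: Dict[str, timedelta] = TARGETS) -> List[dict]:
    """Per-inject time-to-detect (ttd) and time-to-contain (ttc), and whether each met target."""
    results = []
    for inj in injects:
        ttd = inj.detected - inj.started if inj.detected else None
        ttc = inj.contained - inj.started if inj.contained else None
        results.append({
            "inject": inj.name,
            "ttd": ttd,
            "ttc": ttc,
            "detect_met": ttd is not None and ttd <= targets["detect"],
            "contain_met": ttc is not None and ttc <= targets["contain"],
        })
    return results


def summarize(results: List[dict]) -> dict:
    """Aggregate metrics for the after-action report (means exclude injects never reached)."""
    ttds = [r["ttd"] for r in results if r["ttd"] is not None]
    ttcs = [r["ttc"] for r in results if r["ttc"] is not None]

    def mean(xs: List[timedelta]) -> Optional[timedelta]:
        return sum(xs, timedelta()) / len(xs) if xs else None

    return {
        "injects": len(results),
        "undetected": [r["inject"] for r in results if r["ttd"] is None],
        "detect_target_met": sum(r["detect_met"] for r in results),
        "contain_target_met": sum(r["contain_met"] for r in results),
        "mean_ttd": mean(ttds),
        "mean_ttc": mean(ttcs),
    }


def findings(results: List[dict], targets: Dict[str, timedelta] = TARGETS) -> List[str]:
    """Plain-language gap statements, one per missed target, for the plan update."""
    out = []
    for r in results:
        if r["ttd"] is None:
            out.append(f"{r['inject']}: never detected")
        elif not r["detect_met"]:
            out.append(f"{r['inject']}: detected after {r['ttd']} (target {targets['detect']})")
        if r["ttd"] is not None and r["ttc"] is None:
            out.append(f"{r['inject']}: detected but never contained")
        elif r["ttc"] is not None and not r["contain_met"]:
            out.append(f"{r['inject']}: contained after {r['ttc']} (target {targets['contain']})")
    return out


if __name__ == "__main__":
    res = score(SAMPLE_INJECTS)
    for line in findings(res):
        print(line)
    print(summarize(res))
```

Injects that were never detected are deliberately excluded from the mean rather than assigned a large placeholder value: an undetected action is a coverage finding in its own right, and folding it into an average hides it. Carry the same inject list forward to the next exercise so that the metrics are comparable year over year.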