Current through February 27, 2024
A cybersecurity incident response plan must include:
1. Measures that preemptively build,
reinforce and improve the capability to prevent, protect against, detect,
respond to and recover from an incident, including, without limitation:
(a) A statement of purpose and a statement of
objectives that summarize the scope of the cybersecurity incident response plan
and associated policies and procedures;
(b) A list of common cybersecurity terms and
associated definitions;
(c) Written
metrics for measuring:
(1) The impacts of an
incident on the political subdivision; and
(2) The capability and effectiveness of the
political subdivision to engage in an incident response;
(d) A list of management and leadership
personnel who will support an incident response;
(e) A list of internal and external contacts
and associated contact information to support an incident response;
(f) A written plan for all personnel,
including, without limitation, employees and contractors, regarding reporting
computer anomalies and incidents to the proper personnel;
(g) A written plan for all personnel who will
be involved in an incident response, including, without limitation, employees
and contractors, that outlines the roles, responsibilities, job titles and
contact information of such personnel;
(h) Procedures for sharing information, both
internally and externally, to ensure appropriate communication and minimize
information disclosure to unauthorized parties;
(i) Procedures to contact law enforcement or
a regulatory body, as applicable, in a manner consistent with legal
requirements; and
(j) Procedures to
contact and inform any external entity that may be impacted by an incident due
to a networked connection between the political subdivision and the entity
affected by such an incident.
2. Documented methodology, procedures and
tools to detect, identify, classify and communicate current or potential
cybersecurity threats to information systems, including, without limitation:
(a) Defined phases of handling an
incident;
(b) A written method of
documenting the attack vector used in an incident;
(c) A written method of documenting the
indicators that triggered an incident or incident report;
(d) Procedures for analyzing and documenting
the scope and impact of an incident;
(e) Procedures to prioritize and handle
concurrent incidents in one or more physical locations; and
(f) Procedures outlining which persons will
be notified of an incident and the phase during the handling of an incident
that such persons will be notified.
3. Procedures to prevent the damage to and
spread of damage to information systems from a threat, including, without
limitation:
(a) Recurring cybersecurity
training programs for all personnel, including, without limitation, employees
and contractors, who use the information systems of a political
subdivision;
(b) Written standards
for the time required for administrators of information systems and other
personnel to report anomalous events to the proper personnel, the mechanisms
for such reporting and the information that should be included in such a
report; and
(c) Procedures for
isolating information systems and gathering and storing
evidence.
4. Processes
and procedures to eradicate the threat from a compromised information
system.
5. Processes and procedures
to restore information systems impacted by an incident back to a state of
production, including, without limitation, verification of data and the
integrity of information systems.
6. Procedures to document information learned
from an incident, including, without limitation, procedures to document:
(a) Areas of incident response successes and
failures; and
(b) Recommendations
on the prevention of future incidents.
7. A statement of commitment by management to
an incident response.
Added to NAC by Office of
Cyber Defense Coord. by R088-19, eff. 12/29/2020
NRS
480.935,
480.950
