Does your incident response process allow responders to manually select and execute containment actions during security incidents?
Explanation
Effective incident response requires the ability for responders to make real-time decisions about how to contain threats based on the specific nature of each incident.
Manual containment options might include isolating affected systems from the network, suspending compromised accounts, blocking specific IP addresses, or shutting down vulnerable services.
These capabilities are essential because automated responses are not appropriate for every scenario and, if not carefully managed, can cause business disruption.
Evidence could include incident response playbooks that outline available containment options, screenshots of security tools that provide manual containment capabilities, documentation of access controls showing that incident responders have appropriate permissions to execute containment actions, or post-incident reports demonstrating where manual containment was performed.
Implementation Example
Allow incident responders to manually select and perform containment actions
ID: RS.MI-01.340
Context
- Function: RS: RESPOND
- Category: RS.MI: Incident Mitigation
- Sub-Category: Incidents are contained
Related questions
- Do your cybersecurity technologies and security features in other systems automatically perform containment actions when threats are detected?
- Does your organization have formal agreements with third parties (e.g., ISPs, MSSPs) authorizing them to perform containment actions during security incidents?
- Does your organization automatically transfer compromised endpoints to a remediation VLAN for isolation and remediation?
- Does your organization implement automated eradication capabilities within cybersecurity technologies and security features of other technologies?
- Does your incident response system allow authorized responders to manually select and execute eradication actions during security incidents?
- Does your organization have formal agreements in place with third-party security providers to perform incident eradication actions on your behalf?