# IR-03 Incident Response Testing

## Introduction
This document describes how Private Mendix Platform fulfills the IR-03 control.
| Control ID | IR-03 |
|---|---|
| Control category | IR - Incident Response |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Mendix - Operator, Customer - Infra |
## Control
The organization tests the incident response capability for the information system at an organization-defined frequency using organization-defined tests to determine the incident response effectiveness and documents the results.
## Supplemental Guidance
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (for example, reduction in mission capabilities), organizational assets, and individuals due to incident response.
The following controls are related to this control:
- CP-4
- IR-8
For more information, refer to NIST Special Publications 800-84 and 800-115.

## Responsibility

### Customer Responsibility
The customer is responsible for planning, executing, evaluating, and documenting incident response testing to ensure effectiveness and continuous improvement.
## Guidance

### Customer Responsibility
Mendix is willing to collaborate on incident response tests in alignment with our support organization. Please contact Mendix Support to coordinate an incident response test.
Certain incident response tests, such as penetration tests against Mendix public capabilities, require additional signed documentation as per the Mendix Terms of Service and other agreements. It is the customer's responsibility to review these documents and comply with their requirements before executing the covered incident response testing.