Current through November 8, 2024
Section 480.200 - Cybersecurity incident response plan: Contents and requirements

A cybersecurity incident response plan must include:

1. Measures that preemptively build, reinforce and improve the capability to prevent, protect against, detect, respond to and recover from an incident, including, without limitation:
   (a) A statement of purpose and a statement of objectives that summarize the scope of the cybersecurity incident response plan and associated policies and procedures;
   (b) A list of common cybersecurity terms and associated definitions;
   (c) Written metrics for measuring:
       (1) The impacts of an incident on the political subdivision; and
       (2) The capability and effectiveness of the political subdivision to engage in an incident response;
   (d) A list of management and leadership personnel who will support an incident response;
   (e) A list of internal and external contacts and associated contact information to support an incident response;
   (f) A written plan for all personnel, including, without limitation, employees and contractors, regarding reporting computer anomalies and incidents to the proper personnel;
   (g) A written plan for all personnel who will be involved in an incident response, including, without limitation, employees and contractors, that outlines the roles, responsibilities, job titles and contact information of such personnel;
   (h) Procedures for sharing information, both internally and externally, to ensure appropriate communication and minimize information disclosure to unauthorized parties;
   (i) Procedures to contact law enforcement or a regulatory body, as applicable, in a manner consistent with legal requirements; and
   (j) Procedures to contact and inform any external entity that may be impacted by an incident due to a networked connection between the political subdivision and the entity affected by such an incident.

2. Documented methodology, procedures and tools to detect, identify, classify and communicate current or potential cybersecurity threats to information systems, including, without limitation:
   (a) Defined phases of handling an incident;
   (b) A written method of documenting the attack vector used in an incident;
   (c) A written method of documenting the indicators that triggered an incident or incident report;
   (d) Procedures for analyzing and documenting the scope and impact of an incident;
   (e) Procedures to prioritize and handle concurrent incidents in one or more physical locations; and
   (f) Procedures outlining which persons will be notified of an incident and the phase during the handling of an incident that such persons will be notified.

3. Procedures to prevent the damage to and spread of damage to information systems from a threat, including, without limitation:
   (a) Recurring cybersecurity training programs for all personnel, including, without limitation, employees and contractors, who use the information systems of a political subdivision;
   (b) Written standards for the time required for administrators of information systems and other personnel to report anomalous events to the proper personnel, the mechanisms for such reporting and the information that should be included in such a report; and
   (c) Procedures for isolating information systems and gathering and storing evidence.

4. Processes and procedures to eradicate the threat from a compromised information system.

5. Processes and procedures to restore information systems impacted by an incident back to a state of production, including, without limitation, verification of data and the integrity of information systems.

6. Procedures to document information learned from an incident, including, without limitation, procedures to document:
   (a) Areas of incident response successes and failures; and
   (b) Recommendations on the prevention of future incidents.

7. A statement of commitment by management to an incident response.

Nev. Admin. Code § 480.200
Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12/29/2020