This Control applies to the university Chief Information Security Officer.

The Incident Response Plan shall be tested, at least annually, with tabletop exercises or other means to review and refine incident response procedures.

Annual testing shall identify lessons learned for continuous improvement of incident response procedures.