NIST Respond, Recover – video explainer

Thursday 27th May 2021

The NIST Cyber Security Framework (CSF) has 5 primary functions; Identify, Protect, Detect, Respond and Recover.

Many organisations rely upon log checking and post event review instead of elements detailed in the detect function. Even without such a vital ‘cog’ it is still possible to develop and maintain your respond and recover functions.

Response planning involves having strong linkage with the output of the detect function. There will be a process and roles and responsibilities. Escalation paths and a playbook should be crafted ahead of time and rehearsed.

Involving the persons responsible during these table-top exercises is essential. Beware of deputisation and apathy during the drills as they can cause chaos during a live event.

  • Communicationsare critical and require executive involvement. A full communications strategy should be developed and socialised within your organisation.
  • Analysisor investigation is a workstream that carefully must uncover the facts as soon as possible without necessarily destroying evidence. The nature and scope of a potential breach needs to be identified and this will allow organisational leadership to predict the impact.
  • Containment is a workstream closely aligned with the analysis workstream. Once again, containment should not interfere with the analysis.

Testing of your organisation’s response plan it essential. There should also be several defined scenarios which your preparation has identified as the most likely to occur (Ransomware, DDoS, Data leak etc.)  

The testing is typically conducted as a ‘tabletop exercise’ where a scenario is developed and walked through methodically. The enactment of a breach involves the operational team leads and can include the executives should it becomes an incident.

Roles and responsibilities should have been established and agreed as part of the preparation of the tabletop exercises.

Your scenarios should evolve from inception to escalation and on to resolution.

According to NIST CSF the recover function involves the need to “develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.”

The recover function should support a timely recovery and service restoration of your systems and services. Failure to do so could increase the impact to your organisation and further compound any reputational damage.

Recover includes the following categories:

  • Recovery Planning: Recovery procedures are tested, executed, and maintained so that your program can mitigate the effects of an event sooner rather than later
  • Improvement: Recovery planning and processes are improved when events happen and areas for improvement are identified and solutions put together
  • Communication: Coordinate internally and externally for greater organization, thorough planning and execution

The recover function is vital to coordinate your organisation but also to give your customers and stakeholders a level of reassurance.

Precise and swift recovery handling combined with tactful, considered communications can allow you to exit the breach in a much stronger position internally and externally than you would otherwise.

To learn more and speak to our expert team, please complete the below and we’ll be in touch:

  • Throughout our business dealings with IP Performance, their expertise, professionalism and “can do” attitude continue to ensure we have the systems we need, when we need them.

    Matt Williams - IT Business Delivery Manager,
    UK Bus, FirstGroup PLC