NIST Respond, Recover – video explainer
The NIST Cyber Security Framework (CSF) has 5 primary functions; Identify, Protect, Detect, Respond and Recover.
Many organisations rely upon log checking and post event review instead of elements detailed in the detect function. Even without such a vital ‘cog’ it is still possible to develop and maintain your respond and recover functions.
Response planning involves having strong linkage with the output of the detect function. There will be a process and roles and responsibilities. Escalation paths and a playbook should be crafted ahead of time and rehearsed.
Involving the persons responsible during these table-top exercises is essential. Beware of deputisation and apathy during the drills as they can cause chaos during a live event.
- Communicationsare critical and require executive involvement. A full communications strategy should be developed and socialised within your organisation.
- Analysisor investigation is a workstream that carefully must uncover the facts as soon as possible without necessarily destroying evidence. The nature and scope of a potential breach needs to be identified and this will allow organisational leadership to predict the impact.
- Containment is a workstream closely aligned with the analysis workstream. Once again, containment should not interfere with the analysis.
Testing of your organisation’s response plan it essential. There should also be several defined scenarios which your preparation has identified as the most likely to occur (Ransomware, DDoS, Data leak etc.)
The testing is typically conducted as a ‘tabletop exercise’ where a scenario is developed and walked through methodically. The enactment of a breach involves the operational team leads and can include the executives should it becomes an incident.
Roles and responsibilities should have been established and agreed as part of the preparation of the tabletop exercises.
Your scenarios should evolve from inception to escalation and on to resolution.
According to NIST CSF the recover function involves the need to “develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.”
The recover function should support a timely recovery and service restoration of your systems and services. Failure to do so could increase the impact to your organisation and further compound any reputational damage.
Recover includes the following categories:
- Recovery Planning: Recovery procedures are tested, executed, and maintained so that your program can mitigate the effects of an event sooner rather than later
- Improvement: Recovery planning and processes are improved when events happen and areas for improvement are identified and solutions put together
- Communication: Coordinate internally and externally for greater organization, thorough planning and execution
The recover function is vital to coordinate your organisation but also to give your customers and stakeholders a level of reassurance.
Precise and swift recovery handling combined with tactful, considered communications can allow you to exit the breach in a much stronger position internally and externally than you would otherwise.
To learn more and speak to our expert team, please complete the below and we’ll be in touch:
-
‘We are really happy with the Juniper Mist solution provided by IP Performance and in fact when you look at the number of daily connections I would say it’s exceeded our expectations, for example in our Coatbridge campus the feedback from all staff and students for a number of years has been really negative regarding the Wifi but right now we currently have 600 users connected. The ability to look at the monitor and see what the trends are in terms of time-to-connect and successful connections also gives us the ability to see a problem before it impacts on a number of users. Therefore this reduces the amount of Wifi issues that are submitted to our helpdesk, so this again shows that the solution works.’
Joe Livingstone ICT Manager (Network),
New College Lanarkshire
