In last week’s email, we talked about the third NIST Cybersecurity Framework Function, Detect. This week we will be discussing the fourth Function, Respond.
As with Protect, the general idea of Respond seems clear-cut: an incident is detected, and you act on it. According to NIST, the Respond Function covers the development and implementation of appropriate activities to take action regarding a detected cybersecurity incident, and it supports the ability to contain the impact of a potential cybersecurity incident.
Here are the Respond Categories as NIST defines them:
Response Planning (RS.RP): Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity incidents.
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, including external support from law enforcement agencies.
Analysis (RS.AN): Analysis is conducted to ensure adequate response and to support recovery activities.
Mitigation (RS.MI): Activities are performed to prevent the expansion of an event, mitigate its effects, and resolve the incident.
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection and response activities.
Here are some specific examples of outcomes from NIST:
- Ensuring Response Planning processes are executed during and after an incident
- Managing Communications during and after an event with internal stakeholders, law enforcement, and external stakeholders as appropriate
- Conducting Analysis to ensure effective response and to support recovery activities, including forensic analysis and determining the impact of incidents
- Performing Mitigation activities to prevent the expansion of an event and to resolve the incident
- Implementing Improvements by incorporating lessons learned from current and previous detection and response activities
Now this all sounds straightforward on paper, but in the heat of the moment of discovery, things can get confusing. Going through the steps outlined here and creating an Incident Response plan that spells out exactly what will happen, who will be notified (and who has the authority to take systems offline), what evidence will be preserved before anything is wiped or rebuilt, and in what order containment and remediation steps will occur can bring much-needed clarity and focus to what is sure to be a stressful situation. Working on this plan before anything happens will help you respond quickly and effectively should the worst occur.
Next week’s bulletin will discuss Function 5, RECOVER.
If you don’t already know what your Incident Response Plan looks like, find out. If you have a plan and it was last reviewed more than one year ago, review it now, and walk through it with the people named in it so that the contact details, roles, and escalation paths are still current.
If you would like some help navigating the NIST CSF journey, CSI offers a service that walks you through the process and provides tools for documentation. If you and your Director of IT would like to hear more about this or schedule a time for a more in-depth discussion on NIST CSF with one of CSI’s knowledgeable engineers, please contact Lisa MacDougall at firstname.lastname@example.org or call 845.897.9480.