On April 3, NIST published practical incident response guidance aligned with its CSF 2.0 framework. The guidance outlines best practices in security incident preparation and response for organizations mapped across each of NIST’s Functions, Categories, and Subcategories. The guidance focuses on risk management strategies and tools, incident detection, incident response, and incident remediation and communication.
On April 3, NIST published finalized incident response guidance to align with the February 2024 updates to its CSF 2.0 framework. The guidance marries prior guidance with the CSF 2.0 Functions, Categories, and Subcategories to organize its recommendations, considerations, and other information regarding incident response.
NIST recommends that organizations involve a variety of internal and external parties in incident response, such as technology professionals, legal, incident handlers, media relations professionals, and human resources. If using a third-party service provider in incident response, NIST recommends clearly delineating responsibilities in a contract and communicating each team’s responsibilities clearly.
The guidance also recommends that organizations have incident response policies to which they can align their incident response processes and procedures. According to NIST, most incident response policies include the following elements:
- A statement of management commitment;
- The purpose and objectives of the policy;
- The scope of the policy (i.e., to whom and what it applies and under what circumstances);
- Definitions of events, cybersecurity incidents, investigations, and related terms;
- Roles, responsibilities, and authorities, such as which roles have the authority to confiscate, disconnect, or shut down technology assets;
- Guidelines for prioritizing incidents, estimating their severity, initiating recovery processes, maintaining or restoring operations, and other key actions; and
- Performance measures.
The guidance also contains detailed CSF Community Profiles for incident risk management and response. Each CSF 2.0 Function, Category, and Subcategory has its own row in one of the two tables and is given a corresponding priority level. The last column of these tables contains recommendations (something NIST believes an organization should do), considerations (something NIST believes an organization should consider doing), and notes (additional information). Organizations are encouraged to map the Community Profiles to their preferred language and documented policies and procedures.
Community Profile: Preparation and Lessons Learned
In preparing for a security incident, NIST recommends that organizations establish a cybersecurity risk management strategy that incorporates risk from across the organization (e.g., operational or reputational risk) and document a formal risk management policy. Specifically, NIST recommends that cybersecurity requirements include all requirements related to incident notifications, data breach reporting, and other aspects of incident response. NIST recommends that roles and responsibilities at the organization factor in incident response duties. NIST also recommends that organizations take lessons learned from any previous security incidents and incorporate them into the organization’s cybersecurity risk management framework.
NIST also recommends that organizations take time to identify and understand current cybersecurity risks. This can be done by tracking hardware, software, services, and systems used by the organization and monitoring, logging, and addressing any vulnerabilities therein. NIST also recommends that organizations maintain data inventories that include data classifications, owners, and logical and physical locations. The guidance says that risk management tools and processes should be leveraged as part of a cybersecurity incident management and response program and evaluated frequently to address deficiencies. NIST also recommends that organizations implement safeguards to manage the organization’s cybersecurity risks as part of security incident response preparation.
Community Profile: Incident Response
The guidance outlines steps that it recommends organizations take to identify and analyze security incidents, including continuous monitoring for unauthorized activity on systems and networks and analyzing any indicators of compromise that arise from such monitoring. Once an incident has been detected, NIST recommends triaging incidents based on risk and prioritizing the escalation or elevation of high-risk incidents. Organizations should, according to the guidance, investigate and document the events that occurred during an incident by performing a root cause analysis. While responding to incidents, NIST recommends that organizations coordinate with and notify internal and external stakeholders as required by law, regulation, or policy. Organizations should take steps to mitigate the effects of an incident (or, where possible, contain or even eradicate the incident) during the response process, according to the guidance. When recovering from the effects of an incident, organizations should make efforts to restore any affected systems during or after incident response processes, NIST says. NIST further recommends that these efforts be coordinated and shared with internal and external stakeholders, including the public where necessary.