The NIST Cybersecurity Framework Functions – Respond

Kyle Daun
Jun 8, 2018 10:00:00 AM


This is part 4 of our ongoing blog series on the NIST Cybersecurity Framework. To view our previous posts in this series, please see the links below:

NIST Cybersecurity Framework - Overview and Identify

NIST Cybersecurity Framework - Protect

NIST Cybersecurity Framework - Detect

After the countless hours and days put into identifying assets within the organization, researching and implementing ways to protect those assets, and even going the extra mile by implementing detection mechanisms to alert us in the event of an incident, the stressful day has arrived and the fourth function, Respond, has to be initiated. The NIST Cybersecurity Framework defines the Respond function as: "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event." The Respond function is further broken down into five categories (outlined below), which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity Framework, 15 are addressed within the Respond function.

  • Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
  • Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  • Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
  • Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  • Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Being able to respond efficiently and effectively to all cybersecurity events is important to all organizations, regardless of the information they are trying to protect. Having a well-thought-out Incident Response Plan (IRP), Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) will assist greatly in analyzing and mitigating the incident.

Some key components that should be identified in all the plans are:

  • IRP Team Members – IRP team members are critical in the response to an incident. This component outlines, in the Incident Response Plan, who is responsible for what and when they are responsible for it. This ensures that everyone is on the same page and precious time is not wasted trying to figure out who will do what, when they will do it, and how they will do it.
  • Return Time Objectives (RTOs) - RTOs are target times that you set for the recovery of your IT and business activities after an incident has occurred. The goal is to calculate how quickly you need to recover, which can then dictate the type of preparations you need to implement and the overall budget you should assign to your business continuity. For example, if your RTO is four hours, then a higher budget and additional preparation will be needed to ensure that systems can be recovered within the RTO timeframe. If the RTO is two weeks, then you can probably budget less and invest in less advanced solutions.
  • Recovery Point Objectives (RPOs) - RPOs are focused on data and your business/organization’s loss tolerance in relation to your data. RPOs are determined by looking at the time between data backups and the amount of data that could be lost in between backups. The major difference between RTOs and RPOs is their purpose. The RTO is usually large scale and looks at the entire business/organization and the systems involved. The RPO focuses just on data and your business/organization’s overall resilience to the loss of it.

If this blog piqued your interest and you can’t wait until the next installment, feel free to download a copy of the framework at the official website https://www.nist.gov/framework. In addition, you can watch a recording of our webinar from just last month on the recent updates to the NIST Cybersecurity Framework that were released in April of 2018.
