NIST CSF – Part 5 – Recover

In this final post on the National Institute of Standards and Technology Cyber Security Framework (NIST CSF), we will look at the final section, “Recover”.

In our earlier blog posts, we learned how to identify our assets, and then we did our best to protect them. Then since nothing is 100% secure, we detected the bad thing happening. We need to respond to the detection.

Recover is defined by NIST as the need to “develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event. The Recover function support s timely return to normal operations to reduce the impact from a cybersecurity event. Examples of outcomes for this function include: Recovery Planning, Improvements, and Communications.”

What does it mean to recover? Here are 3 areas to focus on:

1. Recovery Planning: Recovery procedures are tested, executed, and maintained so that your program can mitigate the effects of an event sooner rather than later.
2. Improvement: Recovery planning and processes are improved when events happen and areas for improvement are identified and solutions are put together after a thorough debriefing of the event and lessons learned.
3. Communication: Coordinate internally and externally for greater organization, thorough planning, and execution.  Have all resources that will be needed been identified for the future?  Is there a clear process for who will pull in resources and how to communicate with them, especially if the incident occurs outside of regular business hours?

 Questions to ask internally:

• Has my organization performed a tabletop exercise (TTE) that includes executive decision-making and communications to all stakeholders?
• Who are the stakeholders? Could be customers, business partners, employees, or shareholders.
• Do we know who the stakeholders are and how to contact them?
• Have we done an exercise to produce a basic notification press release and had legal review it?

The recover function is important not only to your organization in recovering from an attack, but also in the eyes of your customers or market. Swift and appropriate recovery can even improve your cybersecurity posture from the lessons learned. Prioritizing the focus areas within recover will ensure that your organization has a recovery plan that is up-to-date and aligns with your organization’s goals and objectives.

Yes, recover could mean just bringing operations back online, but also as the NIST Framework highlights, reputation recovery is also critical.