Takeout from the NIST recommendations
Posted on 27 October, 2019 by Administrator
In SP 800-184, NIST published a guide whose primary goal is to establish procedures for managing a corporate data breach. It breaks incident management into five stages (identify, protect, detect, respond and recover) and separates each of its controls into categories to make implementation, mitigation, and recovery easier to carry out. The guide also provides two very detailed corporate data breach scenarios that illustrate each of the points NIST SP 800-184 lists. For the sake of this quick summary those examples have been omitted, but we urge you to read the full document to familiarize yourself with the best industry standards. Finally, to make the categories and their detailed controls easier to read, they have been summarized here both in more detail, as a numbered list, and more generally; the general summary for each category is given next to the header it summarizes.
1. Determines what happened and when, who is involved, and which recovery steps are to be taken.
2. Corporate assets, responsible parties, and shareholders involved are defined.
3. Corporate, shareholder, legal and cyber interests are defined.
4. Legal, corporate and cyber risk regulations are defined.
5. Define the corporate cyber risk profile and risk tolerance.
6. Define the nature of and the severity of the breach.
7. Determine the motivation behind the breach as well as the number of assets affected.
8. Steps to be taken to remediate the breach are determined.
9. Debrief the necessary employees involved in the data breach as well as the recovery process. This includes any law enforcement that will be involved.
10. Inform necessary individuals.
11. The goal of this category is to stop the bleeding: determine and implement remediation solutions.
12. Implement recovery measures.
13. Conduct a baseline assessment of corporate hardware.
14. Backup data.
15. Implement recovery and response plans.
16. Minimize system downtime.
17. Document recovery measures taken.
18. Coordinate with necessary individuals.
19. Document any issues that inhibit a full recovery.
20. Harden corporate network security.
21. Ensures no further malicious activity is present.
22. Conduct a baseline for all network activity.
23. Determine the persistence of any malware or intruder activity within the network.
24. Continue monitoring networks for malicious activity.
25. Determine the scope of the breach as well as the extent of corporate systems affected.
26. Document changes and ensure all parties receive up to date information.
27. Measures for the restoration of the network are deployed.
28. Ensure all relevant employees, shareholders and law enforcement personnel have the same understanding regarding the steps taken and actions that will be implemented.
29. Ensure all parties involved are aware of actions that need to be implemented.
30. Document lessons learned as well as steps that will be implemented to prevent breaches in the future.
31. Implement recovery solutions, and make sure all corporate strategies, goals, and infrastructure are up to date and have been configured to prevent the same breach from occurring.
32. Implement recovery plans and ensure that all procedures are being implemented as documented.
33. Incorporate lessons learned into the recovery process to improve the security infrastructure.
34. Update corporate security strategies and goals.
Do not overlook this opportunity to get significant help in case of a data breach event: familiarize yourself with the document, otherwise, as it states:
"Without these root cause determination objectives being met during the investigation, the recovery procedure has a high chance of being ineffective or inefficient and the organization will incur an additional cost."
“Guide for Cybersecurity Event Recovery - NIST.” [Online].