Like the other Functions described in the CSF, the Recover Function is not an exhaustive list of “to dos.” Recovering from an incident can be a long, tedious process that may involve assistance from outside vendors that specialize in data backup and recovery, IT and security operations, forensics, and more. With this in mind, recovering from a cyber incident in a timely fashion demands careful advance planning to understand:
- What systems and data the company has
- How to identify which systems have been affected
- Who is responsible for day-to-day management of systems/data
- How communication will be handled during and after an incident
- What outside resources will be necessary following an incident
And much more. The ability to recover from a cyber incident relies on having an already-established, up-to-date incident response plan that has been tested for various scenarios. During and after an incident is not the time to pull together network diagrams, lists of critical assets, where log files and disk images have been stored, or who holds the public encryption keys. If the organization has not regularly backed up critical data, data cannot be restored, and that will impact the company’s ability to recover. If the company isn’t certain of all assets used for normal daily operations, it can’t expect to bring them all back online.
It is important to note that recovery planning relies heavily on work completed during the protection planning phase, which answers questions such as: What thresholds are in place? What are our resilience requirements? How and what do we prioritize? These questions and more—determined thoughtfully when an incident isn’t midstream—set the foundation for an effective recovery.
Further, the communications aspect of a recovery is just as important as technological requirements. Many times, a company’s brand and reputation are on the line after a breach has been disclosed. Organizations need a tested process led by experienced personnel to handle both internal and external breach communications. A misspoken statement read to the press, stakeholders, or regulators could result in additional and unnecessary trouble during an already high-stress, high-stakes period.
The wrap-up
While the “Recover” Function of the NIST CSF is just as important as every other stage of cybersecurity preparedness and incident response handling, everything accomplished in this phase depends on organizations anticipating a cyber attack. To do so (and before an incident occurs), they must maintain a thorough, always-current plan that details everything from team selection, to the IT systems in use, to data, to communications policies. It’s only with a relevant, reliable plan that recovery strategies can be executed well and the impacted organization(s) can resume regular business operations as quickly as possible.