NIST CSF, CIS Controls, and Incident Response

Click here to listen to this article via the BreachRx Blogcast

Having a well-defined incident response plan is essential for any organization, regardless of its size or industry. By planning ahead and preparing for potential security breaches or incidents, you can minimize the impact of a cyber attack and ensure that your organization is able to quickly and effectively respond to any incident.

One way to ensure that your incident response plan is comprehensive and effective is to align it with industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Controls. The NIST CSF and CIS Controls both provide voluntary guidelines and best practices for managing and protecting an organization’s cybersecurity. 

Both these standards are well-suited for effectively developing a best-in-class incident reporting and response plan, yet each takes a different approach to incident response that’s worth considering.

What is the NIST Cybersecurity Framework (CSF)?

The NIST CSF is a framework that provides a set of guidelines and best practices for managing and protecting an organization’s cybersecurity. It is designed to help organizations understand their current cybersecurity posture, identify areas for improvement, and implement measures to reduce the risk of cyber attacks.

The NIST CSF is organized into five core functions: Identify, Protect, Detect, Respond, and Recover. Each of these functions represents a specific set of activities that organizations should take to effectively manage their cybersecurity.

For example, the Identify function helps organizations understand their assets, vulnerabilities, and the threats they face. The Protect function focuses on implementing controls and measures to prevent or mitigate potential cyber attacks. The Detect function helps organizations monitor their networks and systems for signs of an attack, while the Respond function outlines the steps organizations should take to respond to an incident. Finally, the Recover function helps organizations restore normal operations after an incident has occurred.

The NIST Cybersecurity Framework’s incident response requirements lay the foundation for an effective program: ensuring response plans are in place, contain the correct foundational elements, are tested, include the appropriate team members and communications with key stakeholders, and are maintained sufficiently over time.

What are the CIS Controls?

The CIS Controls are a set of recommended practices for securing an organization’s information systems. Formerly the SANS Critical Security Controls (more commonly known as the SANS Top 20), the CIS Controls are designed to help organizations prioritize their cybersecurity efforts and focus on the most critical controls first.

Currently at version 8, the CIS Controls contain 18 control categories covering a wide gamut of areas for cybersecurity teams to construct and improve their program. Each control includes an overview of its purpose and utility, an explanation of its criticality for defending against attacks and how attackers exploit their absence, a description of the procedures and tools needed for implementation and automation, and a table of specific actions organizations can take to implement the control.

The CIS Controls contain the critical elements for a successful incident response program: having response plans in place that include the necessary foundational elements, testing and updating them regularly, including the appropriate team members, and maintaining effective communication with both internally and externally.

While we recommend both frameworks as starting points, we like the CIS Controls for companies just starting out or that have a small staff in particular given its clear, concise breakdown of safeguards and being kept current by the Center for Internet Security.

Internal versus External Frameworks

Voluntary internal frameworks like the NIST CSF and CIS Controls are designed to be used by organizations to manage and protect their own cybersecurity. These frameworks provide guidelines and best practices for implementing controls and measures to reduce the risk of cyber attacks and effectively respond to incidents.

In contrast, externally audited frameworks like SOC 2 and ISO 27001 are designed to be evaluated by external auditors or certification bodies. Those frameworks are used to assess the effectiveness of an organization’s controls and measures, and organizations that meet the requirements of these frameworks may be awarded a certification or designation. For example, an organization that meets the requirements of the ISO 27001 standard may be awarded an ISO 27001 certification, which demonstrates that they have implemented a set of internationally recognized controls to protect their information assets. 

Bottom line, should you use internal or external frameworks? We recommend both: aligning your program to NIST CSF or CIS Controls will make it easier to meet the requirements of externally audited compliance frameworks like SOC 2 or ISO 27001, which can then be used to represent your security program to your customers and other external stakeholders. Additionally, implementing internal frameworks like NIST CSF is regarded as a best practice by more and more global cybersecurity regulators that are expecting something like it to be in place.

How can NIST CSF and CIS Controls inform your incident response planning?

By aligning your incident response plan with the NIST CSF and CIS Controls, you can ensure that you are taking a comprehensive and systematic approach to incident response. This can help you better understand your organization’s vulnerabilities and identify the most effective measures for protecting against and responding to potential incidents.

For example, you can use the NIST CSF to identify the specific steps you should take to respond to an incident, based on the stage of the incident (e.g., identification, containment, eradication, recovery). Similarly, you can use the CIS Controls to prioritize your incident response efforts and ensure that you are focusing on the most critical controls first.

One of the main differences between the NIST CSF and the CIS Controls is how the incident response requirements are organized. NIST spread the criteria for incident response across all five functions of their framework. For example, they placed a number of communications-related criteria in both their Respond and Recover functions. This is in contrast to CIS, which consolidated the incident response requirements to the Incident Response Management family. There are pros and cons to each approach, but especially given the overlap across the actual criteria, either framework will help teams build, execute, and maintain a best practice approach to incident reporting and response. 

Having a well-defined incident response plan is crucial for any organization. By aligning your plan with industry standards such as the NIST CSF and CIS Controls, you can ensure that you are accelerating your approach to incident response compliance, which can help you better protect your organization against potential incidents.

The incident notification and response requirements for these two frameworks can be generalized into four areas. Teams can proactively use these areas to develop a customized, efficient process for their incident response:

1. Identify incidents: First, identify the types of incidents that are most likely to occur. This might include cyber attacks, exposed data, or even lost devices. Teams also need to create a process for anyone inside and outside their organization to report them, as security won’t be the only place they originate.
2. Investigate the impact: Second, teams should analyze the potential impact of each incident. This includes evaluating the potential impact on business operations, finances, customers, and other relevant external parties. Assessing the relevance of regulations and directives around the world is now a key part of this step, with even small incidents requiring evaluating the more than 180 laws across 120 countries that may require action, including notification.
3. Create a tailored action plan: Next, organizations should develop a response plan specifically tailored to the incident and its potential impact, and customized to the organization’s industry and structure. This plan needs to contain specific tasks that need to be accomplished in the event of an incident, and when they need to be accomplished based on external deadlines. It should also include plans for communicating with law enforcement and collaborating with key internal stakeholders, like legal, communications, and relevant executives.
4. Exercise and update the plan: Once the plan is in place, it’s important to test and revise it regularly. Conduct fake incidents, run tabletop discussions, and even simulate real attacks to make sure that the incident response plan is effective and each team member knows their role in the process and what will be expected of them when an incident occurs.

A plan can’t be comprehensive without teams taking a proactive approach, gathering the requirements from the organization’s main stakeholders, such as its customers, partners, insurers, and regulators, and developing a set of action plans tailored for each type of incident the business is likely to encounter.

Technology plays a key role in this process, and more companies are relying on automation to handle these tasks to be more efficient and more rapidly fulfill their outside auditors’ higher standards. By aligning to and complying with the full requirements of the NIST CSF and/or CIS Controls, organizations can create a thorough plan for incident response that strengthens their readiness and resilience, helping more effectively deal with disruptive events of all kinds and minimize their impact.