The New Incident Response Framework


About the Author – Jeremy Smillie

Earlier this year, NIST announced significant updates to its Cybersecurity Framework (CSF) 2.0, including new recommendations and considerations for incident response. This marks a pivotal shift in how organizations are advised to prepare for and respond to security incidents. NIST has also introduced the SP 800-61 Revision 3 draft, which offers updated guidelines and best practices for incident response.

The key takeaways can be effectively captured in two simple visuals for those seeking a quick summary.

So Why The Change?

The old approach to incident response is no longer sufficient in today’s environment. Cyber incidents are happening more frequently, causing more significant damage, and taking longer to recover from due to their complexity and ever-changing nature. Incident response is a crucial part of overall cybersecurity risk management and needs to be integrated into every part of the organization. It’s essential to share lessons learned during an incident as they emerge rather than waiting until the recovery is complete. To stay ahead of modern threats, continuous improvement in all aspects of cybersecurity risk management is necessary.

The CSF 2.0 framework organizes cybersecurity into six key areas:
  • Govern (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
  • Identify (ID): The organization’s current cybersecurity risks are understood.
  • Protect (PR): Safeguards to manage the organization’s cybersecurity risks are used.
  • Detect (DE): Possible cybersecurity attacks and compromises are found and analyzed.
  • Respond (RS): Actions regarding a detected cybersecurity incident are taken.
  • Recover (RC): Assets and operations affected by a cybersecurity incident are restored.

In the updated framework, the top half (Govern, Identify, Protect) focuses on overall cybersecurity risk management, which supports incident response but is not part of the incident response life cycle. The bottom half (Detect, Respond, Recover) outlines the specific steps to take during an incident.

Continuous improvement is essential. Lessons learned from all activities should be regularly fed back into the improvement process. This ensures the organization is always learning, adapting to new threats, and updating its cybersecurity practices.

What Change Impacts Me and Why?

In the past, incident response was primarily handled by an organization’s internal incident response team. However, today’s complex and interconnected world requires a much broader approach. The success of incident response efforts now depends on the collaboration of a wide range of internal and external parties, each with specific roles and responsibilities. These participants can be spread globally, including incident handlers, leadership teams, technology professionals, legal experts, public affairs, human resources, physical security, and asset owners.

Key Roles in Incident Response:
  • Incident Handlers: These are the first responders who verify incidents, analyze data, prioritize response activities, and take action to limit damage and restore operations. Incident handlers can be internal staff, contractors, or external partners.
  • Leadership: The leadership team oversees the incident response process, allocates resources, and makes critical decisions during high-impact incidents, such as whether to shut down services.
  • Technology Professionals: Cybersecurity experts, system administrators, developers, and other tech professionals play vital roles in responding to and recovering from incidents.
  • Legal Experts: Legal teams ensure that incident response activities comply with laws and regulations, review contracts, and guide legal matters that arise during an incident.
  • Public Affairs: In certain situations, incidents may need to be communicated to the public. A well-prepared media strategy is crucial for managing public perception and maintaining trust.
  • Human Resources: HR may be involved in incidents related to employee actions, such as intentional security breaches or violations of cybersecurity policies.
  • Physical Security and Facilities Management: Some incidents involve physical security breaches, requiring coordination between incident response teams and facilities management.
  • Asset Owners: These individuals provide insights on the priorities for recovering affected assets and must stay informed about the response status.

Third-Party Involvement:

Many organizations now rely on third parties, such as Managed Security Service Providers (MSSPs) and Cloud Service Providers (CSPs), to assist with incident response activities. This shared responsibility model requires clear contracts that define each party’s roles and responsibilities, including what actions service providers can take on behalf of the organization. Since service providers often have privileged access to systems and data, addressing risks related to insider threats or provider compromises through agreements like non-disclosure agreements (NDAs) and specific contractual clauses is critical.

Overall, these changes highlight the need for a coordinated, multi-disciplinary approach to incident response involving a wide range of stakeholders inside and outside the organization. This collaborative effort is essential for managing and mitigating the complex threats organizations face today.

How do we know what everyone is accountable for?

Although the new incident response framework doesn’t explicitly address how to manage accountability, there are established frameworks that can help. One of the most popular is the RACI framework.

What is a RACI Framework?

The RACI framework is a simple yet powerful tool used to define and clarify organizational roles and responsibilities. RACI stands for:

  • Responsible (R): The person(s) who actually complete the task or activity. They are responsible for getting the work done.
  • Accountable (A): The person who is ultimately accountable for the task’s completion. They have the authority to make decisions and ensure that the task is completed satisfactorily. Only one person should be accountable for each task.
  • Consulted (C): The people who provide input or expertise. They are typically subject matter experts who are consulted before decisions or actions are taken.
  • Informed (I): The people who need to be kept informed of the progress or outcomes of the task. They are not directly involved but are kept in the loop.

How to Create and Fill Out a RACI Framework for Your Organization:
  1. Identify the Key Activities or Tasks:
    • Start by listing all the key activities, tasks, or decisions that need to be made within your incident response process.
  2. Determine the Roles:
    • Identify the roles involved in these tasks. These could include incident handlers, leadership, technology professionals, legal experts, and others as relevant to your organization.
  3. Assign RACI Responsibilities:
    • For each task, assign who is Responsible, who is Accountable, who needs to be Consulted, and who needs to be Informed. Ensure that each task has one person Accountable and that the Responsible parties know who they are working with.
  4. Communicate and Review:
    • Once the RACI chart is filled out, communicate it across the organization. Make sure everyone understands their roles and responsibilities. Regularly review and update the chart as processes evolve or as team members change.
  5. Integrate into Your Incident Response Plan:
    • Embed the RACI framework into your incident response plan so that it’s clear who is responsible for what during an incident. This ensures accountability and streamlines communication and decision-making during critical times.
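The steps above describe building a RACI chart and checking that each task has exactly one Accountable party. The following is an added example, not code from the article or from NIST, that encodes those checks in Python: it validates a constructed chart (task -> role -> letter) against the rules stated in this section (exactly one A per task, at least one R, only known roles and letters) and lists, per role, which tasks that role is working on. The role names are the ones the article lists; the task names and assignments are constructed for illustration.

```python
"""Validator for an incident response RACI chart.

Added example, not from the article or from NIST SP 800-61. It encodes the
rules stated in the article: every task has exactly one Accountable (A) party,
at least one Responsible (R) party, and only known roles and RACI letters.
"""
from collections import Counter, defaultdict

# Roles named in the article's "Key Roles in Incident Response" list.
ROLES = {
    "Incident Handlers", "Leadership", "Technology Professionals",
    "Legal Experts", "Public Affairs", "Human Resources",
    "Physical Security", "Asset Owners",
}
LETTERS = {"R", "A", "C", "I"}


def validate_raci(chart):
    """Return a list of problem strings; an empty list means the chart is well-formed.

    `chart` maps a task name to a dict of {role: letter}.
    """
    problems = []
    for task, assignments in chart.items():
        unknown_roles = set(assignments) - ROLES
        if unknown_roles:
            problems.append(f"{task}: unknown role(s) {sorted(unknown_roles)}")
        bad_letters = set(assignments.values()) - LETTERS
        if bad_letters:
            problems.append(f"{task}: invalid letter(s) {sorted(bad_letters)}")
        counts = Counter(assignments.values())
        # The article's rule: only one person should be Accountable for each task.
        if counts["A"] != 1:
            problems.append(f"{task}: needs exactly one Accountable, has {counts['A']}")
        # Someone must actually do the work.
        if counts["R"] == 0:
            problems.append(f"{task}: needs at least one Responsible")
    return problems


def tasks_by_role(chart):
    """Invert the chart so each role can see which tasks it is R/A/C/I on."""
    by_role = defaultdict(dict)
    for task, assignments in chart.items():
        for role, letter in assignments.items():
            by_role[role][task] = letter
    return dict(by_role)


# Constructed sample chart; task prefixes reference the CSF 2.0 functions that
# make up the incident life cycle (Detect, Respond, Recover).
SAMPLE_CHART = {
    "DE: Triage and verify alert": {
        "Incident Handlers": "R", "Technology Professionals": "C", "Leadership": "I",
    },  # deliberately missing an Accountable party
    "RS: Decide whether to shut down a service": {
        "Leadership": "A", "Incident Handlers": "R", "Asset Owners": "C",
        "Legal Experts": "C", "Public Affairs": "I",
    },
    "RC: Restore affected assets": {
        "Technology Professionals": "R", "Asset Owners": "A",
        "Incident Handlers": "C", "Leadership": "I",
    },
}


def fixed_chart():
    """Copy of SAMPLE_CHART with the missing Accountable party assigned (Leadership)."""
    fixed = {task: dict(assignments) for task, assignments in SAMPLE_CHART.items()}
    fixed["DE: Triage and verify alert"]["Leadership"] = "A"
    return fixed


if __name__ == "__main__":
    for problem in validate_raci(SAMPLE_CHART):
        print("PROBLEM:", problem)
    print("after fix:", validate_raci(fixed_chart()) or "no problems")
    for role, tasks in sorted(tasks_by_role(fixed_chart()).items()):
        print(f"{role}: {tasks}")
```

Run as a script, the validator flags the triage task for lacking an Accountable party, then reports a clean chart once Leadership is assigned A; the per-role view is what each role would be handed so it knows which tasks it owns, does, advises on, or is informed about.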

Using the RACI framework, your organization can clearly define and document who is accountable for each aspect of incident response, reducing confusion and enhancing the efficiency of your incident response efforts.

What do I need to do next?

The introduction of the new NIST Incident Response Framework marks a pivotal moment for organizations looking to strengthen their cybersecurity posture. With cyber threats becoming more sophisticated and pervasive, staying ahead of the curve and ensuring that your incident response strategies are up-to-date and fully integrated into your broader cybersecurity risk management practices is essential.

Now is the time to take action. Start by consulting your Security Officer or cybersecurity team to assess your current incident response capabilities against the new NIST guidelines. This is an opportunity to identify gaps, re-evaluate your processes, and implement the necessary improvements to ensure your organization is prepared to respond swiftly and effectively to any cyber incident.

If your organization lacks the internal expertise or resources to navigate these changes, consider engaging a third-party consultant specializing in incident response and cybersecurity frameworks. An experienced consultant can provide valuable insights, help you interpret the new standards, and guide you in implementing best practices tailored to your needs.

Moreover, this is not just about compliance—it’s about building resilience. The new NIST standards emphasize the importance of continuous improvement, learning from every incident, and adapting to the evolving threat landscape. By taking proactive steps, you can build a more robust, more secure environment that protects your organization and instills confidence in your stakeholders.

To get started, download the PDF of the updated NIST standard and begin reviewing the new recommendations. This document will serve as your roadmap for enhancing your incident response strategies and ensuring your organization is fully equipped to handle the challenges of today’s cybersecurity landscape.

Take the first step now—download the new NIST standard and start preparing your organization for a more secure future. Your next move could be the difference between a swift recovery and a prolonged, costly incident. Don’t wait until it’s too late—act now to safeguard your organization.
