D1 Response and Recovery Planning

Capabilities to minimise the impact of a cyber security incident on the delivery of essential services, including the restoration of those services where necessary.

Principle

There are well-defined and tested incident management processes in place that aim to ensure continuity of essential services in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place.

D1.a Response plan

You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential service and covers a range of incident scenarios.

Not Achieved (at least one of the following statements is true):

Your incident response plan is not documented.

Your incident response plan does not include your organisation’s identified essential service.

Your incident response plan is not well understood by relevant staff.

Partially Achieved (all of the following statements are true):

Your response plan covers your essential services.

Your response plan comprehensively covers scenarios that are focused on likely impacts of known and well-understood attacks only.

Your response plan is understood by all staff who are involved with your organisation’s response function.

Your response plan is documented and shared with all relevant stakeholders.

Achieved (all of the following statements are true):

Your incident response plan is based on a clear understanding of the security risks to the networks and information systems supporting your essential service.

Your incident response plan is comprehensive (i.e. covers the complete lifecycle of an incident, roles and responsibilities, and reporting) and covers likely impacts of both known attack patterns and of possible attacks, previously unseen.

Your incident response plan is documented and integrated with wider organisational business and supply chain response plans.

Your incident response plan is communicated and understood by the business areas involved with the supply or maintenance of your essential services.

D1.b Response and recovery capability

You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions.

Not Achieved (at least one of the following statements is true):

Inadequate arrangements have been made to make the right resources available to implement your response plan.

Your response team members are not equipped to take good response decisions and put them into effect.

Inadequate back-up mechanisms exist to allow the continued delivery of your essential service during an incident.

Achieved (all of the following statements are true):

You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available.

You understand the types of information that will likely be needed to inform response decisions, and arrangements are in place to make this information available.

Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out.

Back-up mechanisms are available that can be readily activated to allow continued delivery of your essential service (although possibly at a reduced level) if primary networks and information systems fail or are unavailable.

Where necessary, arrangements are in place to augment your organisation’s incident response capabilities with external support (e.g. specialist providers of cyber incident response capability).

D1.c Testing and exercising

Your organisation carries out exercises to test response plans, using past incidents that affected your organisation (and others), and scenarios that draw on threat intelligence and your risk assessment.

Not Achieved (at least one of the following statements is true):

Exercises test only a discrete part of the process (e.g. that backups are working), but do not consider all areas.

Incident response exercises are not routinely carried out, or are carried out in an ad-hoc way.

Outputs from exercises are not fed into the organisation’s lessons learned process.

Exercises do not test all parts of the response cycle.

Achieved (all of the following statements are true):

Exercise scenarios are based on incidents experienced by your and other organisations, or are composed using experience or threat intelligence.

Exercise scenarios are documented, regularly reviewed, and validated.

Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned.

Exercises test all parts of your response cycle relating to particular services or scenarios (e.g. restoration of normal service levels).

D2 Lessons Learned

Principle

When an incident occurs, steps are taken to understand its root causes and to ensure appropriate remediating action is taken to protect against future incidents.

D2.a Incident root cause analysis

Your organisation identifies the root causes of incidents you experience, wherever possible.

Not Achieved (at least one of the following statements is true):

You are not usually able to resolve incidents to a root cause.

You do not have a formal process for investigating causes.

Achieved (all of the following statements are true):

Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident.

Your root cause analysis is comprehensive, covering organisational process issues, as well as vulnerabilities in your networks, systems or software.

The incident data that is necessary to undertake incident root cause analysis is available to the analysis team.

D2.b Using incidents to drive improvements

Your organisation uses lessons learned from incidents to improve your security measures.

Not Achieved (at least one of the following statements is true):

Following incidents, lessons learned are not captured or are limited in scope.

Improvements arising from lessons learned following an incident are not implemented or not given sufficient organisational priority.

Achieved (all of the following statements are true):

You have a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon.

Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of networks and information systems.

You use lessons learned to improve security measures, including updating and retesting response plans when necessary.

Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly.


Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity and cloud services for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!