Integrating NIST CSF 2.0 Core Functions in Your Incident Response Plan

Date: 17 May 2024

Featured Image

Running a business in a digital environment without a plan for dealing with cyber attacks is plain myopic. Cyber Incident Response Plans and capabilities are what will come to your rescue when you’ve experienced a cybersecurity incident and there’s chaos all around. 

Interestingly, though, what most people tend to forget is that a Cybersecurity Incident Response Plan doesn’t only tell you what to do after you’ve been attacked. It also helps you cover your basis in the preparation stage. It lays down the standards for cybersecurity protocols and security controls that the organisation must have in place. This not only helps to prevent attacks and data breaches as far as possible, it also helps mitigate the impact of a security event. 

But how do you create a Cyber Security Incident Response Plan that helps you cover all the bases? You can use FREE resources created by cybersecurity experts such as our Cyber Incident Response Plan Template. You can customise this template with your organisational context and use global cybersecurity standards and guidelines such as those provided by the NIST Cybersecurity Framework 2.0 to really elevate your cyber resilience.

Topics covered in the blog: 

1. Updated NIST CSF 2.0 Guidelines on Incident Response 
2. How to Integrate NIST CSF 2.0 Functions into Your IR Plan

New call-to-action

What are the updated NIST CSF Guidelines for Incident Response Planning in 2024? 

The National Institute of Standards and Technology NIST Cybersecurity Framework is one of those seminal documents that has been guiding organisations across the globe about how to prepare and plan for a cybersecurity event. It has recently received a major update in the form of NIST Cybersecurity Framework 2.0. While many of the guiding principles remain the same as in the original version, there are indeed some changes and updates that must be taken cognizance of. 

In this article, we discuss these changes and how to build/edit your Cyber Incident Response Plan in tandem with these updated guidelines. It’s important to note here that the NIST CSF 2.0 is a recommendation and provides guidance on information security outcomes to be achieved. It doesn’t prescribe how to achieve those outcomes because how every organisation functions and what its critical assets, risks and threats are will always be different. 

The 6 core functions (the earlier version had 5) act as suggestions around which a NIST compliant Cyber Incident Response Plan should be built. Below, we discuss these in detail and what each of the functions means for your cyber response plan. 
 New call-to-action

NIST CSF 2.0 Functions & How to Integrate them in your Incident Response Plan 

#1. Govern: The new "Govern" function represents an essential addition in the NIST Cybersecurity Framework (CSF). It is aimed at strengthening the overall cybersecurity posture of the organisation. Firstly, the governance function emphasises the need for integrating cybersecurity in the high level Enterprise Risk Management Strategy. This makes it a critical starting point for any effective incident response planning endeavour. 

The ‘Govern’ function basically lays down a strong foundation for the organisation to build a cohesive cybersecurity strategy with clearly defined roles and responsibilities. It recommends risk assessments, policy establishment, policy communication and policy monitoring. It also emphasises on the need for assessing third-party security on a continuous basis. The new addition to the NIST CSF 2.0 is aimed at helping organisations build stronger overall defences and this makes it the first and foremost step in any sound cyber response plan.

#2. Identify: This function asks organisations to identify and understand their biggest risks. It also requires identification and prioritisation of assets such as hardware, software, IP, people etc. It enables you to ensure that your efforts and executive order align with what’s priority for the organisation - which are the crown jewels and what must be protected first in case of an attack. NIST CSF 2.0’s Identify Function also calls for identification of opportunities to continuously improve the cybersecurity plans, policies and procedures in synchrony with the ‘Govern’ function. 

Protect: This function is all about protecting the assets that have been identified and mitigating the impact of threats that may turn into real incidents. To achieve this outcome, NIST recommends security measures such as identity management, access control, authentication, and data security. 

Awareness and training is a key component of this function. Our NCSC Assured training in Cyber Incident Planning & Response perfectly caters to this need. It helps build awareness in staff about their roles and responsibilities in protecting critical assets. It shows them how to respond in case of a cybersecurity event and also helps build overall resilience of the organisation to cybersecurity incidents. 

What’s more? The training is the ideal way to understand how to create and/or refresh your cyber incident response plan so it actually holds water in an attack situation.  In addition to this, Cyber Crisis Tabletop Exercises prove to be a vital tool to achieve the outcomes specified by NIST. These exercises place your key staff members in simulated attack scenarios. They evaluate how the staff will respond to control damage and protect the crown jewels in case an incident occurs. It’s not just good decision-making practice but also a great way to strengthen familiarity with the cybersecurity incident response plan.

Back to Top

New call-to-action

#4. Detect: As the name suggests, this function recommends establishing clear processes to identify anomalies and events that indicate a compromise. Continuous monitoring and automated tools for event detection play a critical role here.

Your incident response plan must have a clear process for timely detection and alerts and notifications. It must be pre-defined who are the key personnel to be notified in case of a detected anomaly. This can play a significant role in mitigating damage before the anomaly or suspicious activity turns into a full-blown attack. As the NIST CSF 2.0 puts it, “This Function supports successful incident response and recovery activities.” 

Continuous monitoring and detection of cybersecurity threats also help achieve compliance with regulatory and compliance requirements.

#5. Respond: Perhaps the most critical function when it comes to bolstering your incident response plan, it is all about your ability to contain the effects of malicious activity in your system. Your cyber incident response plan must have clear, to-the-point and concise instructions on what responders are supposed to do when an incident is detected. This can make or break the impact an event has on your business.

Appendix A. CSF Core describes the ‘Respond’ Function and its subcategories in greater detail. Understanding and implementing these response activities can go a long way in ensuring your incident response plan does what it’s supposed to do: 

  • Incident Management: This calls for the incident response plan being put into action with relevant third-parties. It includes all the elements that make up a robust cyber incident response plan including triage, categorising the incident, prioritising it and escalating it as needed.  

  • Incident Analysis: Your incident response plan must have guidelines on how an incident has to be investigated to ensure effective response and recovery. All the actions performed during the investigation must be recorded and their integrity must be preserved. 

  • Incident Response Reporting and Communication: Your cyber response plan must have clear provisions for crisis communications. Internal and external stakeholders must be notified promptly as required by laws and regulations applicable to your industry/geography. 

  • Incident Mitigation: How to prevent an incident from snowballing? Your incident response plan should contain clear guidance on what technical, Incident Response and executive teams are expected to do once an anomaly has been detected. What actions must they take in the Golden Hour of an incident to contain it as much as possible.

Back to Top

New call-to-action

#6. Recover: The "Recover" function, of course, focuses on restoring the systems and services that were disrupted during the incident. By having a plan in place to restore operations back to normal, you can greatly reduce the financial and reputational damage that an incident will cost you.

Recovery activities must be included in your NIST CSF 2.0 compliant Cyber Response Plan. There must be provisions for verifying the integrity of backups and restored assets before confirming that they’re fit for operational use again. 

How to communicate about recovery activities must also be pr-defined. This includes how to make public announcements on recovery updates. Recording lessons learned is also an important aspect of the incident response process which this function covers.  

Sound and quick recovery can make a big difference to how your organisation is viewed after it’s been compromised. It can build stakeholder confidence and keep you on the right side of regulatory authorities. It is, therefore, essential to invest adequate attention to this function of NIST CSF 2.0 

Final Word

Essentially, your cyber incident response plan can be significantly strengthened by integrating the six functions of the NIST CSF 2.0: Identify, Protect, Detect, Respond, Recover, and Govern.

Incorporate these proactive steps to create a robust foundation for your cyber resilience posture - one that allows you to mitigate risks and prepare for effective incident management.

By leveraging the guidance of the 6 functions, you can create a comprehensive and dynamic approach to incident response and dramatically improve the outcomes you achieve with your incident response plan. 

New call-to-action

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422