NIST CSF Overview: Recover
This blog post is about Recover, one of five "pillars" of the NIST CSF. This blog post is one of a series of posts, one per pillar.
Here are links to the other posts in this series: Identify, Protect, Detect, Respond (and this post, Recover).
What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) published by the National Institute of Standards & Technology (NIST), and we use it as our guide when designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between.
The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete.
As we covered in the first post in this series (follow the "Identify" link above), the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid). In the second post in this series we saw that the Protect pillar assigns a control to each risk and defines evidence that validates each control. In the third post in this series, we learned that the Detect pillar defines the process and the personnel who collect evidence about how well (or how poorly) the controls are working. In the fourth post in this series, we covered what the Respond pillar is there for: to handle the immediate consequences of the incident.
Both the Respond pillar and the Recover pillar are unlike the other three: they are triggered by an incident, whereas the other three are part of normal operations. Respond and Recover also always happen in tandem, which is why we group them together as part of the Incident Response Plan (IRP).
The IRP formalizes incident handling, so that everyone knows their role in advance. The IRP covers both the Respond step (halting the problem and trying to restore normal operations) and the Recover step (undoing as much of the damage as possible and preventing a recurrence). The IRP gives us a Respond checklist, a Recover checklist, and a review process that looks backward at what happened (the Incident Report) and forward to improvements (the Recommendations). What is the difference between Recover and Respond? The time frame. Respond happens ASAP, immediately, the moment you know there is a problem. Recover happens once the problem is no longer ongoing: the password has been changed, the firmware has been upgraded, the vulnerable system has been taken offline, etc.
Recover is the step you take to undo the damage or restore the service. Recover is a bit more deliberate and thoughtful than Respond. You almost always still have time pressure, but rather less of it. The cybersecurity crisis is over, but if you need to keep your systems down for the recovery, then the operations crisis has just begun: how long can the downtime continue, in the name of preventing future problems and gathering evidence? The answer depends on your situation. Your ability to arrive at that answer often depends on how well thought out your IRP is.
Recover should always end with a review that considers how to be better in the future. This is a crucial step to making you safer than you were before. It is very common to just want to put all this behind you and get back to normal, but the review is worth doing.
This lower level of urgency does not make Recover any less important as a part of your cybersecurity program; rather, it is a nice illustration of the difference between the CISO's narrow authority and wide influence: the final review requires input from many people who do not work for the CISO, but whose input the CISO needs in order to do their job. Getting attention from other departments after a crisis requires a culture of commitment, not just compliance. Creating such a culture is not easy, but Pythia Cyber can help.