NIST CSF Overview: Recover


In order to foster trust in our work, Pythia Cyber uses the Cybersecurity Framework (CSF) put out by the National Institute of Standards & Technology (NIST) when designing and implementing Cybersecurity Programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal, rigorous programs for mature, mid-sized organizations, or anything in between.

The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. There will be one blog post for each "pillar" as NIST calls them. This blog post is about Recover.

Recover is the step you take after Respond; Respond is your immediate reaction to whatever Detect has detected; Detect is monitoring whatever you built in the Protect step; Protect is what you built once you finished the Identify step.

What is the difference between Recover and Respond? The time frame. Respond happens ASAP, immediately, the moment you know there is a problem. Recover happens once the problem is no longer on-going: the password has been changed, the firmware has been upgraded, the vulnerable system has been taken off-line, etc.

Recover is the step you take to undo the damage or restore the service. Recover is a bit more deliberate and thoughtful than Respond. You have time pressure, almost always, but there is rather less of it.

Recover, like Detect, is often nearly completely a System Administration task. The good news is that all the effort you put into planning for data recovery or new system deployment is just as useful after a flood as it is after an attack.

That doesn't make Recover any less important as a part of your cybersecurity program; rather, it is a nice illustration of the difference between the CISO's narrow authority (the Sys Admins work for IT) and wide influence (the CISO cannot do their job without the Sys Admins doing theirs).

This post describes pillar 5 of 5. Here are links to the other posts: [1 2 3 4 5]
