NIST Cybersecurity Framework – Respond and Recover

The NIST Cybersecurity Framework identifies five cybersecurity functions. Two of the functions are Respond and Recover.

Separating Recovery from Incident Response

Working with our clients, we see Recovery as separate from Incident Response. The National Institute for Standards and Technology (NIST) Cybersecurity Framework confirms that view: Respond and Recover are separate functions.

Recovery might involve a wide range of activities from restoring a data set or a system to pursuing legal action to recover damages. These activities are the province of specific organizational elements well beyond the scope of incident response. Recovering a data set or a system is likely the responsibility of an operational unit in the information systems organization. This unit recovers components impacted for many reasons, not just cyber incidents.

The Incident Response team might initiate the recovery process, but the incident is often closed before recovery is complete.

Earlier NIST Guidance

In SP 800-61 Rev 2 Computer Security Incident Handling Guide, 2012, NIST identified 4 phases for incident response. The third phase includes Contain, Eradicate, and Recover. Thus, treating Recover as an integral part of the response effort.

For a copy of the incident handling guide use the following link:

Incident Response Plan

Whether or not your organization includes Recovery as part of Incident Response the relationship between Respond and Recover needs to be defined in the Incident Response Plan.