NIST SP 800-171 Framework Series: Incident Response

Part 6 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171 rev.1

In today’s world, it is commonly accepted that at some point your organization will be targeted by a cyberattack. The more important point is that you are proactively planning how to respond when that time comes.

Do you have plans in place to successfully respond to all types of incidents? For example, does your team know what steps to take if your systems experience a Denial of Service (DoS) attack? How does this differ from the steps that are taken if a laptop is stolen or lost? Having a comprehensive Incident Response Plan (IRP) in place to quickly identify incidents and respond effectively is critical in order to limit the potential damage.

Incident Response is one of the 14 requirement families outlined in NIST SP 800-171, and this article covers Requirement 3.6 in more detail. The Basic Security Requirements from 3.6 include:

  • 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
  • 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Requirement 3.6.1 defines the key components for an Incident Response Plan that can be quickly put into operation in the event of a breach. Without a comprehensive plan that is properly disseminated, read, and understood by all parties involved, confusion and the lack of a unified response could create further downtime for the organization and unnecessary damage. What condition is your incident response plan in? Has one been defined and, if yes, has it been documented and shared across the organization? Does it include each of these identified components?

Once a potential compromise is detected, you will need to determine if the situation should be classified as an incident. In the NIST guidance, a cyber incident is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

If a situation is identified and classified as an incident, this is where your incident response plan kicks in, and the analysis phase begins. An investigation must be conducted so that the scope of the compromise can be understood. At a minimum, this must cover:

  • Identification of affected systems
  • Review of affected user accounts
  • Review of affected data
  • Other systems that might have been compromised

The Incident Response team and IT will work together to isolate the compromised system or systems in order to contain the incident. Depending on the situation, systems may need to be disconnected or segmented from the network. Shutting off systems or disconnecting them from the Internet can potentially destroy evidence; therefore, your incident response plan should include checklists that can easily be followed (e.g. what steps should be taken, in which order they need to be completed, etc.). Once the breach has been contained, the necessary data recovery efforts will begin.

Designate a central location for documenting all information that is discovered and actions taken. Details should include an overview of the incident, including the date, time, and location of the incident, the incident type (e.g. denial of service, phishing, etc.), intrusion method, overview of the affected data, persons involved, how the compromise was discovered, any and all actions taken, and the impact the breach has on daily activities. As the team conducts research into the event, screenshots and other data captured by various tools should be retained in the same central location. Consider identifying the document repository, staff members with access, and any other structural requirements for folders and/or documents in the IRP. Defining how the vast amounts of documentation are to be named and saved will assist with the review process down the road. (Isn’t it easier to decide if you want to open a document titled “Screenshot of computer with error message.JPG” than to have to open “Scan13.JPG”?)

Requirement 3.6.2 addresses the necessary reporting requirements. Who should be contacted immediately in the event of a breach? Do you have an incident response team? When should the executive and legal teams be brought in? Is Public Relations necessary? How will affected employees or customers be notified? Knowing who, when, and how to contact key personnel must be documented before an incident so that you are not scrambling for phone numbers during an already hectic time.

Ensure all contact information is up to date, and that you have an emergency and escalation call list in case something happens while critical personnel are out of the office. You may also want to proactively draft messages with well-thought-out bullet points or placeholders for information to make sure you include all necessary details in any notifications.

The Derived Security Requirement from the NIST SP 800-171 is:

  • 3.6.3 Test the organizational incident response capability.

The incident response plan should be reviewed and tested at least annually through mock data breaches, tabletop exercises, and incident response drills. Ensure all employees are properly trained on and aware of their individual roles and responsibilities in the event of a breach. By training and preparing your staff, they will be much less likely to make critical mistakes during a high-pressure event.

Following an incident, it is also important to analyze the response efforts to see which weaknesses can be improved upon in the future. Review the gap between when the system was initially compromised and when the breach was detected, as well as how it was identified; look for opportunities to reduce that time. Review the scope of the incident and what systems and data were affected. Are there other tools that can be utilized to ensure a similar attack will not recur? Discuss how the team was able to contain the breach and what changes were made to systems during the recovery process. Through this exercise, you will identify potential areas for improvement and outline which parts of the response plan worked and which didn’t.

The period immediately following a breach or compromise is not an easy one. Significant time and resources are dedicated to effectively manage the potential crisis, with even more time and money spent in the aftermath of the incident. These expenses include members of the IT and security teams upgrading necessary security solutions; management conducting additional security awareness training for employees; and the public relations/crisis communications team talking to customers and the general public to earn back their trust. The way a company manages an incident directly impacts the reputational damage that follows and the total cost of a breach.

The average cost per lost or stolen record is $148, and the average cost savings for organizations with an incident response team is $14 per record. The Ponemon Institute’s 2018 Cost of a Data Breach Study shows that organizations that contained a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days.

The last thing you want to waste time on during a potential data breach is trying to track down lists or determine who is responsible for what. Having a team and a clearly defined plan in place will give your organization the ability to act quickly to determine the impact of the incident, back up and recover any compromised data, and return to business as soon as possible.

Some additional guidance from the CampusGuard Customer Relationship Management team:

[Johnson]: All institutions experience unexpected and unwanted disruptions to their day-to-day operations. Although it is not always possible to predict when and what sort of incident will occur, it is possible to prepare in advance. By regularly practicing your response to a simulated incident or compromise, your team can feel confident that when a real event does occur, you will be prepared to respond.

Data breaches and security incidents should not only be viewed as problems handled by the IT department. When scheduling a tabletop exercise, be sure to involve necessary members from the executive team, security analysts, help desk personnel, operational staff leadership, department or merchant representatives, PR or communications staff, legal representatives, etc., as well as any individuals from campus safety or facilities if physical security is involved. Having each area represented during the exercise will help ensure all individuals understand their roles and allow you to clearly define relationships and a communications plan moving forward.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.