Principle: D1 Response and Recovery Planning
There are well-defined and tested incident management processes in place, which aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place.
This means that organisations should have the mechanisms in place to minimise the impact of incidents on essential functions. These should be determined by the organisation’s overall risk management approach.
Organisations should possess an incident response plan which is continually maintained. All incident response processes should have built-in resilience, so that in the case of a major incident teams may be scaled proportionally to effectively implement investigation, management and triage activities. The impacts of incidents are often not confined solely within the cyber security domain; organisations should therefore ensure that links and reporting channels with non-cyber security teams are clearly documented and well maintained. Mitigating measures should be assessed and applied at the earliest opportunity, drawing on expert advice where necessary.
Organisations may consider developing example playbooks for incident response to aid exercising and training staff in incident policies and procedures. Playbooks should cover a variety of different scenarios such as Denial of Service, ransomware and data loss.
Policy
The following requirements are placed on government departments:
- Government Organisations shall meet the CAF requirements of the relevant Government Profile under this principle.
- Departments shall have communication plans in the event of an incident which include notifying the relevant supervisory body, senior accountable individuals, the Departmental press office, the National Cyber Security Centre (NCSC), the Government Security Group (Cabinet Office), the Information Commissioner’s Office (ICO) or law enforcement as applicable (not exhaustive).
- In the event of an incident that involves breach of personal data and the General Data Protection Regulation (GDPR), departments shall comply with any legal obligation to report the breach to the Information Commissioner’s Office.
- Departments shall adhere to the Security Response Standard. Contact gsg.response@cabinetoffice.gov.uk for more information about the standard.
Guidance
- Good incident management can minimise the impact when incidents occur. 10 Steps: Incident Management draws out key principles for good incident response including the development of effective incident response plans, capabilities and the testing of these on a routine basis. It discusses how to appropriately implement effective response and communication strategies during a real incident, as well as the incorporation of lessons learned into your organisational improvements.
- The Incident Management Collection provides in-depth guidance on how to effectively plan, build, develop and maintain a cyber incident response capability. The guidance will assist you in defining and developing incident response processes and playbooks, forming a core security incident response team, as well as developing and harnessing technical capabilities to ensure information is readily available for incident triage.
- Emphasising the cost, productivity and reputational damage which incidents can cause, the Board Toolkit’s section on planning response to cyber incidents should be used to gain senior buy-in for incident planning, management and exercising, as well as maintaining a ‘no blame’ culture to aid post-incident analysis.
- The welfare of staff and their concerns during cyber incidents should not be overlooked. Putting staff welfare at the heart of incident response offers practical guidance on including staff in incident planning, building a positive security culture, planning internal communications and practising an incident response.
Available tools
- Central government organisations and Critical National Infrastructure are advised to consider using Cyber Incident Response (CIR) certified companies. This scheme provides NCSC assurance that specific companies procured for incident response are equipped to handle sophisticated, targeted attacks against high-threat organisations.
- The Exercise in a Box service helps organisations assess how resilient they are to a range of cyber attacks and practise responses in a safe environment. This can be carried out any number of times and includes information on set-up, planning, delivery and post-exercise activity.
Further information
- Some cyber-related regulations (e.g. the NIS Directive) have mandatory reporting requirements. Organisations should make sure that they understand applicable requirements and include these in planning.
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.