CIS Control 19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
Why is this CIS Control Critical?
Cyber incidents are now just part of our way of life. Even large, well-funded, and technically sophisticated enterprises struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber-attack against an enterprise is not “if” but “when.”
When an incident occurs, it is too late to develop the right procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow good procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and potentially exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
- 19.1: Document Incident Response Procedures
- 19.2: Assign Job Titles and Duties for Incident Response
- 19.3: Designate Management Personnel to Support Incident Handling
- 19.4: Devise Organization-wide Standards for Reporting Incidents
- 19.5: Maintain Contact Information for Reporting Security Incidents
- 19.6: Publish Information Regarding Reporting Computer Anomalies and Incidents
- 19.7: Conduct Periodic Incident Scenario Sessions for Personnel
- 19.8: Create Incident Scoring and Prioritization Schema