CIS Control 17: Incident Response Management

4 years ago Tyler Reguly

We all know that it is a question of when you will be compromised, not if. It is unavoidable. The goal of CIS Control 17 is to ensure that you are set up for success when that inevitable breach occurs. If an organization is neither equipped nor prepared for a potential data breach, it is not likely to succeed in responding to the threat.

Key Takeaways

One takeaway from Control 17 is that it is not a standalone guide. CIS recommends using the control as a high-level overview but digging deeper into the topic using other guides. They specifically reference the Council of Registered Security Testers (CREST) Cyber Security Incident Response Guide. Another takeaway is that a plan is key. Even if that plan is simply to call a third party to perform the investigation, have it documented. More mature organizations with internal teams should engage in Red Team and Blue Team exercises.

The biggest takeaway from CIS Control 17 is that planning and communication are critical when responding to an incident. The longer an intruder has access to your network, the more time they’ve had to embed themselves into your systems. Communicating with everyone involved can help limit the duration between attack and clean-up.

Safeguards for Control 17

1) Designate Personnel to Manage Incident Handling

Description: Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts. They can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this Safeguard is Respond. This is a balancing act that can go either way. In some organizations, there will be hesitancy to dedicate a resource to ensuring your process is robust and complete. In other organizations, there will be a desire to over-allocate resources, preventing a plan of action from being formed and acted upon when needed. Follow this guidance and have that one key individual and a backup (or two) to support them.

2) Establish and Maintain Contact Information for Reporting Security Incidents

Description: Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.

Notes: The security function associated with this Safeguard is Respond. The last thing you want to do is scramble in the middle of a security incident. Whatever your internal documentation system may be, ensure that it has a clear, easy-to-find page with all of the contact information that could be needed. Use proper keywords and test with internal resources to ensure that whatever search words they think of will return the desired result. There’s nothing worse than getting lost in internal documentation when you need that critical piece of information.

3) Establish and Maintain an Enterprise Process for Reporting Incidents

Description: Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this Safeguard is Respond. It is critical that when an incident occurs, everyone knows the workflow for reporting it. Everyone in the organization should understand that workflow and who will inform whom. You don’t want critical executives learning about incidents via the news. Instead, an enterprise-wide process should ensure that everyone knows what they need to know.

4) Establish and Maintain an Incident Response Process

Description: Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this Safeguard is Respond. Just as you need to know who to report to and when to report details, you need to know who is responsible for each step of the process. If everyone thinks that someone else is handling it, you’ll be stuck. The process needs to keep moving forward, and that means that everyone needs to be aware of their role.

5) Assign Key Roles and Responsibilities

Description: Assign key roles and responsibilities for incident response including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this Safeguard is Respond. As mentioned in Safeguard 4, it is critical that everyone knows their role. While the process will outline this, it is important that everyone involved in the process has read it as well as understands their role and responsibilities. Ensure that those who need to know the process understand their involvement.

6) Define Mechanisms for Communicating During Incident Response

Description: Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms such as emails can be affected during a security incident. Review annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this Safeguard is Respond. Just as important as knowing when to communicate and with whom to communicate is knowing how to communicate. If the incident has disrupted email, how will you share data? Do you have a messaging platform and an up-to-date phone number list? As more and more employees transition to working from home, it is critical that companies have a means to communicate regardless of critical system outages.

7) Conduct Routine Incident Response Exercises

Description: Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis at a minimum.

Notes: The security function associated with this Safeguard is Recover. Once you have figured out the roles and responsibilities, communication means, timeline, and other critical information from the previous Safeguards, it is important to practice your response process. Just like a fire drill, it is important to work through the entire process. Don’t let anyone miss out on these exercises.

8) Conduct Post-Incident Reviews

Description: Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.

Notes: The security function associated with this Safeguard is Recover. Retrospectives are a critical aspect of software development, and they are just as critical in incident response. Ask yourself what went well, what went poorly, and what you would change. If everyone involved in the process comes to a conversation ready to discuss those questions, you’ll have an agile, ever-evolving incident response process that improves with each incident.

9) Establish and Maintain Security Incident Thresholds

Description: Establish and maintain security incident thresholds including differentiating between an incident and an event. Examples can include abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this Safeguard is Recover. Think of this as a rating system. Different incidents will have different impacts, and with each individual impact comes a different level of responsiveness. You don’t want to burn out on every incident by treating minor problems the same as critical ones, but you also don’t want to minimize critical security incidents. Setting thresholds that are well defined and easily understood will make it easier for everyone to respond appropriately.

See how simple and effective security controls can create a framework that helps you to protect your organization and data from known cyber-attack vectors by downloading this guide.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skill Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

The post “CIS Control 17: Incident Response Management” appeared first on TripWire.

Source: TripWire – Tyler Reguly
