Cybersecurity Framework: Respond Function

Part seven in our series on Canada's Digital Privacy Act

Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3

(Continued from part six in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)

Now it’s time for the Respond Function of the CSF. As with the other Functions, Respond is divided into Categories, Subcategories, and Informative References.

Respond consists of 5 Categories and 15 Subcategories, allowing an organization to get as detailed as they need to in their assessment against Respond. As with the other Functions, we will not be able to cover the Subcategories in this series but a detailed listing of all Functions, Categories and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).

What is the purpose of the Respond Function? According to NIST, Respond “supports the ability to contain the impact of a potential cybersecurity event.” This is why in my previous post I said a strong Detect implementation makes the Respond Function more effective. Why? You can only Respond to what you Detect. Following are the 5 Categories of Respond and their purpose:

  • Response Planning: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
  • Communications: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  • Analysis: Analysis is conducted to ensure adequate response and support recovery activities.
  • Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  • Improvements: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Respond and the Digital Privacy Act:

The Digital Privacy Act (DPA) is designed to properly safeguard private data in Canada. Canadian organizations will be required to report data breaches, notify all affected individuals in a timely manner, and maintain relevant records of the breach.

The Respond Function has several potential ways it can help assess against the DPA. (Note: I use “potential” because it is up to each organization to determine which Categories and Subcategories are important to their business needs.) It’s important to remember that one cyber event can lead to multiple breaches (and trigger the DPA multiple times). A quick response is essential to reduce exposure. Following are some examples:

  • Response Planning: To comply with DPA, you need to report breaches. Is this part of your Response Plan? Are you using a Policy Manager to align with DPA Requirements?
  • Analysis: A second set of eyes on your Response Plan could be an effective way to catch something you may have missed. Do you have access to an outside resource like Business Critical Services (BDS) or an Incident Response (IR) provider?
  • Mitigation: One breach can quickly turn into multiple breaches if you don’t mitigate the underlying threat. Do you have a relationship with an Incident Response (IR) Vendor who can help you quickly mitigate an event? Setting up a Retainer ahead of time avoids the potential delay of acquiring IR service during an event.

Putting it to use:

Taking the time to review each Respond subcategory to determine if it will help you comply with DPA will create a “DPA Current Profile.” A Risk Assessment against those subcategories will create a “DPA Target Profile” which can be used to guide your efforts to comply with the Respond components of DPA.

Symantec has solutions that align with both the CSF and DPA. We would be happy to discuss how we would be able to help you reach your Respond Target Profile.

Up next: the Recover Core Function of the CSF.

For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa
