Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3
(Continued from part seven in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)
Last, but certainly not least, we come to the Recover Function of the CSF. As with the other Functions, Recover is divided into Categories, Subcategories, and Informative References.
Recover consists of 3 Categories and 6 Subcategories. The Recover Function has the fewest Subcategories, but that certainly doesn’t mean it’s less important than the other Functions. In fact, it could be argued that Recover is the most important Function. What good are the other Functions if you can’t return to business after a cyber event? The other Functions are absolutely critical, but you have to be able to recover from the cyber events that make it through. We won’t be covering the Subcategories in this blog, but a detailed listing of all Functions, Categories and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).
What is the purpose of the Recover Function? According to NIST, Recover “supports timely recovery to normal operations to reduce the impact from a cybersecurity event.” In other words, what people, processes, and technology are in place to allow me to get my business back up and running as soon as possible? This goes well beyond DPA. You can suffer a breach, comply with DPA, but still have to close shop because of poor Recovery planning. Following are the 3 Categories of Recover and their purpose:
- Recovery Planning: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
- Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
Recovery and the Digital Privacy Act:
The Digital Privacy Act (DPA) is designed to properly safeguard private data in Canada. Canadian organizations will be required to report data breaches, notify all affected individuals in a timely manner and maintain relevant records of the breach.
The Recover Function offers several potential ways to help assess against the DPA. As with the other CSF Functions, each organization has to decide which Categories and Subcategories are important to its business needs. Following are some examples:
- Recovery Planning: A malicious file made it through your defenses and caused an incident. You removed the malicious file but do you have an IT Management Suite (ITMS) to patch the vulnerability used by the malicious file? If not, you could suffer another breach as other unpatched systems across your enterprise are contaminated.
- Improvements: Do you have the resources necessary to figure out what went wrong so you can fix it? Employing an Incident Response (IR) vendor can give you insights into what happened and how to adjust your recovery plan for the next event.
Putting it to use:
Taking the time to review each Recover subcategory to determine if it will help you comply with DPA will create a “DPA Current Profile.” A Risk Assessment against those subcategories will create a “DPA Target Profile,” which can be used to guide your efforts to comply with the Recover components of DPA.
Symantec has solutions that align with both the CSF and DPA. We would be happy to discuss how we would be able to help you reach your Recover Target Profile.
In the last six parts of this blog series, we provided a basic overview of the NIST Cybersecurity Framework (CSF), a deeper dive into the five Core Functions, and how each could be used to prepare for the Canadian Digital Privacy Act (DPA). We recently hosted a webcast on this topic: Using the NIST CSF to prepare for Canada Digital Privacy Act. Although we limited the discussion to the DPA, the CSF is designed to help an organization of any size assess its overarching cyber readiness and make improvements. We encourage you to take a deeper look at the CSF to see how it might help your cybersecurity efforts. Symantec has a deep understanding of the CSF, has mapped our solutions to the Functions, Categories and Subcategories, and is ready to assist with your CSF efforts.
Up next in this series..."I got breached, now what?"
For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa