How to plan for after the hack

How to plan for after the hack

The National Institute of Standards and Technology has released draft guidance for recovering from a cyber incident in response to shifting beliefs that some events can’t be prevented.

Although it is not an operational playbook, the draft “Guide for Cybersecurity Event Recovery,” which NIST released earlier this month, provides guidance on how organizations can recover from a cyber breach by providing steps for creating a response plan.

“Much of the planning and documentation for recovering from a cybersecurity event needs to be in place before the cyber event occurs,” according to the document.

First, the draft recommends planning for events by taking stock of assets and then prioritizing them based on risk. Agencies need to look not only at their IT, but also the data and people involved.

To effectively plan, the draft guide recommends:

  • Threat modeling.
  • Understanding the identities that exist in the agency’s environment.
  • Using access controls.
  • Ensuring data integrity.

Ways to create planning documents include setting service-level agreements, appointing staff members who can carry out recovery plans, making a communication plan and establishing operational workarounds, the document adds.

Additionally, agencies should set up their own recovery plans, turning to organizations such as NIST and the Department of Homeland Security as needed.

Once a problem occurs, the draft states, agencies should meet two goals before executing recovery efforts. One is to have basic knowledge of the adversary’s objective, and the other is to have high confidence in either understanding the technical mechanisms the hacker is using or confirming non-persistent intent.

“Cyber event recovery planning is not a one-time activity,” the document continues. To that end, agencies must plan for continuous monitoring and improvement. They need to make sure that the technologies, processes and people involved in recovery are ready to work together, for example. To do this, agencies can test their knowledge of risk scenarios and train employees on recovery processes.

Finally, the draft recommends measuring outcomes using recovery metrics, such as legal, equipment and labor costs; frequency of recovery exercises and tests; and number of business disruptions because of IT service incidents. 

A focus on recovery is not totally new. But recovery is gaining attention as beliefs move away from preventing every attack and toward proper responses when breaches happen.

“Organizations used to focus their information security efforts on cybersecurity (cyber) event defense, but adversaries have modified their attack techniques to make protection much more difficult,” according to the document. “Over the last few years, there has been widespread recognition that some cyber events cannot be stopped.”

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected