
New NIST Cyber Recovery Guide, What’s Your Plan?

January 17, 2017

The adversaries trying to breach your cyber defenses have a plan. Do you? A few weeks ago, the National Institute of Standards and Technology (NIST) released its Guide for Cybersecurity Event Recovery (NIST Special Publication 800-184). The guide covers the topics found in a typical recovery plan, and it really boils down to three things: documentation, communication and practice. Everyone on a recovery team, from C-level officers, system administrators and application owners to general counsel, human resources and public relations personnel, needs to work as one team when an incident occurs.


Proper documentation is key to a quick and prioritized recovery. Start with a playbook. A playbook describes the formal recovery process the recovery team will follow. The team needs a solid understanding of the organization's critical assets and of the dependencies within the IT infrastructure that keep those assets available. With current functional and security dependency maps in hand, the recovery stays focused on critical systems first and does not waste time restoring a business application before the directory service, DNS or database it depends on. In addition, formally define the circumstances under which the recovery plan is initiated and the recovery team is activated. Everyone has probably heard the fable of the boy who cried wolf; if you do not want delays in response and skepticism within the recovery team, keep false alarms to a minimum.
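The dependency map is what turns "critical systems first" into an actual restore sequence. The following is an added example, not code from NIST SP 800-184 or from the original post: a small, constructed inventory (the asset names, criticality tiers and dependencies are hypothetical) and two functions that compute a recovery order honoring every dependency, most critical assets first among those ready to restore, and the blast radius of a single asset, that is, everything that stays down until it is back. A dependency cycle or a reference to an unknown asset is reported as an error, because a playbook containing either can never be executed as written.

```python
"""Recovery ordering from a functional/security dependency map.

Constructed example, not from NIST SP 800-184 or the original post.
Asset names, tiers and dependencies below are hypothetical.
"""
from collections import defaultdict
import heapq

# Constructed inventory: asset -> (criticality tier, set of assets it needs).
# Tier 1 is most critical. A dependency means "must be restored before me".
ASSETS = {
    "core-switch":      (1, set()),
    "dns":              (1, {"core-switch"}),
    "active-directory": (1, {"core-switch", "dns"}),
    "backup-vault":     (1, {"core-switch"}),
    "erp-db":           (2, {"active-directory", "backup-vault"}),
    "erp-app":          (2, {"erp-db", "active-directory"}),
    "intranet-wiki":    (3, {"active-directory"}),
    "email":            (2, {"active-directory", "dns"}),
}


def validate(assets):
    """Return (asset, dependency) pairs whose dependency is not in the inventory."""
    missing = []
    for name, (_, deps) in assets.items():
        for dep in deps:
            if dep not in assets:
                missing.append((name, dep))
    return missing


def recovery_order(assets):
    """Topological order of assets: dependencies first, then lowest tier number
    among everything that is ready to restore. Raises ValueError on an
    unknown dependency or a dependency cycle."""
    bad = validate(assets)
    if bad:
        raise ValueError(f"unknown dependencies: {bad}")
    # Kahn's algorithm with a priority queue keyed on (tier, name).
    indegree = {name: len(deps) for name, (_, deps) in assets.items()}
    dependents = defaultdict(list)
    for name, (_, deps) in assets.items():
        for dep in deps:
            dependents[dep].append(name)
    ready = [(tier, name) for name, (tier, deps) in assets.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (assets[child][0], child))
    if len(order) != len(assets):
        stuck = sorted(n for n, k in indegree.items() if k > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def blast_radius(assets, asset):
    """Every asset that transitively depends on `asset`, i.e. what stays
    down until `asset` is restored."""
    dependents = defaultdict(set)
    for name, (_, deps) in assets.items():
        for dep in deps:
            dependents[dep].add(name)
    seen, stack = set(), [asset]
    while stack:
        current = stack.pop()
        for child in dependents[current]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(ASSETS), 1):
        print(f"{step:2d}. {name} (tier {ASSETS[name][0]})")
    print("down until active-directory is back:",
          sorted(blast_radius(ASSETS, "active-directory")))
```

Run it and the tier-3 wiki lands last even though it has only one dependency, while the tier-1 backup vault is restored right after the switch, which is the point of keeping criticality and dependencies in the same map. The same structure extends naturally to real inventories exported from a CMDB; the part that needs human maintenance is the dependency edges, which is why the playbook has to be revisited whenever the infrastructure changes.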

It is very difficult to be an effective team if everyone is working independently, or if the opponent knows the plan too. A coordinated and secure response is vital, so communications between recovery team members must be both detailed and private. If the attacker has access to your organization's email system or can observe its network traffic, every message the team sends over those channels tells the attacker what you know and what you are about to do. Change the way you communicate: go old school and meet in person, or connect by phone over a channel the attacker cannot reach, until the root cause is remediated. Once it is, communicating and documenting actionable information and recovery insights are key to improving future responses.

Practice. Practice. Practice. Nobody likes it, but practice actually does make perfect. Most of us have been there at some point in our careers. Raise your hand if you have seen a high availability system whose failover capability was tested at installation but never again, for fear of a network or system outage; or have gone through an exercise in which all networks were assumed down, yet the recovery team was still coordinating over email and VoIP phones that ride on those very networks. Practice either exposes flaws in the playbook or provides confidence that the playbook is ready for the real game. The practice schedule needs to make sense for the organization, but as a general rule of thumb an exercise should be performed at least once a year.

The playbook will constantly evolve because of personnel changes, technology additions, corporate acquisitions and technology retirements. Yes, technology retirements. In my experience, most waivers from security requirements are requested for hardware and applications that just keep on running, whether government organizations still using mainframes from the 1960s or financial institutions that still have not moved their ATMs off Windows XP. The old adage "if it's not broken, don't fix it" may help budgets and bottom lines, but it also helps your adversary: unsupported systems receive no security patches, and every one of them is both an easier way in and a harder system to rebuild when the recovery plan is activated.

Unfortunately we live in a time where it is not a matter of if, but when an incident will occur. Having a solid plan and playbook in place before an incident is critical to lessen the impact on your organization.  


By: Kevin Hiltpold

Client Solutions Architect, Federal
