CISA Cybersecurity Performance Goals: Response and Recovery Security Controls
Controls that ensure the organization can detect, respond to, and recover from security incidents.
Response and Recovery
An incident response plan is documented and maintained
When an incident happens, the worst time to figure out what to do is during the incident itself. Adr...
Incident response roles and contacts are designated and current
An incident response plan is only useful if the right people can be reached quickly. Outdated contac...
Security incidents are reported to CISA when applicable
CISA provides free incident response support, threat intelligence sharing, and technical assistance ...
Security logs are collected centrally and retained for investigation
Logs are the primary evidence source for detecting, investigating, and reconstructing security incid...
Network and system anomalies are monitored and alerted on
Collecting logs is necessary but not sufficient. Attackers who dwell in environments for weeks or mo...
Incident response exercises are conducted at least annually
A plan that has never been tested is a hypothesis. Tabletop exercises and drills reveal gaps in the ...
Recovery procedures are documented and tested
Backup and recovery are often treated as the same problem, but they are not. A backup is insurance; ...