Cyber Sec Framework


Discussion Draft of the Preliminary Cybersecurity Framework

Illustrative Examples
The Cybersecurity Framework emphasizes processes/capabilities and supports a broad range of technical solutions. While organizations and sectors may develop overall Profiles, these Threat Mitigation Profile examples illustrate how organizations may apply the Framework to mitigate specific threats. The scenarios covered are cybersecurity intrusion, malware, and insider threat.

Threat Mitigation Examples

A threat is characterized as any circumstance or event with the potential to have an adverse impact on an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service (DoS). Threats continue to evolve in sophistication, moving from exploitation (collection and interception of information) to disruption (denial of service attacks) to destruction, with physical damage to a main operating component, whether it is destruction of information or incorrect commands causing damage to computer-controlled systems. The following examples describe Profiles crafted to address specific known threats.

Example 1: Mitigating Cybersecurity Intrusions

This example Profile is intended to describe key activities that address the cybersecurity risk associated with a Cybersecurity Intrusion event. The Profile was crafted based on the activities performed by adversaries during the life cycle of a cybersecurity intrusion. The cybersecurity intrusion life cycle consists of three general phases: Gain Access, Maintain Access, and Act.

Gain Access: The goal of this phase is to achieve limited access to a device on a target network. Adversaries often gain initial access to networks by exploiting a single vulnerability in a product or by prompting user action. Techniques used include: spear phishing, malicious e-mail content, Web browser attacks, exploitation of well-known software flaws, and distribution of malware on removable media.

Maintain Access: During this phase the adversary takes steps to ensure continued access to the targeted network. This is often accomplished by the installation of tools and/or malware to allow the adversary to maintain a presence on the network. Malware components establish command and control capabilities for the adversary and enable additional attacks to be performed, such as capturing keystrokes and credentials. Example actions taken during this phase include the installation of rootkits/backdoor programs and execution of BIOS exploits.

Act: In the final phase the adversary focuses on gaining access privileges that enable them to move, compromise, disrupt, exploit, or destroy data. Using the previously established command and control capabilities and compromised accounts, adversaries take steps to access and control additional data and resources. This includes establishing communications channels to the adversary's servers that facilitate remote access. Privilege escalation and lateral movement enable an enterprise-wide compromise by an adversary. The adversary is able to use the access gained to internal networks, where security protections may not be as robust, to gain access to critical resources.

Threat Mitigation Profile: Cybersecurity Intrusion

(The original table has the columns Function, Category, Subcategories, IR (Informative References), and Comment. Each row is reproduced below as one block; an IR given in parentheses belongs to the subcategory it follows, an IR line on its own belongs to the whole row.)

Function: Identify
Category: Risk Assessment
Subcategories:
- Identify threats to organizational assets (both internal and external) (IR: NIST SP 800-53 Rev. 4 PM-16)
- Identify providers of threat information (IR: ISO/IEC 27001 A.13.1.2)
Comment: Allows the organization to identify current known IP addresses for adversary servers and block inbound and outbound connections to this source.

Function: Protect
Category: Awareness and Training
Subcategories:
- Provide awareness and training that ensures that general users understand roles & responsibilities and act accordingly
- Provide awareness and training that ensures that privileged users (e.g. system, network, industrial control system, database administrators) understand roles & responsibilities and act accordingly
- Provide awareness and training that ensures that third-party stakeholders (suppliers, customers, partners) understand roles & responsibilities and act accordingly
- Provide awareness and training that ensures that senior executives understand roles & responsibilities and act accordingly
- Provide awareness and training that ensures that physical and information security personnel understand roles & responsibilities and act accordingly
IR: CCS CSC 9
Comment: Training that is shaped by the existing threat landscape provides employees with an awareness of active threats and the basic cybersecurity knowledge needed to identify suspicious applications and not to open unknown email attachments. The benefit of awareness and training can be extremely high and has a relatively low cost.

Function: Protect
Category: Information Protection Processes and Procedures
Subcategories:
- Develop, document, and maintain under configuration control a current baseline configuration of information technology / operations technology systems (IR: NIST SP 800-53 Rev. 4 CM-2)
Comment: An effective patch management process provides another potential defense against malware. Many exploits use well-known software flaws for which patches are available. A mature patch management process makes it harder for an adversary to craft an initial exploit. It is important that critical infrastructure install updated patches; test patches for potential operational impacts; and ensure that the patches do not introduce new vulnerabilities.

Function: Protect
Category: Protective Technology
Subcategories:
- Implement and maintain technology that enforces policies to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on organizational systems (i.e., Whitelisting of applications and network traffic) (IR: CCS CSC 6)
- Determine, document, and implement physical and logical system audit and log records in accordance with organizational auditing policy (IR: COBIT APO11.04)
Comment: Application whitelisting ensures that only approved applications may run. This mitigation approach can also prevent the installation of known malicious code. Auditing and logging operates in direct support of other Detect, Respond, and Recover Framework Functions.

Function: Detect
Category: Security Continuous Monitoring
Subcategories:
- Perform network monitoring for cybersecurity events flagged by the detection system or process (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, AC-2, SC-5, SI-4)
- Perform physical monitoring for cybersecurity events flagged by the detection system or process (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20)
- Perform personnel monitoring for cybersecurity events flagged by the detection system or process (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7)
- Employ malicious code detection mechanisms on network devices and systems to detect and eradicate malicious code (IR: ISO/IEC 27001 A.10.4.2)
- Detect the use of mobile code and implement corrective actions when unacceptable mobile code is detected (IR: ISO/IEC 27001 10.2.2)
- Perform personnel and system monitoring activities over external service providers (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20)
- Perform periodic checks for unauthorized personnel, network connections, devices, software (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7)
- Perform periodic assessments to identify vulnerabilities that could be exploited by adversaries (aka penetration testing)
Comment: Monitoring can detect and quarantine email that contains malware prior to delivery. Malware can be identified using signatures that uniquely identify specific malware components. Malware signatures must be frequently updated to ensure that emerging malware threats can be identified and eradicated before users within the organization can launch them. Monitoring also allows the organization to detect unusual or anomalous system behaviors that may indicate that a system has been infected with malware. Automated malware detection solutions can be configured to block connections to servers that are known to host malware or that malware software is known to communicate with.

Function: Respond
Category: Planning
Subcategories:
- Execute the organization's incident response plan (IR: CCS CSC 18; NIST SP 800-53 Rev. 4 IR-1, IR-2)
Comment: After an attack is recognized, the security team should use the organization's response plan to determine the appropriate, coordinated response to the type of attack.

Function: Respond
Category: Analysis
Subcategories:
- Investigate anomalies, including cybersecurity events (from network, physical, or personnel monitoring) flagged by the detection system or process (IR: ISO/IEC 27001 A.06.02.01)
- Conduct an impact assessment (damage/scope) (IR: ISO/IEC 27001 A.06.02.01)
- Perform forensics (IR: ISO/IEC 27001 A.13.02.02, A.13.02.03)
- Classify the incident (IR: ISO/IEC 27001 A.13.0, A.13.02, A.03.06, A.07.4.2.1)
Comment: It is important to understand the scope of the incident, the extent of damage, the level of sophistication demonstrated by the adversary, and the stage the attack is in. This knowledge helps to determine if an attack is localized on an organization's machine or if the adversary has a persistent presence on the network and the scope is enterprise-wide. Organizations should compare attack data against current and predicted attack models to gain meaningful insight into the attack.

Function: Respond
Category: Improvements
Subcategories:
- Incorporate lessons learned into plans (IR: ISO/IEC 27001 A.13.02.02)
- Update response strategies (IR: NIST SP 800-53 Rev. 4 PM-9)
Comment: Document the lessons learned from the intrusion and use them to enhance organizational cybersecurity processes.
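As an added illustration (not part of the NIST draft), the following Python sketch shows the two enforcement ideas this Profile leans on: the Protective Technology row's deny-all, permit-by-exception rule applied to program execution and to network traffic, combined with the Risk Assessment row's blocking of connections to known adversary servers, with every decision written to an audit record as the same row requires. All program images, hashes, hosts and address ranges are constructed sample values.

```python
"""Toy deny-all, permit-by-exception policy engine (added example, constructed data).

Mirrors three Profile rows: Identify / Risk Assessment (block known adversary
servers), Protect / Protective Technology (whitelisting of applications and
network traffic) and the same row's audit and log records.
"""
import hashlib
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-ins for approved program images. A real allowlist stores the
# SHA-256 of each approved binary, captured when the baseline is established.
APPROVED_IMAGES = {
    r"C:\Program Files\HMI\hmi.exe": b"approved HMI binary (constructed)",
    r"C:\Windows\System32\svchost.exe": b"approved service host (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    allowed_program_hashes: set   # exceptions to "deny all execution"
    allowed_egress: set           # {(ip_network, port)}: exceptions to "deny all traffic"
    adversary_servers: set        # {ip_network}: threat information feed (Risk Assessment)
    audit_log: list = field(default_factory=list)

    def _decide(self, kind: str, subject: str, decision: str, reason: str) -> str:
        # Every permit and deny becomes an audit record (Protective Technology row).
        self.audit_log.append(
            {"kind": kind, "subject": subject, "decision": decision, "reason": reason}
        )
        return decision

    def check_execution(self, path: str, image: bytes) -> str:
        """Permit a program only if its hash is on the allowlist; the path is irrelevant."""
        if sha256_hex(image) in self.allowed_program_hashes:
            return self._decide("exec", path, "permit", "hash on allowlist")
        return self._decide("exec", path, "deny", "deny-all default: hash not on allowlist")

    def check_connection(self, direction: str, remote_ip: str, port: int) -> str:
        """Block known adversary servers in both directions, then apply egress exceptions."""
        ip = ip_address(remote_ip)
        subject = f"{direction} {remote_ip}:{port}"
        if any(ip in net for net in self.adversary_servers):
            return self._decide("net", subject, "deny", "known adversary server (threat feed)")
        if direction == "outbound" and any(
            ip in net and port == allowed_port for net, allowed_port in self.allowed_egress
        ):
            return self._decide("net", subject, "permit", "destination on egress allowlist")
        # Unsolicited inbound traffic and any other outbound destination fall through to deny.
        return self._decide("net", subject, "deny", "deny-all default: no matching exception")


def build_policy() -> Policy:
    return Policy(
        allowed_program_hashes={sha256_hex(img) for img in APPROVED_IMAGES.values()},
        allowed_egress={
            (ip_network("10.20.0.0/24"), 443),  # constructed: historian / update servers
            (ip_network("10.20.1.5/32"), 502),  # constructed: Modbus/TCP to one PLC
        },
        adversary_servers={ip_network("203.0.113.0/24")},  # constructed (TEST-NET-3 range)
    )


def run_demo() -> tuple:
    """Evaluate a constructed batch of events; returns (decisions, audit_log)."""
    policy = build_policy()
    hmi = r"C:\Program Files\HMI\hmi.exe"
    decisions = [
        policy.check_execution(hmi, APPROVED_IMAGES[hmi]),
        # Same path, different bytes: a replaced or dropped binary is denied.
        policy.check_execution(hmi, b"tampered binary (constructed)"),
        policy.check_connection("outbound", "10.20.0.17", 443),
        policy.check_connection("outbound", "10.20.1.5", 502),
        policy.check_connection("outbound", "10.20.1.5", 443),    # wrong port for the PLC
        policy.check_connection("outbound", "203.0.113.9", 443),  # known adversary server
        policy.check_connection("inbound", "203.0.113.9", 22),
        policy.check_connection("inbound", "198.51.100.4", 3389),
    ]
    return decisions, policy.audit_log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(f"{entry['decision']:6} {entry['kind']:4} {entry['subject']}: {entry['reason']}")
```

The audit log carries the reason for every decision, which is what lets the Detect and Respond functions later reconstruct what was attempted and why it was stopped.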
Example 2: Malware

It has been shown that critical infrastructure can be susceptible to low-level threats that cause ancillary disruption. Recent attacks suggest that malware infections pose a significant threat to organizational assets. Key features of malware attacks include the exploitation of outdated patches, ingress through back channels, denial of service based on exploited systems and failing network hardware, escalation of presence, and the prevalence of a 'fortress mentality.'

Threat Mitigation Profile: Malware

Function: Identify
Category: Asset Management
Subcategories:
- Inventory and track physical devices and systems within the organization (IR: ISO/IEC 27001 A.7.1.1, A.7.1.2)
- Inventory software platforms and applications within the organization (IR: COBIT BAI03.04, BAI09.01, BAI09, BAI09.05)
- Identify organizational network components and connections (IR: ISO/IEC 27001 A.7.1.1)
- Identify external information systems including processing, storage, and service location (IR: NIST SP 500-291 3, 4)
- Identify classification/criticality/business value of hardware, devices, and software
Comment: Understanding of the network architecture must update with changes. Potential backdoors must be identified and mitigated.

Function: Protect
Category: Access Control
Subcategories:
- Perform identity and credential management (including account management, separation of duties, etc.) for devices and users (IR: NIST SP 800-53 Rev. 4 AC Family)
- Enforce physical access control for buildings, stations, substations, data centers, and other locations that house logical and virtual information technology and operations technology (IR: ISO/IEC 27001 A.9.1, A.9.2, A.11.4, A.11.6)
- Protect remote access to organizational networks to include telework guidance, mobile devices access restrictions, and cloud computing policies/procedures (IR: COBIT APO13.01, DSS01.04, DSS05.03)
- Enforce access restrictions including implementation of Attribute-/Role-based access control, permission revocation, network access control technology (IR: CCS CSC 12, 15)
- Protect network integrity by segregating networks/implementing enclaves (IR: ISO/IEC 27001 A.10.1.4, A.11.4.5)
Comment: Access control should be risk informed, should be updated, and should anticipate threats.

Function: Protect
Category: Awareness and Training
Subcategories:
- Provide awareness and training that ensures that general users understand roles & responsibilities and act accordingly (IR: COBIT APO07.03, BAI05.07)
- Provide awareness and training that ensures that privileged users (e.g. system, network, industrial control system, database administrators) understand roles & responsibilities and act accordingly (IR: ISO/IEC 27001 A.8.2.2)
- Provide awareness and training that ensures that third-party stakeholders (suppliers, customers, partners) understand roles & responsibilities and act accordingly (IR: NIST SP 800-53 Rev. 4 AT-3)
- Provide awareness and training that ensures that senior executives understand roles & responsibilities and act accordingly (IR: CCS CSC 9)
- Provide awareness and training that ensures that physical and information security personnel understand roles & responsibilities and act accordingly (IR: ISO/IEC 27001 A.8.2.2)
Comment: Partners must be educated as to the impact they or their systems may have on critical infrastructure. Employees must have ongoing understanding of malware that reflects the current threat landscape.

Function: Protect
Category: Information Protection Processes and Procedures
Subcategories:
- Develop, document, and maintain under configuration control a current baseline configuration of information technology / operations technology systems (IR: CCS CSC 3, 10)
Comment: Aggressive patch management is particularly important in the critical infrastructure setting. Patches should be thoroughly tested prior to deployment to ensure that the patch does not negatively affect critical systems. Rapid testing and installation of new patches is critical to hardening the network from malicious code should it penetrate existing barriers.

Function: Protect
Category: Protective Technology
Subcategories:
- Implement and maintain technology that enforces policies to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on organizational systems (i.e., Whitelisting of applications and network traffic) (IR: CCS CSC 6)
- Restrict the use of removable media (including writable portable storage devices), personally/externally owned devices, and network accessible media locations (IR: NIST SP 800-53 Rev. 4 AC-19)
- Determine, document, and implement physical and logical system audit and log records in accordance with organizational auditing policy (IR: CCS CSC 14)
- Protect wireless network security including monitoring for unauthorized devices/networks, processes for authorization and authentication for wireless networks, adequate encryption to protect information transmitted wirelessly (IR: ISO/IEC 27001 10.10.2)
- Protect operational technology (to include ICS, SCADA, DCS) (IR: COBIT APO13.01, BAI03.02)
Comment: Protection of operational technology is critically important. These devices should be separated from all non-necessary devices. Architecture and security measures must be updated with changes to the network and the cybersecurity landscape.

Function: Detect
Category: Anomalies and Events
Subcategories:
- Identify and determine normal organizational behaviors and expected data flow of personnel, operations technology, and information systems (IR: NIST SP 800-53 Rev. 4 SI-4, AT-3, CM-2)
- Characterize detected events (including through the use of traffic analysis) to understand attack targets and how a detected event is taking place (IR: NIST SP 800-53 Rev. 4 SI-4)
- Perform data correlation among to improve detection and awareness by bringing together information from different information sources or sensors (IR: NIST SP 800-53 Rev. 4 SI-4)
- Assess the impact of detected cybersecurity events to inform response & recovery activity (IR: NIST SP 800-53 Rev. 4 SI-4)
Comment: The organization should have a solid understanding of the events that occur on their operational networks.

Function: Detect
Category: Security Continuous Monitoring
Subcategories:
- Perform network monitoring for cybersecurity events flagged by the detection system or process (IR: ISO/IEC 27001 A.10.10.2, A.10.10.4, A.10.10.5)
- Perform physical monitoring for cybersecurity events flagged by the detection system or process (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20)
- Perform personnel monitoring for cybersecurity events flagged by the detection system or process (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7)
- Employ malicious code detection mechanisms on network devices and systems to detect and eradicate malicious code (IR: COBIT DSS05.01)
- Detect the use of mobile code and implement corrective actions when unacceptable mobile code is detected (IR: ISO/IEC 27001 A.10.4.2)
- Perform personnel and system monitoring activities over external service providers (IR: ISO/IEC 27001 10.2.2)
- Perform periodic checks for unauthorized personnel, network connections, devices, software (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20)
- Perform periodic assessments to identify vulnerabilities that could be exploited by adversaries (aka penetration testing) (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7)
Comment: Monitoring should be adjusted to detect not only presently understood threats but also predicted threats. Organizations should test systems for vulnerabilities that may expose them to current or predicted threats.

Function: Respond
Category: Mitigation
Subcategories:
- Contain the incident
- Eradicate the incident (includes strengthening controls to prevent incident recurrence)
IR: ISO/IEC 27001 A.03.06, A.13.02.03
Comment: It is crucial that incidents be contained and eradicated. Organizations should be prepared for both existing threats and anticipated threats.

Function: Recover
Category: Recovery Planning
Subcategories:
- Execute recovery plan (IR: ISO/IEC 27001 A.14.1.3, A.14.1.4, A.14.1.5)
Comment: Organizations should have viable recovery options for both currently understood threats and predicted threats.
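The Detect rows of this Profile (Anomalies and Events, Security Continuous Monitoring), which the Insider Threat Profile below repeats, describe a pipeline: determine normal data flows, characterize deviations, correlate them with information from other sensors, and assess impact to inform response. The following Python example, added here and not part of the NIST draft, runs that pipeline over constructed flow records and endpoint events; the host names, addresses, asset criticality inventory and 15-minute correlation window are all assumptions.

```python
"""Baseline, anomaly, correlation and impact pipeline (added example, constructed data).

Follows the Detect / Anomalies and Events subcategories: determine normal data
flows, characterize detected events, correlate information from different
sensors, and assess impact to inform response and recovery.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (Identify / Asset Management): criticality by host.
ASSET_CRITICALITY = {"hmi-01": "high", "eng-ws-02": "high", "office-pc-07": "low"}

# Constructed baseline window: (source host, destination, port) tuples observed
# during normal operations. Real deployments learn this from weeks of flow logs.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502),
    ("hmi-01", "historian", 443),
    ("eng-ws-02", "plc-01", 502),
    ("eng-ws-02", "historian", 443),
    ("office-pc-07", "mail", 993),
    ("office-pc-07", "proxy", 8080),
]

# Constructed events from two different sensors: network flow records and an
# endpoint agent reporting removable media (restricted by the Protective Technology row).
NETWORK_EVENTS = [
    {"ts": "2013-09-10T08:00:00", "src": "hmi-01", "dst": "plc-01", "port": 502},
    {"ts": "2013-09-10T08:05:00", "src": "eng-ws-02", "dst": "203.0.113.9", "port": 443},
    {"ts": "2013-09-10T08:06:00", "src": "eng-ws-02", "dst": "plc-01", "port": 502},
    {"ts": "2013-09-10T09:30:00", "src": "office-pc-07", "dst": "fileshare", "port": 445},
]
ENDPOINT_EVENTS = [
    {"ts": "2013-09-10T07:58:00", "host": "eng-ws-02", "type": "removable_media_inserted"},
    {"ts": "2013-09-10T06:00:00", "host": "office-pc-07", "type": "removable_media_inserted"},
]

CORRELATION_WINDOW = timedelta(minutes=15)  # assumption: how far back to look for causes


def learn_baseline(flows):
    """Map each source host to the set of (destination, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def detect_anomalies(baseline, events):
    """Flag flows that deviate from the learned baseline for their source host."""
    return [e for e in events if (e["dst"], e["port"]) not in baseline.get(e["src"], set())]


def correlate(anomaly, endpoint_events, window=CORRELATION_WINDOW):
    """Return endpoint events on the same host that precede the anomaly within the window."""
    t = datetime.fromisoformat(anomaly["ts"])
    return [
        ev for ev in endpoint_events
        if ev["host"] == anomaly["src"]
        and timedelta(0) <= t - datetime.fromisoformat(ev["ts"]) <= window
    ]


def assess_impact(anomaly, related):
    """Rate the event from asset criticality plus corroboration by a second sensor."""
    criticality = ASSET_CRITICALITY.get(anomaly["src"], "unknown")
    if criticality == "high" and related:
        severity = "critical"
    elif criticality == "high" or related:
        severity = "high"
    else:
        severity = "medium"
    return {
        "host": anomaly["src"],
        "flow": f"{anomaly['dst']}:{anomaly['port']}",
        "criticality": criticality,
        "related": [ev["type"] for ev in related],
        "severity": severity,
    }


def run_detection():
    """Run the full pipeline over the constructed events; returns the list of findings."""
    baseline = learn_baseline(BASELINE_FLOWS)
    return [
        assess_impact(anomaly, correlate(anomaly, ENDPOINT_EVENTS))
        for anomaly in detect_anomalies(baseline, NETWORK_EVENTS)
    ]


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

The engineering workstation's unexpected outbound flow is rated critical only because a second sensor corroborates it within the window; the office PC's odd flow, with no corroboration and low criticality, stays a medium-severity item for the analyst queue.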
Example 3: Mitigating Insider Threats

Insider threats present a significant danger to organizations. In many cases personnel may act as a conduit for a cybersecurity attack. This may occur through the inadvertent installation of malware, installation of unauthorized software, the loss of organizational assets, accidental data exposure or loss, and other unintentional actions. Occasionally, organizational insiders may actively seek to subvert an organization through corporate espionage or corporate sabotage. In these cases an insider may pose a significant threat, particularly within critical infrastructure.

Threat Mitigation Profile: Insider Threat

Function: Identify
Category: Asset Management
Subcategories:
- Identify business value of workforce functions by role (IR: NIST SP 800-53 Rev. 4 PM-11)
Comment: Organizations should have understanding of current workforce, their positions, and the assets to which they have access.

Function: Identify
Category: Governance
Subcategories:
- Identify organizational information security policy (IR: COBIT APO01.03, EA01.01)
- Identify information security roles & responsibility, coordination (IR: ISO/IEC 27001 A.15.1.1)
- Identify legal/regulatory requirements
Comment: Organizations should have understanding of policies, procedures, and requirements employees must adhere to. Organizations should understand the lines of communication employees currently use and may use in the future, to include social media, email, and mobile networks.

Function: Protect
Category: Access Control
Subcategories:
- Perform identity and credential management (including account management, separation of duties, etc.) for devices and users (IR: NIST SP 800-53 Rev. 4 AC Family)
- Enforce physical access control for buildings, stations, substations, data centers, and other locations that house logical and virtual information technology and operations technology (IR: COBIT DSS01.04, DSS05.05)
- Protect remote access to organizational networks to include telework guidance, mobile devices access restrictions, and cloud computing policies/procedures (IR: ISO/IEC 27001 A.11.4, A.11.7)
- Enforce access restrictions including implementation of Attribute-/Role-based access control, permission revocation, network access control technology (IR: ISO/IEC 27001 A.11.1.1)
- Protect network integrity by segregating networks/implementing enclaves (IR: ISO/IEC 27001 A.10.1.4, A.11.4.5)
Comment: Organizations should monitor and maintain constant control of credentials, access to facilities and assets, as well as remote access to assets. Furthermore, organizations should continue to search for and mitigate the damage caused by unknown possible points of entry.

Function: Protect
Category: Awareness and Training
Subcategories:
- Provide awareness and training that ensures that general users understand roles & responsibilities and act accordingly (IR: COBIT APO07.03, BAI05.07)
- Provide awareness and training that ensures that privileged users (e.g. system, network, industrial control system, database administrators) understand roles & responsibilities and act accordingly (IR: ISO/IEC 27001 A.8.2.2)
- Provide awareness and training that ensures that third-party stakeholders (suppliers, customers, partners) understand roles & responsibilities and act accordingly (IR: NIST SP 800-53 Rev. 4 AT-3)
- Provide awareness and training that ensures that senior executives understand roles & responsibilities and act accordingly (IR: CCS CSC 9)
- Provide awareness and training that ensures that physical and information security personnel understand roles & responsibilities and act accordingly (IR: ISO/IEC 27001 A.8.2.2)
Comment: Organizations should have ongoing security training that mirrors current and potential threats. Employees should be trained to identify misuse of assets.

Function: Protect
Category: Data Security
Subcategories:
- Protect data (including physical records) during storage (aka "data at rest") to achieve confidentiality, integrity, and availability goals (IR: ISO/IEC 27001 A.15.1.3, A.15.1.4)
- Protect data (including physical records) during transportation/transmission (aka "data in motion") to achieve confidentiality, integrity, and availability goals (IR: NIST SP 800-53 Rev. 4 SC-8)
- Protect organizational property and information through the formal management of asset removal, transfers, and disposition (IR: ISO/IEC 27001 A.9.2.7)
- Protect availability of organizational facilities and systems by ensuring adequate capacity availability (physical space, logical storage/memory capacity) (IR: ISO/IEC 27001 A.10.3.1)
- Protect confidentiality and integrity of organizational information and records by preventing intentional or unintentional release of information to an unauthorized and/or untrusted environment (information/data leakage) (IR: CCS CSC 17)
- Protect intellectual property in accordance with organizational requirements (IR: ISO/IEC 27001 A.15.1.2)
- Reduce potential for abuse of authorized privileges by eliminating unnecessary assets, separation of duties procedures, and least privilege requirements (IR: NIST SP 800-53 Rev. 4 AC-5, AC-6)
- Establish separate development, testing, and operational environments to protect systems from unplanned/unexpected events related to development and testing activities (IR: COBIT BAI07.04)
- Protect the privacy of individuals and personally identifiable information (PII) that is collected, used, maintained, shared, and disposed of by organizational programs and systems (IR: ISO/IEC 27001 A.15.1.3)
Comment: Organizations should seek to protect organizational data at rest from both outside threats and inside threats in a manner that reflects current understanding of the value of the information.

Function: Protect
Category: Information Protection Processes and Procedures
Subcategories:
- Develop, document, and maintain under configuration control a current baseline configuration of information technology / operations technology systems (IR: NIST SP 800-53 Rev. 4 CM-2)
- Develop, document, and maintain a System Development Life Cycle (including secure software development and system engineering and outsourced software development requirements) (IR: CCS CSC 6)
- Protect organizational information by conducting backups that ensure appropriate confidentiality, integrity, and availability of backup information, storing the backed-up information properly, and testing periodically to ensure recoverability of the information (IR: NIST SP 800-53 Rev. 4 CP-9)
- Ensure appropriate environmental requirements are met for personnel and technology (IR: COBIT DSS01.04, DSS05.05)
- Destroy/dispose of assets (to include data destruction) in a manner that prevents disclosure of information to unauthorized entities (IR: ISO/IEC 27001 9.2.6)
- Achieve continued improvement (lessons learned, best practices, feedback, etc.) (IR: COBIT APO11.06, DSS04.05)
- Develop, document, and communicate response plans (Business Continuity Plan(s), Disaster Recovery Plan(s), Incident Handling Plan(s)) that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance (IR: ISO/IEC 27001 A.14.1)
- Plan for what it takes to deliver critical infrastructure services for which the organization is responsible, including the identification of dependencies that might prevent delivery of those services (IR: ISO/IEC 27001 9.2.2)
- Integrate cybersecurity practices / procedures with human resources management (personnel screenings, departures, transfers, etc.) (IR: COBIT APO07.01, APO07.02, APO07.03, APO07.04, APO07.05)
Comment: Organizations should have well-established processes that address the potential damage to operations and business that an insider threat may cause. Processes must also exist to protect data from insiders such as limiting attack surfaces and properly disposing of assets. Processes should also integrate with human resources to ensure that employees are properly screened and adhere to organizational security requirements.

Function: Protect
Category: Protective Technology
Subcategories:
- Implement and maintain technology that enforces policies to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on organizational systems (i.e., Whitelisting of applications and network traffic) (IR: CCS CSC 6)
- Restrict the use of removable media (including writable portable storage devices), personally/externally owned devices, and network accessible media locations (IR: NIST SP 800-53 Rev. 4 AC-19)
- Determine, document, and implement physical and logical system audit and log records in accordance with organizational auditing policy (IR: CCS CSC 14)
- Protect wireless network security including monitoring for unauthorized devices/networks, processes for authorization and authentication for wireless networks, adequate encryption to protect information transmitted wirelessly (IR: ISO/IEC 27001 10.10.2)
- Protect operational technology (to include ICS, SCADA, DCS) (IR: COBIT APO13.01, BAI03.02)
Comment: Organizations should ensure continuous security of applications, networks, and devices from insider threats.

Function: Detect
Category: Anomalies and Events
Subcategories:
- Identify and determine normal organizational behaviors and expected data flow of personnel, operations technology, and information systems (IR: NIST SP 800-53 Rev. 4 SI-4, AT-3, CM-2)
- Characterize detected events (including through the use of traffic analysis) to understand attack targets and how a detected event is taking place (IR: NIST SP 800-53 Rev. 4 SI-4)
- Perform data correlation among to improve detection and awareness by bringing together information from different information sources or sensors (IR: NIST SP 800-53 Rev. 4 SI-4)
- Assess the impact of detected cybersecurity events to inform response & recovery activity (IR: NIST SP 800-53 Rev. 4 SI-4)
Comment: Organizations should assess anomalies within the organizational network.

Function: Detect
Category: Security Continuous Monitoring
Subcategories:
- Perform network monitoring for cybersecurity events flagged by the detection system or process (IR: ISO/IEC 27001 A.10.10.2, A.10.10.4, A.10.10.5)
- Perform physical monitoring for cybersecurity events flagged by the detection system or process (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20)
- Perform personnel monitoring for cybersecurity events flagged by the detection system or process (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7)
- Employ malicious code detection mechanisms on network devices and systems to detect and eradicate malicious code (IR: COBIT DSS05.01)
- Detect the use of mobile code and implement corrective actions when unacceptable mobile code is detected (IR: ISO/IEC 27001 A.10.4.2)
- Perform personnel and system monitoring activities over external service providers (IR: ISO/IEC 27001 10.2.2)
- Perform periodic checks for unauthorized personnel, network connections, devices, software (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20)
- Perform periodic assessments to identify vulnerabilities that could be exploited by adversaries (aka penetration testing) (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7)
Comment: Organizations should have ongoing monitoring of assets to include employee interactions with assets.

Function: Detect
Category: Detection Processes
Subcategories:
- Ensure accountability by establishing organizational roles, responsibilities for event detection and response (IR: ISO/IEC 27001 A.10.4.2)
- Perform policy compliance and enforcement for detect activities (internal, external constraints) (IR: ISO/IEC 27001 A.10.2.2)
- Conduct exercises (e.g., tabletop exercises) to ensure that staff understand roles/responsibilities and to help provide quality assurance of planned processes (IR: NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20)
- Communicate and coordinate cybersecurity event information among appropriate parties
Comment: Organizations should establish roles, responsibilities, and privileges for employees. They should also ensure employees adhere to organizational policies. Organizations should conduct testing to ensure employees are adhering to policies and procedures, and that new methods of accessing and communicating organizational data are found and controlled.

Function: Respond
Category: Analyze
Subcategories:
- Conduct an impact assessment (damage/scope) (IR: ISO/IEC 27001 A.06.02.01)
- Perform forensics (IR: ISO/IEC 27001 A.13.02.02, A.13.02.03)
- Classify the incident (IR: ISO/IEC 27001 A.13.0, A.13.02, A.03.06, A.07.4.2.1)
Comment: Organizations should conduct a thorough analysis to better understand the impact of insider threat incidents, to help prepare for recovery efforts, and to craft an effective containment and eradication strategy.

Function: Respond
Category: Mitigation
Subcategories:
- Contain the incident
- Eradicate the incident (includes strengthening controls to prevent incident recurrence)
IR: ISO/IEC 27001 A.03.06, A.13.02.03
Comment: Organizations should implement the steps necessary to manage the insider threat incident and engage law enforcement, as needed, to ensure that the threat is contained and eradicated.

Function: Respond
Category: Improvements
Subcategories:
- Incorporate lessons learned into plans (IR: ISO/IEC 27001 A.13.02.02)
- Update response strategies (IR: NIST SP 800-53 Rev. 4 PM-9)
Comment: Organizations should document the lessons learned from insider threat incidents and incorporate them into response plans and strategy.

Function: Recover
Category: Recovery Planning
Subcategories:
- Execute recovery plan (IR: CCS CSC 8)
Comment: Organizations should have recovery plans that account for current and predicted insider threats.