Function: Respond (RS)
Category: Mitigation (MI)
“Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.”
RS.MI-1: Incidents are contained
After an incident has been identified, preventing it from expanding beyond the affected systems is important. Identifying the scope of the incident and containing it to prevent further movement by an attacker or further exfiltration of data should provided for in the incident response plan. Procedures should identify major known categories of incidents and how best to contain them in the event of a compromise.
Auditors may look at the incident response plan to determine if appropriate steps are in place to contain an incident. Strategies to contain different types of incidents should be listed in the plan.
RS.MI-2: Incidents are mitigated
The intent of this control is to identify preventive controls that could limit the potential impact of an incident. This could include segregated networks, both ingress and egress firewall rules, patch management and DDoS protection tools. This should be documented in procedures and updated on a regular basis.
Auditors will review the incident response plan and/or other documentation to make sure appropriate controls are in place to mitigate the impact of an incident and to limit the ability to further harm the organization. Review of documented incidents may be used to determine whether mitigation efforts were implemented and effective.
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Scanning for new vulnerabilities throughout your environment and documenting a process to remediate those vulnerabilities should be included as part of a continuous monitoring program. Accepted risks should be signed-off by someone with the authority to accept risk on behalf of the organization and should be reviewed on a regular basis to verify the risk is still present or has been remediated.
Auditors will determine of the organization’s continuous monitoring programs facilitates ongoing awareness of threats, vulnerabilities, and information security to support risk management decisions. They will assure that any scanning is done at a frequency sufficient to provide relevant information and that the risk response (remediation or acceptance) is documented appropriately.
Applicable CIS Critical Controls:
CIS Control 4 – Continuous Vulnerability Assessment and Remediation
Running automated vulnerability scanning tools against all systems on a frequent basis and providing lists of the most critical vulnerabilities to responsible system administrators is a crucial task for a vulnerability management program. It is recommended to perform scans in authenticated mode to identify vulnerabilities that could be exploited if an attacker gains access to the device via user credentials.