Function: Recover (RC)
Category: Communications (CO)
“Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.”
RC.CO-1: Public relations are managed
Incidents may quickly become a public relations issue resulting in inquiries from the media and other interested parties. Communications should be controlled to ensure accurate information is provided. The use of templates may be advised for particular types of incidents so that the information is in a prepared format and avoiding having to come up with press releases and other public notifications on the fly.
Auditors may examine recovery plans for points of contact, communication plans, and training components. Additionally, is there timely and responsible notification plans in place for customers, partners, regulators, and law enforcement for cybersecurity incidents.
RC.CO-2: Reputation after an event is repaired
Excellent communication with customers and the community goes a long way to maintaining trust and repairing reputational harm that may stem from a cybersecurity incident.
Auditors may look at documentation related to a recent cybersecurity event to determine if communication to affected parties and the community were timely and appropriate.
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams.
Recovery plans must include communication procedures to appropriate internal personnel. Notification should be timely and accurate.
Auditors may look at communication documentation from recent events and minutes from governance meetings to determine if communication and notification were provided in a timely and accurate manner.