CIS Control 17 Explained: Incident Response Management

CIS Control 17 covers incident response management: establishing the policies, plans, procedures, defined roles, training and communications an enterprise needs to prepare for, detect and quickly respond to attacks.

The Importance of Control 17

A comprehensive cybersecurity program includes protection, detection, response and recovery capabilities. However, less mature enterprises often neglect the latter two, typically resorting to simply re-imaging compromised systems and moving on. The primary goal of incident response is to identify threats within the enterprise, address them before they can spread and remediate them before significant harm occurs. Without a solid incident response program, defenders may find themselves scrambling during an attack, hindering their ability to respond effectively and in an organized manner.

Implementation Groups (IGs)

To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), self-assessed categories that an organization chooses based on its risk profile and the resources it has available. You can think of them as levels of increasing security requirements, from IG1 (the most basic) to IG3 (the most advanced). Each higher group builds on the lower ones: every IG1 safeguard must also be implemented at the IG2 and IG3 levels, and every IG2 safeguard must also be implemented at IG3.


The Safeguards of Control 17

There are nine safeguards in CIS Control 17. They are listed below with their associated NIST CSF Function and the Implementation Group at which each one is first required.

Safeguard   Safeguard Title                                                              NIST CSF Function   Starting IG
17.1        Designate Personnel to Manage Incident Handling                              Respond             IG1
17.2        Establish and Maintain Contact Information for Reporting Security Incidents  Govern              IG1
17.3        Establish and Maintain an Enterprise Process for Reporting Incidents         Govern              IG1
17.4        Establish and Maintain an Incident Response Process                          Govern              IG2
17.5        Assign Key Roles and Responsibilities                                        Govern              IG2
17.6        Define Mechanisms for Communicating During Incident Response                 Respond             IG2
17.7        Conduct Routine Incident Response Exercises                                  Recover             IG2
17.8        Conduct Post-Incident Reviews                                                Recover             IG2
17.9        Establish and Maintain Security Incident Thresholds                          Recover             IG3