CIS Control 17 Explained: Incident Response Management
CIS Control 17 covers incident response management: establishing an incident response capability (policies, plans, procedures, defined roles, training and communications) so the enterprise can prepare for, detect and quickly respond to attacks.
The Importance of Control 17
A comprehensive cybersecurity program includes protection, detection, response and recovery capabilities. However, less mature enterprises often neglect the latter two, typically resorting to simply re-imaging compromised systems and moving on. The primary goal of incident response is to identify threats within the enterprise, address them before they can spread and remediate them before significant harm occurs. Without a solid incident response program, defenders may find themselves scrambling during an attack, hindering their ability to respond effectively and in an organized manner.
Implementation Groups (IGs)
To implement the CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), self-assessed categories that organizations choose based on their cybersecurity attributes. You can think of them as levels of increasing security requirements, from IG1 (the most basic) to IG3 (the most advanced). Each higher group includes all safeguards of the groups below it.
For example, every IG1 safeguard must also be implemented at the IG2 and IG3 levels.
The Safeguards of Control 17
There are nine safeguards in CIS Control 17. They are listed below along with their associated NIST CSF Function and the Implementation Group at which they begin.

| Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
|---|---|---|---|
| Safeguard 17.1 | Designate Personnel to Manage Incident Handling | Respond | IG1 |
| Safeguard 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Govern | IG1 |
| Safeguard 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Govern | IG1 |
| Safeguard 17.4 | Establish and Maintain an Incident Response Process | Govern | IG2 |
| Safeguard 17.5 | Assign Key Roles and Responsibilities | Govern | IG2 |
| Safeguard 17.6 | Define Mechanisms for Communicating During Incident Response | Respond | IG2 |
| Safeguard 17.7 | Conduct Routine Incident Response Exercises | Recover | IG2 |
| Safeguard 17.8 | Conduct Post-Incident Reviews | Recover | IG2 |
| Safeguard 17.9 | Establish and Maintain Security Incident Thresholds | Recover | IG3 |