Alternate format: Cross-Sector Cyber Security Readiness Goals Toolkit (PDF, 433 KB)
The Cross-Sector Cyber Security Readiness Goals Toolkit outlines 36 CRGs to support Canadian CI owners and operators, from any sector, in prioritizing investments in cyber security and elevating their cyber security posture.
The list below matches each goal with the
- intended outcome
- associated risk, such as tactics, techniques, and procedures (TTPs) from MITRE ATT&CK, addressed by the goal
- recommended action
- relevant references, such as related National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 subcategories and associated Cyber Centre guidance
Govern (0)
Privacy leadership (0.0)
Outcome
A single leader or team is responsible and accountable for managing cyber-related privacy risk.
TTPs or risk addressed
- Lack of accountability, investment, or effectiveness.
Recommended action
Identify a named role/title as responsible and accountable for the organization’s privacy risk management program. The responsible person/team establishes policies and procedures that require the organization to:
- consider the full spectrum of cyber-related privacy risks and obligations, including applicable privacy legislation
- apply that analysis to support operational decisions
The privacy risk management program could include maintaining a personal information inventory, as well as policies to limit collection and retention of personal information.
References
Supply chain incident reporting process/policies (0.1)
Outcome
Organizations more rapidly learn about and respond to known incidents or breaches across vendors and service providers.
TTPs or risk addressed
- Supply chain compromise (T1195, ICS T0862)
Recommended action
Ensure the organization's cyber security supply chain risk management program stipulates that vendors and/or service providers must notify the procuring customer of security incidents. This should be done within a risk-informed time frame, as determined by the organization, and be documented in procurement documents and contracts, such as service level agreements (SLAs).
References
Vendor/supplier cyber security requirements (0.2)
Outcome
Reduce risk by buying more secure products and services from more secure suppliers.
TTPs or risk addressed
- Supply chain compromise (T1195, ICS T0862)
Recommended action
Include cyber security requirements and questions in organizations’ procurement documents. Ensure those responses are evaluated in vendor selection such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred or, when possible, the more secure option is preferred even at higher cost.
References
Organizational and operational technology (OT) cyber security leadership (0.3)
Outcome
A single leader is responsible and accountable for cyber security within an organization. If applicable to the organization, a single leader is responsible and accountable for OT-specific cyber security within an organization with OT assets. In some organizations, one individual may hold both roles.
TTPs or risk addressed
- Lack of accountability, investment, or effectiveness in cyber security or OT cyber security programs.
Recommended action
Identify a named role/title as responsible and accountable for planning, resourcing and executing cyber security activities. This role may undertake activities such as managing cyber security operations at the senior level, requesting and securing budget resources, or leading strategy to inform future positioning. Additionally, identify a named role/title as responsible for resourcing and executing OT-specific cyber security activities. In some organizations, both cyber security leadership and OT leadership can be the same position.
References
Improving information technology (IT) and OT cyber security relationships (0.4)
Outcome
Improve OT cyber security and more rapidly and effectively respond to OT cyber incidents.
TTPs or risk addressed
- Increased risk for OT cyber security resulting from poor working relationships and a lack of mutual understanding between IT and OT cyber security personnel.
Recommended action
At least once per year, sponsor a relationship-building activity that is focused on strengthening working relationships between IT and OT security personnel and that is not a working event (providing meals during an incident response, for example, does not count). This gives IT and OT personnel the opportunity to open lines of communication, reach a common understanding of the evolved threat surface, establish common priorities, and create a security plan that protects both the OT and the surrounding IT.
References
Identify (1)
Asset inventory and network topology (1.0)
Outcome
Better identify known, unknown, and unmanaged assets, including Internet-facing and cloud assets as well as data assets, so that the organization can more rapidly detect and respond to new vulnerabilities and maintain service continuity.
TTPs or risk addressed
- Hardware additions (T1200)
- Exploit public-facing applications (T1190, ICS T0819)
- Internet accessible device (ICS T0883)
Recommended action
Maintain a regularly updated inventory of all assets within the organization's IT (including IPv6) and OT networks (if applicable). Include in the inventory accurate documentation of network topology and identified data assets, in particular sensitive or classified information. Update this inventory on a regular basis for both IT and OT, and immediately record in the inventory any new asset that is integrated into the organization’s infrastructure.
References
- ID.AM-01 from the NIST Cybersecurity Framework 2.0
- ID.AM-02 from the NIST Cybersecurity Framework 2.0
- ID.AM-03 from the NIST Cybersecurity Framework 2.0
- ID.AM-04 from the NIST Cybersecurity Framework 2.0
- DE.CM-01 from the NIST Cybersecurity Framework 2.0
- Using information technology asset management (ITAM) to enhance cyber security (ITSM.10.004)
Mitigating known vulnerabilities (1.1)
Outcome
Reduce the likelihood that threat actors will exploit known vulnerabilities to breach organizational networks.
TTPs or risk addressed
- Active scanning – Vulnerability scanning (T1595.002)
- Exploit public-facing application (T1190, ICS T0819)
- Exploitation of remote service (T1210, ICS T0866)
- Supply chain compromise (T1195, ICS T0862)
- External remote services (T1133, ICS T0822)
Recommended action
Patch all known exploited vulnerabilities (listed in CISA’s Known Exploited Vulnerabilities Catalog) in Internet-facing systems within a risk-informed timespan, prioritizing more critical assets first. Identify security vulnerabilities in your systems by conducting penetration tests and using automated vulnerability scanning tools, activities which are part of a comprehensive vulnerability management strategy.
Note about OT: For assets where patching is not possible or may substantially compromise availability or safety, apply and record compensating controls (e.g., segmentation, monitoring). Sufficient controls either make the asset inaccessible from the public Internet or reduce the ability of threat actors to exploit the vulnerabilities in these assets.
Carefully select automated vulnerability detection tools as they can scan systems aggressively. These tools may cause devices to behave erratically, stop working/crash, or restart, or need manual intervention to revert to an operational state.
References
- ID.RA-01 from the NIST Cybersecurity Framework 2.0
- ID.RA-08 from the NIST Cybersecurity Framework 2.0
- ID.RA-06 from the NIST Cybersecurity Framework 2.0
- PR.PS-02 from the NIST Cybersecurity Framework 2.0
- PR.PS-03 from the NIST Cybersecurity Framework 2.0
- Top 10 IT Security actions: No. 2 patch operating systems and applications (ITSM.10.096)
- Top 10 IT Security actions: No. 5 Segment and separate information (ITSM.10.092)
- How updates secure your device (ITSAP.10.096)
- Baseline cyber security controls for small and medium organizations
Third-party validation of cyber security control effectiveness (1.2)
Outcome
Identify TTPs that lack proper defences and establish confidence in organizational cyber defences.
TTPs or risk addressed
- Gaps in cyber defences or a false sense of security in existing protections.
Recommended action
Third parties with demonstrated expertise in IT and/or OT cyber security regularly validate the effectiveness and coverage of an organization’s cyber security defences. Conduct these exercises annually to include activities such as penetration tests, bug bounties, incident simulations, or table-top exercises, and include both unannounced and announced tests.
Exercises consider both the ability and impact of a potential adversary to infiltrate the network from the outside, as well as the ability of an adversary within the network (e.g., “assume breach”) to pivot laterally to demonstrate potential impact on critical systems, including operational technology and industrial control systems.
Mitigate in a timely manner high-impact findings from previous tests so these are not re-observed in future tests.
References
Incident response (IR) plans (1.3)
Outcome
Organizations maintain, practice, and update cyber security incident response plans for relevant threat scenarios.
TTPs or risk addressed
- Inability to quickly and effectively contain, mitigate, and communicate about cyber security incidents.
Recommended action
Develop, maintain, update, and regularly drill IT and OT cyber security incident response plans for both common and organization-specific (e.g., by sector or locality) threat scenarios and TTPs. Consider engaging with appropriate stakeholders to conduct tabletop exercises focused on AI-enhanced attacks. When tests or drills are conducted, ensure they are as realistic as feasible and conform to the organization’s acceptable levels of downtime. Drill IR plans at least annually and update within a risk-informed time frame following the lessons learned portion of any exercise or drill.
References
Deploy security.txt files (1.4)
Outcome
Allow security researchers to submit discovered weaknesses or vulnerabilities more quickly.
TTPs or risk addressed
- Active scanning – Vulnerability scanning (T1595.002)
- Exploit public-facing application (T1190, ICS T0819)
- Exploitation of remote services (T1210, ICS T0866)
- Supply chain compromise (T1195, ICS T0862)
Recommended action
Ensure all public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116.
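A conformance check for the file this goal calls for, written for this page as an added example (it is not part of the Cyber Centre toolkit). It tests what RFC 9116 requires: at least one Contact field with an https, mailto or tel URI, exactly one Expires field in RFC 3339 form that has not passed (and, as the RFC recommends, is less than a year away), an https Canonical URI, and at most one Preferred-Languages field. The two sample files are constructed; fetching the real file from https://<domain>/.well-known/security.txt is left to the reader.

```python
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("https://", "mailto:", "tel:")   # URI schemes RFC 9116 allows for Contact

# Constructed examples. Expires is generated 180 days ahead so the "good" file stays valid.
EXPIRES = (datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ")
GOOD_FILE = f"""\
# Constructed: would be served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: {EXPIRES}
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, fr
"""
BAD_FILE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Canonical: http://example.com/.well-known/security.txt
"""

def parse_security_txt(text):
    """Return (field, value) pairs in file order; field names are case-insensitive."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        fields.append((name.strip().lower(), value.strip()))
    return fields

def parse_timestamp(value):
    """RFC 3339 timestamp; a trailing 'Z' is rewritten so fromisoformat() accepts it on older Pythons."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))

def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as err:
        return [str(err)]
    findings = []
    contacts = [v for f, v in fields if f == "contact"]
    expires = [v for f, v in fields if f == "expires"]

    if not contacts:
        findings.append("Contact: required field is missing")
    for v in contacts:
        if not v.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"Contact: must be an https, mailto or tel URI, got {v!r}")
    for v in (v for f, v in fields if f == "canonical"):
        if not v.lower().startswith("https://"):
            findings.append(f"Canonical: must be an https URI, got {v!r}")
    if sum(1 for f, _ in fields if f == "preferred-languages") > 1:
        findings.append("Preferred-Languages: must appear at most once")

    if len(expires) != 1:
        findings.append(f"Expires: required exactly once, found {len(expires)}")
    else:
        try:
            exp = parse_timestamp(expires[0])
            if exp.tzinfo is None:
                raise ValueError("no time zone")
        except ValueError:
            findings.append(f"Expires: not an RFC 3339 timestamp: {expires[0]!r}")
        else:
            if exp <= now:
                findings.append(f"Expires: file expired on {exp.isoformat()}")
            elif exp - now > timedelta(days=365):
                findings.append("Expires: more than a year ahead; RFC 9116 recommends less")
    return findings

if __name__ == "__main__":
    for name, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(name, check_security_txt(text) or "OK")
```

The check deliberately stops at syntax and the required fields; whether the Contact address is actually monitored is a process question, and the Expires date is the reminder to revisit it.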
References
Select a trusted cloud service provider (1.5)
Outcome
If cloud is leveraged and a trusted relationship established with a mature and technically capable cloud service provider (CSP), organizations can confidently adopt cloud services, harnessing the benefits of scalability, flexibility, and cost-effectiveness while safeguarding their sensitive assets.
TTPs or risk addressed
- Attacks and/or compromise due to immature CSP
- Supply chain compromise (T1195, ICS T0862)
Recommended action
Ensure that your selected CSP offers secure data storage, encryption, and access controls, and validate that the CSP’s cyber security capability and practices are compliant with relevant security standards and regulations. This can be accomplished by confirming a CSP’s adherence to existing compliance regimes, which can vary depending on the organization’s business requirements.
References
- GV.OC-03 from the NIST Cybersecurity Framework 2.0
- GV.SC-05 from the NIST Cybersecurity Framework 2.0
- GV.SC-07 from the NIST Cybersecurity Framework 2.0
- ID.AM-02 from the NIST Cybersecurity Framework 2.0
- Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035)
- Baseline cyber security controls for small and medium organizations
Protect (2)
Changing default passwords (2.0)
Outcome
Prevent threat actors from using default passwords to achieve initial access to or move laterally in a network.
TTPs or risk addressed
- Valid accounts – Default accounts (T1078.001)
- Valid accounts (ICS T0859)
Recommended action
Enforce an organization-wide policy and/or process that requires changing default manufacturer passwords for any/all hardware, software and firmware before putting them on any internal or external networks. This includes IT assets for OT, such as OT administration web pages.
In instances where changing default passwords is not feasible (e.g., a control system with a hard-coded password), implement and document appropriate compensating security controls, and monitor logs for network traffic and login attempts on those devices.
Note about OT: While changing default passwords on an organization’s existing OT requires significantly more work, enforce a policy to change default credentials for all new or future devices. This is not only easier to achieve, but also reduces potential risk in the future if adversary TTPs change.
References
Minimum password strength (2.1)
Outcome
Organizational passwords are harder for threat actors to guess or crack.
TTPs or risk addressed
- Brute force – Password guessing (T1110.001)
- Brute force – Password cracking (T1110.002)
- Brute force – Password spraying (T1110.003)
- Brute force – Credential stuffing (T1110.004)
Recommended action
Organizations have a system-enforced policy that requires a minimum password length of 15 or more characters for all password-protected IT assets and for all OT assets where technically feasible. Consider leveraging passphrases of at least 4 words and 15 characters in length. Where suitable, use passphrases, as they are longer but easier to remember than a password of random, mixed characters. In instances where minimum password lengths are not technically feasible, apply and record compensating controls, and log all login attempts to those assets. Prioritize for upgrade or replacement any assets that cannot support passwords of sufficient length.
This goal is particularly important for organizations that lack widespread implementation of multi-factor authentication (MFA) and capabilities to protect against brute-force attacks (such as web application firewalls and third-party content delivery networks) or are unable to adopt passwordless authentication methods.
References
Unique credentials (2.2)
Outcome
Attackers are unable to reuse compromised credentials to move laterally across the organization, particularly between IT and OT networks.
TTPs or risk addressed
- Valid accounts (T1078, ICS T0859)
- Brute force – Password guessing (T1110.001)
Recommended action
Provision unique and separate credentials for similar services and asset access on IT and OT networks. Ensure users do not (or cannot) reuse passwords for accounts, applications, services, etc. Require that service accounts/machine accounts have unique passwords from all member user accounts.
References
Revoking credentials for departing employees (2.3)
Outcome
Prevent unauthorized access to organizational accounts or resources by former employees.
TTPs or risk addressed
- Valid accounts (T1078, ICS T0859)
Recommended action
Apply a defined and enforced administrative process to all departing employees by the day of their departure that:
- revokes and securely returns all physical badges, key cards, tokens, etc.
- disables all user accounts and access to organizational resources
References
- PR.AA-01 from the NIST Cybersecurity Framework 2.0
- PR.AA-05 from the NIST Cybersecurity Framework 2.0
- PR.AA-06 from the NIST Cybersecurity Framework 2.0
- GV.RR-04 from the NIST Cybersecurity Framework 2.0
- Top 10 IT security actions: No. 3 managing and controlling administrative privileges (ITSM.10.094)
Separating user and privileged accounts (2.4)
Outcome
Make it more difficult for threat actors to gain access to administrator or privileged accounts, even if common user accounts are compromised.
TTPs or risk addressed
- Valid accounts (T1078, ICS T0859)
Recommended action
Everyday user accounts do not carry administrator or super-user privileges. Administrators maintain separate user accounts for all actions and activities not associated with the administrator role (e.g., business email, web browsing). Reevaluate privileges on a recurring basis to validate the continued need for a given set of permissions.
References
Network segmentation (2.5)
Outcome
Reduce the likelihood that threat actors will access the OT network after compromising the IT network.
TTPs or risk addressed
- Network service discovery (T1046)
- Trusted relationship (T1199)
- Network connection enumeration (ICS T0840)
- Network sniffing (T1040, ICS T0842)
Recommended action
All connections to the OT network are denied by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality. Necessary communications paths between the IT and OT networks must pass through an intermediary, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone (DMZ), which is closely monitored, captures network logs, and only allows connections from approved assets.
References
Detection of unsuccessful (automated) login attempts (2.6)
Outcome
Protect organizations from automated, credential-based attacks.
TTPs or risk addressed
- Brute force – Password guessing (T1110.001)
- Brute force – Password cracking (T1110.002)
- Brute force – Password spraying (T1110.003)
- Brute force – Credential stuffing (T1110.004)
Recommended action
Log all unsuccessful logins and send to an organization’s security team or relevant logging system. Ensure security teams are notified (e.g., by an alert) after a specific number of consecutive, unsuccessful login attempts in a short period (e.g., 5 failed attempts over 2 minutes). These alerts are logged and stored in the relevant security or ticketing system for retroactive analysis. For IT assets, there is a system-enforced policy that prevents future logins for the suspicious account. For example, this could be for some minimum time or until the account is re-enabled by a privileged user. Enable this configuration when available on an asset. For example, Windows 11 can automatically lock out accounts for 10 minutes after 10 incorrect logins in a 10-minute period.
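The alert logic described above, run over constructed sshd-style log lines as an added example (it is not the toolkit's code): a 120-second sliding window flags an account that fails five times (password guessing or cracking) and, separately, a source address that fails against five distinct accounts in the window (password spraying or credential stuffing), a pattern that a per-account counter alone never reaches. The log lines, hostnames and addresses are constructed. The lockout itself, such as the Windows policy mentioned above, is the enforcement step and is not simulated here.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sshd/syslog-style sample (not real log data). Syslog lines carry no year,
# so timestamps are compared relative to one another within a single capture.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[4011]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Mar 10 09:00:14 bastion sshd[4012]: Failed password for alice from 203.0.113.7 port 50123 ssh2
Mar 10 09:00:30 bastion sshd[4013]: Failed password for alice from 203.0.113.7 port 50124 ssh2
Mar 10 09:00:52 bastion sshd[4014]: Failed password for alice from 203.0.113.7 port 50125 ssh2
Mar 10 09:01:20 bastion sshd[4015]: Failed password for alice from 203.0.113.7 port 50126 ssh2
Mar 10 09:05:00 bastion sshd[4020]: Failed password for bob from 198.51.100.9 port 41000 ssh2
Mar 10 09:05:05 bastion sshd[4021]: Failed password for carol from 198.51.100.9 port 41001 ssh2
Mar 10 09:05:09 bastion sshd[4022]: Failed password for dave from 198.51.100.9 port 41002 ssh2
Mar 10 09:05:15 bastion sshd[4023]: Failed password for invalid user erin from 198.51.100.9 port 41003 ssh2
Mar 10 09:05:20 bastion sshd[4024]: Failed password for frank from 198.51.100.9 port 41004 ssh2
Mar 10 09:30:00 bastion sshd[4030]: Failed password for grace from 192.0.2.5 port 39000 ssh2
Mar 10 09:40:00 bastion sshd[4031]: Failed password for grace from 192.0.2.5 port 39001 ssh2
Mar 10 09:40:10 bastion sshd[4032]: Accepted publickey for grace from 192.0.2.5 port 39002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Alert = namedtuple("Alert", "kind subject source count first last")

def detect_failed_logins(log_text, threshold=5, window_seconds=120):
    """Return alerts for (a) one account failing >= threshold times and (b) one source
    failing against >= threshold distinct accounts, each within the sliding window.
    Each key alerts once, on the event that crosses the threshold."""
    by_account = defaultdict(deque)   # user -> deque of (timestamp, source ip)
    by_source = defaultdict(deque)    # ip   -> deque of (timestamp, user)
    fired, alerts = set(), []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                  # successful logins and unrelated lines are not counted
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        user, ip = m["user"], m["ip"]

        # Password guessing / cracking against one account (T1110.001, T1110.002)
        q = by_account[user]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ("password_guessing", user) not in fired:
            fired.add(("password_guessing", user))
            alerts.append(Alert("password_guessing", user, ip, len(q), q[0][0], ts))

        # Password spraying / credential stuffing from one source (T1110.003, T1110.004)
        s = by_source[ip]
        s.append((ts, user))
        while (ts - s[0][0]).total_seconds() > window_seconds:
            s.popleft()
        distinct = {u for _, u in s}
        if len(distinct) >= threshold and ("password_spraying", ip) not in fired:
            fired.add(("password_spraying", ip))
            alerts.append(Alert("password_spraying", ip, ip, len(distinct), s[0][0], ts))
    return alerts

if __name__ == "__main__":
    for a in detect_failed_logins(SAMPLE_LOG):
        print(f"{a.kind}: {a.subject} ({a.count} in window, "
              f"{a.first.time()}..{a.last.time()}) via {a.source}")
```

In the sample, alice's five failures in 79 seconds raise the guessing alert, the five different accounts tried from 198.51.100.9 raise the spraying alert, and grace's two failures ten minutes apart raise nothing. The same two windows map directly onto SIEM correlation rules; the thresholds and window are the tunable values the text leaves to the organization.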
References
Phishing-resistant MFA (2.7)
Outcome
Add a critical, additional layer of security to protect asset accounts whose credentials have been compromised.
TTPs or risk addressed
- Brute force (T1110)
- Remote services – Remote desktop protocol (T1021.001)
- Remote services – SSH (T1021.004)
- Valid accounts (T1078, ICS T0859)
- External remote services (ICS T0822)
Recommended action
Implement MFA for access to assets using the strongest available method for that asset (see below for scope). MFA options sorted by strength, from high to low, are as follows:
- Hardware-based, phishing-resistant MFA (e.g., FIDO/WebAuthn or public key infrastructure (PKI) based)
- Mobile app-based soft tokens (preferably push notification with number matching) or emerging technology such as FIDO passkeys if such hardware-based MFA is not available
- MFA via short message service (SMS) or voice when no other options are possible
Note about IT: All IT accounts leverage MFA to access organizational resources. Prioritize accounts with highest risk, such as privileged administrative accounts for key IT systems.
Note about OT: Within OT environments, enable MFA on all accounts and systems that can be accessed remotely, including vendors/maintenance accounts, remotely accessible user and engineering workstations, and remotely accessible human-machine interfaces (HMIs).
References
- PR.AA-01 from the NIST Cybersecurity Framework 2.0
- PR.AA-03 from the NIST Cybersecurity Framework 2.0
- PR.AA-05 from the NIST Cybersecurity Framework 2.0
- Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)
- Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)
Basic and OT cyber security training (2.8)
Outcome
Organizational users learn and perform more secure behaviours. If applicable, personnel responsible for securing OT assets receive specialized OT-focused cyber security training.
TTPs or risk addressed
- User training (M1017, ICS M0917)
Recommended action
Provide training that covers basic security and privacy concepts, such as phishing, business email compromise, basic operational security (OPSEC), password security, privacy breaches and foster an internal culture of security and cyber awareness. Provide training for all employees and contractors, at a minimum annually. Require that new employees receive initial cyber security training during onboarding and recurring training at least annually, and when required by system changes or following certain events.
Ensure security and privacy programs collaborate on developing awareness and training policy and procedures.
Note about OT: In addition to basic cyber security training, ensure that personnel who maintain or secure OT as part of their regular duties receive OT-specific cyber security training at least annually.
References
Strong and agile encryption – data in transit (2.9)
Outcome
Effective encryption deployed to maintain confidentiality of sensitive data and integrity of network traffic passing through IT, OT and cloud environments.
TTPs or risk addressed
- Adversary-in-the-middle (T1557)
- Automated collection (T1119)
- Network sniffing (T1040, ICS T0842)
- Wireless compromise (ICS T0860)
- Wireless sniffing (ICS T0887)
Recommended action
Use properly configured and up-to-date transport layer security (TLS) to protect data in transit, when technically feasible; the older secure sockets layer (SSL) protocols and early TLS versions are obsolete and should be disabled. Identify any use of outdated or weak encryption, update it to sufficiently strong algorithms, and plan for the migration to post-quantum cryptography. Encrypt data in transit with an appropriate and approved strength of encryption in accordance with the sensitivity of the data.
Note about OT: To minimize the impact on latency and availability, use encryption where feasible, typically for OT communications that connect with remote or external assets.
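What "properly configured and up-to-date" looks like in code, as an added example (not the toolkit's): a Python ssl client context with TLS 1.2 as the floor, certificate and hostname verification left on, and only forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are fixed by the protocol and unaffected by set_ciphers). The summary function returns plain values that can go into an audit record. Hybrid post-quantum key exchange depends on the OpenSSL build in use and is not configured here; the cafile parameter is an assumption for the case of a private CA on OT gateways.

```python
import ssl

# Substrings that mark suites no longer acceptable for data in transit
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")

def hardened_client_context(cafile=None):
    """Client-side TLS context: verified peers, TLS 1.2 floor, forward-secret AEAD suites only.

    cafile: optional PEM bundle (e.g., a private CA used for OT gateways); the platform
    trust store is used when it is None."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL")   # TLS 1.2 suites; TLS 1.3 is unaffected
    return ctx

def summarize(ctx):
    """Plain-value description of a context for an audit log or a test."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,        # e.g. "TLSv1_2"
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        # TLS 1.2 names start with ECDHE; TLS 1.3 names (TLS_...) always use (EC)DHE
        "forward_secret_only": all(n.startswith(("ECDHE", "TLS_")) for n in names),
        "weak_ciphers": [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)],
    }

if __name__ == "__main__":
    for key, value in summarize(hardened_client_context()).items():
        print(f"{key}: {value}")
```

Pass the context to whichever client library is in use (for example as the ssl_context argument of urllib or an HTTP client); the summary is what a reviewer compares against the policy rather than reading the cipher string by eye.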
References
Secure sensitive data – data at rest (2.10)
Outcome
Protect sensitive information from unauthorized access.
TTPs or risk addressed
- Unsecured credentials (T1552)
- Steal or forge Kerberos tickets (T1558)
- OS credential dumping (T1003)
- Data from information repositories (T1213, ICS T0811)
- Theft of operational information (ICS T0882)
Recommended action
Ensure sensitive data, including credentials, is not stored in plain text anywhere in the organization and can only be accessed by authenticated and authorized users. Store credentials in a secure manner, such as with a credential/password manager or vault or other privileged account management solution. Encrypt sensitive data at rest with appropriate and approved strength of encryption in accordance with the sensitivity of the data.
References
Email security (2.11)
Outcome
Reduce risk from common email-based threats, such as spoofing, phishing, and interception.
TTPs or risk addressed
- Phishing (T1566)
- Business email compromise
Recommended action
On all corporate email infrastructure:
- enable STARTTLS
- enable sender policy framework (SPF) and DomainKeys Identified Mail (DKIM)
- ensure Domain-based Message Authentication, Reporting and Conformance (DMARC) is enabled and set to “reject”
Additionally, set encryption for email to an appropriate and approved level in accordance with the sensitivity of the email contents.
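Checks of the DNS TXT records behind SPF, DKIM and DMARC, as an added example (not from the toolkit). Each function takes a record string and returns (severity, message) findings, so it runs offline on the constructed records below; it does not resolve DNS, follow SPF include chains, or verify DKIM keys (the DKIM key value shown is a placeholder). STARTTLS is a mail server setting rather than a DNS record and is not covered.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS query

# Constructed records for example.com. The DKIM public key is a placeholder, not a real key.
WEAK = {
    "spf":   "v=spf1 include:_spf.example.net a mx +all",
    "dkim":  "v=DKIM1; k=rsa; t=y; p=",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
STRONG = {
    "spf":   "v=spf1 include:_spf.example.net mx -all",
    "dkim":  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}

def parse_tags(record):
    """Parse 'tag=value; tag=value' syntax (DMARC and DKIM records) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Findings for an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "SPF: record must begin with v=spf1")]
    findings = []
    # mechanism/modifier name with qualifier and arguments stripped, e.g. "include:x" -> "include"
    names = [re.split(r"[:=/]", t.lower().lstrip("+-~?"), maxsplit=1)[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_MECHANISMS)
    if lookups > 10:                                   # RFC 7208 section 4.6.4 limit
        findings.append(("high", f"SPF: {lookups} lookup mechanisms; more than 10 yields permerror"))
    if "ptr" in names:
        findings.append(("medium", "SPF: ptr mechanism is deprecated and slow to evaluate"))
    if "all" not in names:
        findings.append(("high", "SPF: no 'all' mechanism, so unlisted senders evaluate as neutral"))
    else:
        last_all = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"][-1]
        qualifier = last_all[0] if last_all[0] in "+-~?" else "+"   # bare "all" means "+all"
        if qualifier == "+":
            findings.append(("high", "SPF: '+all' authorizes every host on the Internet to send as this domain"))
        elif qualifier == "?":
            findings.append(("high", "SPF: '?all' is neutral and provides no protection"))
        elif qualifier == "~":
            findings.append(("info", "SPF: '~all' softfails; '-all' is stricter and pairs better with p=reject"))
    return findings

def check_dkim(record):
    """Findings for a DKIM public-key record (<selector>._domainkey.<domain>)."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":              # v= is optional but must be DKIM1 if present
        findings.append(("high", "DKIM: v tag present but not DKIM1"))
    if not tags.get("p"):
        findings.append(("high", "DKIM: empty p= tag means the key is revoked; signatures will not verify"))
    if "y" in tags.get("t", "").split(":"):
        findings.append(("medium", "DKIM: t=y testing flag set; remove it once signing is verified in production"))
    return findings

def check_dmarc(record):
    """Findings for a DMARC record (_dmarc.<domain>)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return [("high", "DMARC: record must begin with v=DMARC1")]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append(("high", "DMARC: required p= tag missing; the record is invalid"))
    elif policy != "reject":
        findings.append(("high", f"DMARC: p={policy}; goal 2.11 calls for p=reject"))
    if "sp" in tags and tags["sp"] != "reject":
        findings.append(("medium", f"DMARC: subdomain policy sp={tags['sp']} is weaker than reject"))
    if tags.get("pct", "100") != "100":
        findings.append(("medium", f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(("info", "DMARC: no rua= address, so no aggregate reports will be received"))
    return findings

def audit(records):
    """Run all three checks over a {'spf': ..., 'dkim': ..., 'dmarc': ...} mapping."""
    return {"spf": check_spf(records["spf"]),
            "dkim": check_dkim(records["dkim"]),
            "dmarc": check_dmarc(records["dmarc"])}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        for kind, found in audit(recs).items():
            print(f"{label} {kind}: {found or 'OK'}")
```

The weak set is the combination seen on many domains that believe they have "enabled" these controls: an SPF record ending in +all, a DKIM selector left in testing mode with its key removed, and a DMARC policy of none applied to half the mail stream. The strong set is the configuration goal 2.11 asks for.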
References
Disable macros by default (2.12)
Outcome
Reduce the risk from embedded macros and similar executable code, a common and highly effective threat actor TTP.
TTPs or risk addressed
- Phishing – Spearphishing attachment (T1566.001)
- User execution – Malicious file (T1204.002)
Recommended action
Establish a system-enforced policy that disables Microsoft Office macros or similar embedded code by default on all devices. If macros must be enabled in specific circumstances, set a policy for authorized users to request that macros are enabled on specific assets.
References
Hardware and software approval process (2.13)
Outcome
Increase visibility into deployed technology assets and reduce the likelihood of breach by users installing unapproved hardware, firmware, or software.
TTPs or risk addressed
- Supply chain compromise (T1195, ICS T0862)
- Hardware additions (T1200)
- Browser extensions (T1176)
- Transient cyber asset (ICS T0864)
Recommended action
Implement an administrative policy or automated process that requires approval before new hardware, firmware, or software/software version is installed or deployed. Maintain a risk-informed allow list of approved hardware, firmware and software that includes specification of approved versions, when technically feasible. For OT assets specifically, align these actions with defined change control and testing activities.
References
System backups and redundancy (2.14)
Outcome
Organizations reduce the likelihood and duration of data loss and of disruption to service delivery or operations.
TTPs or risk addressed
- Data destruction (T1485, ICS T0809)
- Data encrypted for impact (T1486)
- Disk wipe (T1561)
- Inhibit system recovery (T1490)
- Denial of control (ICS T0813)
- Denial/loss of view (ICS T0815, ICS T0829)
- Loss of availability (ICS T0826)
- Loss/manipulation of control (ICS T0827, ICS T0831)
Recommended action
Back up on a regular cadence all systems that are necessary for operations. Determine on a case-by-case basis what systems to back up and the exact frequency since every system will have different backup and recovery requirements. Store backups separately from the source systems and test on a recurring basis, no less than once per year. Ensure stored information for OT assets includes at a minimum:
- configurations
- roles
- programmable logic controller (PLC) logic
- engineering drawings
- tools
Implement adequate redundancies (as determined by the organization) such as network components and data storage. Ensure that the redundant secondary system is not collocated with the primary system and can be activated without loss of information or disruption to operations.
References
- PR.DS-11 from the NIST Cybersecurity Framework 2.0
- Tips for backing up your information (ITSAP.40.002)
- Baseline cyber security controls for small and medium organizations
- Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035)
- Top 10 IT security actions – No. 7 protect information at the enterprise level (ITSM.10.097)
- Security considerations for your website (ITSM.60.005)
Log collection (2.15)
Outcome
Achieve better visibility to detect and effectively respond to cyberattacks.
TTPs or risk addressed
- Delayed, insufficient, or incomplete ability to detect and respond to potential cyber incidents.
- Impair defences (T1562)
Recommended action
Collect and store logs for use in both detection and incident response activities (e.g., forensics), including the following logs:
- access- and security-focused sources (e.g., intrusion detection and intrusion prevention systems (IDS/IPS))
- firewalls
- data loss prevention (DLP)
- virtual private networks (VPN)
Security teams are notified when a critical log source is disabled, such as Windows event logging.
Note about OT: For OT assets where logs are non-standard or not available, collect network traffic and communications between those assets and other assets.
References
Secure and central log storage (2.16)
Outcome
Organizations’ security logs are protected from unauthorized access and tampering.
TTPs or risk addressed
- Indicator removal on host – Clear Windows events logs (T1070.001)
- Indicator removal on host – Clear Linux or Mac system logs (T1070.002)
- Indicator removal on host – File deletion (T1070.004)
- Indicator removal on host (ICS T0872)
Recommended action
Ensure logs are stored in a central system, such as a security information and event management (SIEM) tool or central database and can only be accessed or modified by authorized and authenticated users. Store logs for a duration informed by risk or pertinent regulatory guideline.
References
Prohibit connection of unauthorized devices (2.17)
Outcome
Prevent malicious actors from achieving initial access or data exfiltration via unauthorized portable media devices.
TTPs or risk addressed
- Hardware additions (T1200)
- Replication through removable media (T1091, ICS T0847)
Recommended action
Maintain policies and processes to ensure that unauthorized media and hardware are not connected to IT and OT assets, such as by limiting use of USB devices and removable media or disabling AutoRun.
Note about OT: Establish procedures to remove, disable, or otherwise secure physical ports to prevent the connection of unauthorized devices, or establish procedures for granting access through approved exceptions.
References
Limit OT connections to public internet (2.18)
Outcome
Reduce the risk of threat actors exploiting or interrupting OT assets connected to the public internet.
TTPs or risk addressed
- Active scanning – Vulnerability scanning (T1595.002)
- Exploit public-facing application (T1190, ICS T0819)
- Exploitation of remote service (T1210, ICS T0866)
- External remote Services (T1133, ICS T0822)
Recommended action
Ensure no OT assets are on the public Internet, unless explicitly required for operation. Require that exceptions be justified and documented and that excepted assets have additional protections in place to prevent and detect exploitation attempts (e.g., logging, MFA, mandatory access via proxy or other intermediary).
References
Document device configurations (2.19)
Outcome
More efficiently and effectively manage, respond to, and recover from cyber attacks against the organization and maintain service continuity.
TTPs or risk addressed
- Delayed, insufficient or incomplete ability to maintain or restore functionality of critical devices and service operations.
Recommended action
Maintain accurate documentation describing the baseline and current configuration details of all critical IT and OT assets to facilitate more effective vulnerability management and response and recovery activities. Perform and track periodic reviews and updates.
References
No exploitable services on the Internet (2.20)
Outcome
Unauthorized users cannot gain an initial system foothold by exploiting known weaknesses in public-facing assets.
TTPs or risk addressed
- Active scanning – Vulnerability scanning (T1595.002)
- Exploit public-facing application (T1190, ICS T0819)
- Exploitation of remote services (T1210, ICS T0866)
- External remote services (T1133, ICS T0822)
- Remote services – Remote desktop protocol (T1021.001)
Recommended action
Ensure assets on the public Internet do not expose any exploitable services, such as remote desktop protocol. Where these services must be exposed, implement appropriate compensating controls to prevent common forms of abuse and exploitation. Disable all unnecessary OS applications and network protocols on Internet-facing assets.
References
Secure administrator workstation (SAW) (2.21)
Outcome
Limited-use dedicated SAWs reduce cyber security risks from malware, phishing and pass-the-hash (PtH) attacks. This allows administrators (i.e., users with privileged access) to securely connect to the organization's network.
TTPs or risk addressed
- Credential dumping (T1003)
- Use alternate authentication method (T1550)
- Exploitation for privilege escalation (T1068)
- Exploitation for privilege escalation (ICS T0890)
- Valid accounts (T1078)
- Remote services (T1021)
- Command and scripting interpreter (T1059)
- Data from local system (T1005)
- Exploitation for defense evasion (T1211)
- Account discovery (T1087)
- Network sniffing (T1040)
Recommended action
Organizations provide administrators with SAWs to perform their administrative tasks. Create secure and hardened SAWs by implementing the following:
- Isolate SAWs from the public IT network, and when present, from the data plane.
- Deactivate capability to install other software.
- Restrict access to the Internet or email services.
- For cloud administration from this dedicated workstation, ensure it requires a VPN or allow lists to access the cloud tenancy.
References
- PR.AA-05 from the NIST Cybersecurity Framework 2.0
- PR.PS-01 from the NIST Cybersecurity Framework 2.0
- PR.PS-02 from the NIST Cybersecurity Framework 2.0
- PR.PS-03 from the NIST Cybersecurity Framework 2.0
- PR.PS-04 from the NIST Cybersecurity Framework 2.0
- PR.PS-05 from the NIST Cybersecurity Framework 2.0
- Top 10 IT security actions: No. 3 managing and controlling administrative privileges (ITSM.10.094)
- Foundational cyber security actions for small organizations (ITSAP.10.300)
Detect (3)
Detect relevant threat and TTPs (3.0)
Outcome
Organizations are aware of and able to detect relevant threats and TTPs in a timely manner.
TTPs or risk addressed
- Without knowledge of relevant threats and the ability to detect them, organizations risk that threat actors may exist undetected in their networks for long periods.
Recommended action
Document a list of threats and cyber threat actor TTPs relevant to the organization (for example, based on industry, sectors, etc.), and ensure the ability to detect instances of those key threats (for example, through rules, alerting, or commercial prevention and detection systems).
References
- ID.RA-02 from the NIST Cybersecurity Framework 2.0
- ID.RA-03 from the NIST Cybersecurity Framework 2.0
- DE.CM-01 from the NIST Cybersecurity Framework 2.0
- DE.CM-03 from the NIST Cybersecurity Framework 2.0
- DE.CM-06 from the NIST Cybersecurity Framework 2.0
- Best practices for setting up a security operations centre (SOC) (ITSAP.00.500)
- Network security logging and monitoring (ITSAP.80.085)
Respond (4)
Incident reporting (4.0)
Outcome
The Cyber Centre and other organizations are better able to aid or understand the broader scope of a cyber attack.
TTPs or risk addressed
- Without timely incident reporting, the Cyber Centre and other groups are less able to assist affected organizations and lack critical insight into the broader threat landscape (such as whether a broader attack is occurring against a specific sector).
Recommended action
Maintain codified policy and procedures that specify which external entities all confirmed cyber security incidents are reported to, and how.
Report known incidents to the Cyber Centre and other parties within time frames directed by applicable regulatory guidance or, in the absence of guidance, as soon as capable of doing so safely.
References
Recover (5)
Incident planning and preparedness (5.0)
Outcome
Organizations are capable of safely and effectively recovering from a cyber security incident.
TTPs or risk addressed
- Disruption to availability of an asset, service, or system.
Recommended action
Develop, maintain and execute plans to recover and restore to service business or mission-critical assets or systems that might be impacted by a cyber security incident.
If a cyber incident does occur, perform a hotwash post-recovery to determine lessons learned and prevent future incidents. Integrate any lessons learned into improvements in governance processes and/or the incident response plan.
References
- RC.RP-01 from the NIST Cybersecurity Framework 2.0
- ID.IM-02 from the NIST Cybersecurity Framework 2.0
- ID.IM-03 from the NIST Cybersecurity Framework 2.0
- ID.IM-04 from the NIST Cybersecurity Framework 2.0
- Developing your incident response plan (ITSAP.40.003)
- Developing your IT recovery plan (ITSAP.40.004)