Beyond Firewalls: The Recover Function

CSF Core Function Five: Recover

In this sixth and last part of the series, we will introduce the “Recover” function of the NIST-CSF.

With three categories and six subcategories, this is by far the shortest and least-detailed function of the Framework. Even the three categories are really only two distinct ones, planning and communications, since the improvements category relates entirely to the planning process. In other functions, improvement is in fact only a subcategory, not a category.

It is rather puzzling that so little attention was paid to this function. Size doesn’t always matter, but in this case the brevity is a major flaw and ignores two facts. One, the very real possibility that even smaller-scale disruptions can threaten the very survival of a business if not handled properly. The common examples in the physical realm are fire and other disasters – over 25% of businesses that experience such damage don’t survive. Two, the increasing frequency of failures or breaches (see part five), which makes cyber incident response, and thus recovery, an almost routine event. Paying only cursory attention to recovery programs that go beyond “putting out the fire” creates new risks to the organization.

For our clients, novaturient suggests using enhanced recovery categories that are more in line with the rest of the framework, and, more importantly, enable them to continuously operate in the face of cyber and other disruptions. Specifically, we add a Business Continuity and Resilience category and three subcategories to the lineup, and modify several other subcategories:


