Framework Category

Incident Mitigation

Incident Mitigation focuses on minimizing damage by containing and eradicating incidents.

It also addresses newly discovered vulnerabilities through mitigation or formal risk acceptance.

Implementation Questions

RS.MI-01

Incidents are contained

Do your cybersecurity technologies and security features in other systems automatically perform containment actions when threats are detected?

Automatic containment actions are security measures that isolate or restrict potentially malicious activities without requiring manual intervention. Examples include antivirus software automatically quarantining infected files, firewalls blocking suspicious network traffic, intrusion prevention systems terminating suspicious connections, and endpoint protection platforms isolating compromised devices from the network.

Does your incident response process allow responders to manually select and execute containment actions during security incidents?

Effective incident response requires the ability for responders to make real-time decisions about how to contain threats based on the specific nature of each incident. Manual containment options might include isolating affected systems from the network, suspending compromised accounts, blocking specific IP addresses, or shutting down vulnerable services. These capabilities are essential because automated responses may not be appropriate for all scenarios and could potentially cause business disruption if not carefully managed.

Does your organization have formal agreements with third parties (e.g., ISPs, MSSPs) authorizing them to perform containment actions during security incidents?

This question assesses whether your organization has established formal relationships with trusted third parties who can act quickly to contain security incidents on your behalf. Such arrangements can be crucial during critical incidents when internal resources may be overwhelmed or when specialized expertise is required for effective containment.

Does your organization automatically transfer compromised endpoints to a remediation VLAN for isolation and remediation?

Automatically moving compromised endpoints to a separate remediation VLAN helps contain potential security incidents by isolating the affected device from the rest of the network. This prevents lateral movement by attackers and limits the spread of malware while allowing security teams to safely investigate and remediate the issue without disrupting normal network operations. The system should be able to identify compromised endpoints through security monitoring tools and automatically trigger the VLAN transfer without manual intervention.
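The containment decisions described in the RS.MI-01 questions above (automatic actions, manually approved actions, and the remediation VLAN move) can be expressed as a small policy engine. The following is an added example and not code from the page or from ResponseHub; the VLAN id, the critical-asset list, and the alert fields are constructed assumptions standing in for a real asset inventory and monitoring feed.

```python
from dataclasses import dataclass, field

# Constructed policy values for this example; in practice they come from
# the asset inventory and the network design.
REMEDIATION_VLAN = 999
CRITICAL_ASSETS = {"db-prod-01", "erp-app-01"}  # isolation needs a human decision

@dataclass
class Alert:
    host: str        # endpoint the monitoring tool flagged
    severity: str    # "low" | "medium" | "high"
    src_ip: str      # remote address involved in the alert
    user: str = ""   # account involved, if any

@dataclass
class ContainmentPlan:
    auto: list = field(default_factory=list)    # executed without a human
    manual: list = field(default_factory=list)  # queued for a responder

def plan_containment(alert: Alert) -> ContainmentPlan:
    """Map an alert to containment actions, split into automatic and manual."""
    plan = ContainmentPlan()
    if alert.severity == "low":
        return plan  # record only; nothing to contain
    high = alert.severity == "high"
    # Candidate actions, each tagged with whether it is safe to automate here.
    actions = [(f"block_ip:{alert.src_ip}", high)]
    if alert.user:
        actions.append((f"suspend_account:{alert.user}", high))
    # Moving a business-critical host to the remediation VLAN is never automatic,
    # because an automated response could cause business disruption.
    actions.append((f"move_to_vlan:{alert.host}:{REMEDIATION_VLAN}",
                    high and alert.host not in CRITICAL_ASSETS))
    for action, automatic in actions:
        (plan.auto if automatic else plan.manual).append(action)
    return plan

def execute(plan: ContainmentPlan, executor) -> list:
    """Run automatic actions via executor(action) -> bool; return an audit trail."""
    trail = [(a, "executed" if executor(a) else "failed") for a in plan.auto]
    trail += [(a, "awaiting_approval") for a in plan.manual]
    return trail

if __name__ == "__main__":
    # Constructed alert; the executor is a stand-in for the real EDR/NAC API calls.
    sample = Alert("ws-finance-07", "high", "203.0.113.45", "jdoe")
    for entry in execute(plan_containment(sample), lambda action: True):
        print(entry)
```

The audit trail is what a responder or auditor would review to answer the "automatic versus manual containment" questions for a given incident.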

RS.MI-02

Incidents are eradicated

Does your organization implement automated eradication capabilities within cybersecurity technologies and security features of other technologies?

Automated eradication capabilities allow systems to automatically remove or neutralize identified threats without requiring manual intervention. Examples include anti-malware solutions that automatically quarantine or delete malicious files, intrusion prevention systems that block malicious traffic, and operating systems that automatically remove unauthorized applications or revert to secure configurations.

Does your incident response system allow authorized responders to manually select and execute eradication actions during security incidents?

This question assesses whether incident responders have the necessary control to manually choose and implement specific actions to eliminate threats from your environment. Manual eradication capabilities are crucial when automated responses are insufficient or when incidents require human judgment to determine the most appropriate remediation approach without causing operational disruptions.

Does your organization have formal agreements in place with third-party security providers to perform incident eradication actions on your behalf?

Third-party security providers (such as Managed Security Service Providers) can offer specialized expertise and resources for eradicating security incidents that may exceed internal capabilities. These arrangements should clearly define the scope of authority, procedures, and communication protocols for when and how third parties can take eradication actions within your environment.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub