5.6 Describe concepts as documented in NIST.SP800-86
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. What is Preparation in NIST.SP800-61?
Preparation is the first phase of the NIST Incident Response Life Cycle. Its goal is to make sure an organization is ready to respond to cyber incidents quickly and efficiently.
During preparation, you:
- Identify key stakeholders in the organization.
- Define roles and responsibilities for incident response.
- Ensure policies, tools, and communication methods are ready.
Think of this as setting up a “cyber emergency plan” before anything goes wrong.
2. Understanding Stakeholders
Stakeholders are people or teams in an organization who have a role in handling or supporting an incident.
Key IT Stakeholders:
| Stakeholder | Role in IR Preparation | Example in IT Environment |
|---|---|---|
| CISO (Chief Information Security Officer) | Sets overall security strategy, approves IR plan | Decides which security tools (like SIEM or firewall logs) are used |
| IT Operations Team | Maintains systems and networks | Ensures servers and networks are up and running during incidents |
| Security Analysts / SOC Team | Detect and analyze security incidents | Monitor SIEM dashboards for unusual logins or malware alerts |
| Incident Response Team / IR Manager | Leads incident response | Coordinates actions when malware or ransomware is detected |
| Legal / Compliance Team | Ensures adherence to laws and regulations | Checks if data breach notifications are required under GDPR |
| Management / Executives | Approve resources and decisions | Allocate budget for emergency response or for forensic tools |
| Communications / PR Team | Handles internal and external messaging | Drafts alerts for employees or public statements in case of a breach |
| HR / Employee Relations | Manages insider threats | Assists if a current employee is suspected of data theft |
| Vendors / Third-Party Partners | Support external tools or services | Cloud provider helps recover compromised virtual machines |
3. NIST IR Categories
NIST.SP800-61 defines four main IR categories where stakeholders are involved:
- Preparation – making the organization ready (focus of this section)
- Detection & Analysis – identifying the incident
- Containment, Eradication, and Recovery – stopping and removing threats
- Post-Incident Activity / Lessons Learned – improving processes
In preparation, the focus is mapping the stakeholders to their responsibilities.
4. Mapping Stakeholders to the Preparation Phase
During preparation, each stakeholder’s role is defined. Here’s how it works:
| NIST IR Phase | Stakeholder | Responsibilities |
|---|---|---|
| Preparation | CISO | Approves IR policy, defines priorities |
| Preparation | IR Manager | Develops IR plan, identifies tools and workflows |
| Preparation | Security Analysts / SOC | Prepares monitoring rules, establishes alert thresholds |
| Preparation | IT Ops | Configures backups, ensures patching and updates |
| Preparation | Legal / Compliance | Reviews legal requirements for breach reporting |
| Preparation | PR / Communications | Creates template announcements for incidents |
| Preparation | HR | Develops insider threat reporting procedures |
| Preparation | Vendors | Confirms support SLAs and emergency contacts |
5. Tools and Processes to Prepare
In an IT environment, preparation includes:
- Incident Response Plan (IRP): Documented step-by-step procedures for responding to incidents.
- Playbooks: Pre-defined actions for common scenarios (e.g., malware infection, phishing attack).
- Monitoring Tools: SIEM, IDS/IPS, and antivirus systems to detect incidents.
- Communication Plan: Email, secure chat, or ticketing system to alert stakeholders quickly.
- Training & Drills: Regular exercises for stakeholders to practice incident response.
Example: A phishing email is reported → SOC analysts detect → IR manager coordinates containment → Legal ensures reporting compliance → Communications informs employees.
6. CMMC (Cybersecurity Maturity Model Certification) Alignment
CMMC requires organizations to formalize cybersecurity roles:
- CMMC Level 2 or 3: requires defined IR policies and trained personnel.
- Mapping stakeholders to IR categories demonstrates compliance with CMMC requirements.
- This lets auditors see who is responsible for each incident response activity.
7. Key Points for the Exam
- Preparation = defining people, processes, and technology before an incident.
- Map stakeholders to IR categories clearly, showing their roles in preparation.
- Focus on IT-related roles: SOC team, IR manager, IT operations, legal, HR, communications.
- Use playbooks, IR plan, monitoring tools, and training as evidence of preparation.
- Know the link to CMMC: defined roles and formalized policies support certification.
Quick Memory Tip:
“Prepare People, Prepare Process, Prepare Tools”
- People → Stakeholders (SOC, IR team, legal, management, etc.)
- Process → IR plan, playbooks, reporting procedures
- Tools → SIEM, IDS/IPS, communication systems, backup systems
This covers everything you need to map organization stakeholders in the preparation phase of NIST IR for the exam.
