Threat monitoring and response activities leverage and trigger predefined states of operation (SITUATION-3g)
Context and Guidance
Predefined states of operation are distinct operating modes (which typically include specific IT and OT configurations as well as alternate or modified procedures) that have been designed and implemented for the function and can be invoked by a manual or automated process in response to an event, a changing risk environment, or other sensory and awareness data to provide greater safety, resilience, reliability, and/or cybersecurity. For example, an ISAC publishes a bulletin notifying its members of a successful campaign targeting peer organisations that exploits a previously unknown vulnerability in a technology that is critical to the delivery of the organisation’s function. Based on this information, existing controls, and risk posture, the organisation deems the threat relevant. It invokes a decision process that results in declaration of a high-security operating state that trades off efficiency and ease of use in favour of increased security by blocking remote access and requiring a higher level of authentication and authorisation for certain commands. Ongoing monitoring of internal systems and the threat environment is employed to determine when to return to the normal state of operation.
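The example scenario above, as an added illustration that is not part of the C2M2 practice text: a small Python controller holds two predefined operating states, each bound to a configuration profile, evaluates an incoming bulletin against a constructed critical-technology inventory to decide whether the high-security state should be declared, enforces that state's profile on command requests (remote access blocked, stronger authentication for privileged commands), and uses repeated clean monitoring cycles to decide when to return to normal. The state names, profile values, command list, inventory entries and the two-cycle return rule are all assumptions chosen for the example.

```python
"""Predefined operating states driven by threat monitoring (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class OperatingState(Enum):
    NORMAL = "normal"
    HIGH_SECURITY = "high-security"


@dataclass(frozen=True)
class StateProfile:
    """The IT/OT configuration bound to one operating state (assumed values)."""
    remote_access_allowed: bool
    # Authentication strength demanded for privileged commands:
    # 1 = password only, 2 = MFA, 3 = MFA plus a second approver.
    min_auth_level_privileged: int


# Hypothetical profiles: normal favours ease of use; high-security blocks
# remote access and demands stronger authentication for sensitive commands.
STATE_PROFILES = {
    OperatingState.NORMAL: StateProfile(remote_access_allowed=True, min_auth_level_privileged=1),
    OperatingState.HIGH_SECURITY: StateProfile(remote_access_allowed=False, min_auth_level_privileged=3),
}

# Constructed list of commands that the high-security state treats as privileged.
PRIVILEGED_COMMANDS = {"set_setpoint", "change_firmware", "modify_acl"}

# Constructed asset inventory: technologies critical to delivery of the function.
CRITICAL_TECHNOLOGIES = {"plc-model-x", "historian-server"}

# Consecutive clean monitoring cycles required before returning to normal (assumed).
CLEAN_CYCLES_TO_RETURN = 2


@dataclass
class ThreatBulletin:
    """A simplified ISAC-style bulletin (constructed fields)."""
    source: str
    affected_technology: str
    exploited_in_the_wild: bool
    existing_controls_mitigate: bool


class OperatingStateController:
    def __init__(self) -> None:
        self.state = OperatingState.NORMAL
        self.clean_cycles = 0
        self.transitions: list = []  # audit trail of (from, to, reason)

    def _transition(self, new_state: OperatingState, reason: str) -> None:
        self.transitions.append((self.state, new_state, reason))
        self.state = new_state
        self.clean_cycles = 0

    def bulletin_is_relevant(self, b: ThreatBulletin) -> bool:
        """Decision rule: targets a critical technology, is being exploited,
        and existing controls do not already cover it."""
        return (b.affected_technology in CRITICAL_TECHNOLOGIES
                and b.exploited_in_the_wild
                and not b.existing_controls_mitigate)

    def handle_bulletin(self, b: ThreatBulletin) -> OperatingState:
        """Declare the high-security state when a relevant bulletin arrives."""
        if self.state is OperatingState.NORMAL and self.bulletin_is_relevant(b):
            self._transition(OperatingState.HIGH_SECURITY,
                             f"{b.source} bulletin on {b.affected_technology}")
        return self.state

    def handle_monitoring_cycle(self, indicators_observed: int,
                                mitigation_deployed: bool) -> OperatingState:
        """Ongoing monitoring decides when the heightened state can be lifted."""
        if self.state is not OperatingState.HIGH_SECURITY:
            return self.state
        if indicators_observed == 0 and mitigation_deployed:
            self.clean_cycles += 1
        else:
            self.clean_cycles = 0  # any new sighting restarts the clock
        if self.clean_cycles >= CLEAN_CYCLES_TO_RETURN:
            self._transition(OperatingState.NORMAL, "monitoring clean; mitigation in place")
        return self.state

    def authorize(self, command: str, via_remote: bool, auth_level: int):
        """Enforce the current state's profile on a command request."""
        profile = STATE_PROFILES[self.state]
        if via_remote and not profile.remote_access_allowed:
            return False, f"remote access blocked in {self.state.value} state"
        if command in PRIVILEGED_COMMANDS and auth_level < profile.min_auth_level_privileged:
            return False, (f"{command} requires auth level {profile.min_auth_level_privileged} "
                           f"in {self.state.value} state")
        return True, "allowed"


if __name__ == "__main__":
    ctl = OperatingStateController()
    ctl.handle_bulletin(ThreatBulletin("ISAC", "plc-model-x", True, False))
    print(ctl.state, ctl.authorize("set_setpoint", via_remote=True, auth_level=3))
    for _ in range(CLEAN_CYCLES_TO_RETURN):
        ctl.handle_monitoring_cycle(indicators_observed=0, mitigation_deployed=True)
    print(ctl.state, ctl.transitions)
```

The point of binding each state to a profile object is that the controls applied in the high-security state are designed and reviewed ahead of time, so the decision process only has to choose a state, not improvise configuration changes during an incident; the transition log gives the record needed to review both the declaration and the return to normal.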
Related Practices
• Dependency: Implementing this practice depends upon prior implementation of SITUATION-3g.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THREAT-2d, THREAT-2g, THREAT-2j.