Incident mitigation (RS.MI)
In this control family, we discuss how to mitigate, or contain and eradicate, the adverse event from the environment. We may need to work with third parties or trusted vendors in our environment to perform techniques that help us understand our attack surface and how the event happened in the first place.
RS.MI-01
We need to contain the event and prevent it from spreading across the network. This can include the use of firewalls, closing off ports between network segments, and applying patches. If we know which vulnerability was taken advantage of, we can look at our vulnerability management system to report whether other systems are affected. Once this is determined, we can move forward with patching or putting in compensating controls. We can also determine whether we can live without the service being offered and turn off the system.
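The triage described above can be run against an export from the vulnerability management system. The Python below is an added example, not part of the original text: the CSV columns, host names, finding IDs and the order in which the three options are tried (patch, then turn off, then compensating control) are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample export from a vulnerability management system.
# Column names, hosts and finding IDs are assumptions for this example.
SCAN_EXPORT = """host,segment,finding_id,port,patch_available,service_essential
web01,dmz,VULN-EXAMPLE-0001,8443,yes,yes
web02,dmz,VULN-EXAMPLE-0001,8443,no,yes
print01,office,VULN-EXAMPLE-0001,8443,no,no
db01,core,VULN-EXAMPLE-0002,5432,yes,yes
hr-app,office,VULN-EXAMPLE-0001,8443,yes,no
"""


def affected_hosts(export_text, exploited_id):
    """Return the rows for every system that carries the exploited vulnerability."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r for r in rows if r["finding_id"] == exploited_id]


def containment_action(row):
    """Choose one of the three options from the text for a single host."""
    if row["patch_available"] == "yes":
        return "patch"
    if row["service_essential"] == "no":
        # We can live without the service, so the system is turned off.
        return "turn off"
    # Essential service with no patch yet: fall back to a compensating control.
    return f"compensating control: block port {row['port']} into segment {row['segment']}"


def containment_plan(export_text, exploited_id):
    """Map each affected host to an action and list the segments it touches."""
    hosts = affected_hosts(export_text, exploited_id)
    plan = {r["host"]: containment_action(r) for r in hosts}
    segments = sorted({r["segment"] for r in hosts})
    return plan, segments


if __name__ == "__main__":
    plan, segments = containment_plan(SCAN_EXPORT, "VULN-EXAMPLE-0001")
    for host, action in plan.items():
        print(f"{host:10} {action}")
    print("Segments to review for spread:", ", ".join(segments))
```

The segment list tells us where ports between network segments should be reviewed first, since those segments already contain a system with the exploited vulnerability.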
We also need to engage with third-party vendors for their assistance. By reaching out to...