Domain 4
Domain Objectives

Domain weights (from the chart):
▪ Domain 1: Information Security Governance, 24%
▪ Domain 2: Information Security Risk Management, 30%
▪ Domain 3: Information Security Program Development and Management, 27%
▪ Domain 4: Information Security Incident Management, 19%
Domain 4 Overview
Section One
Task Statements
Task to Knowledge Statements
Key Terms
Incident: Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Incident management team: A specific group of people who determine how to manage incidents.
Incident response team: A group of people who prepare for and respond to any emergency incident.
Key Terms
Maximum tolerable outage (MTO): Maximum time that an enterprise can support processing in alternate mode.
Recovery point objective (RPO): Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective (RTO): The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Service delivery objective (SDO): Directly related to the business needs, the SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
Management and Response
Incident Classification
▪ Classifying incidents:
  – Enables an appropriate response for each incident
  – Improves cost effectiveness
  – Makes it easier to design detective controls
▪ Incidents are classified according to their causes and effects.
Discussion Question
The Incident Response Plan
Incident Response Teams
Team Composition
Good to Know
Incident Response Technology Concepts
Skills
Personal skills:
▪ Communication
▪ Writing skills
▪ Leadership
▪ Presentation skills
▪ Team building
▪ Problem solving
▪ Time management

Technical skills:
▪ Technical foundation skills
▪ Incident-handling skills
Multi-disciplinary Teams
Good to Know
Current State of Incident Response
Forensics
Communication
▪ Developing communications during an incident takes time away from other time-critical activities.
▪ Messaging criteria can differ depending on the incident.
▪ Templates can help to make communication easier and faster.
Quality-associated Factors
Time-associated Factors
Response and Recovery
Discussion Question
Plan Integration
Management Support
Questions
Section One
Practice Questions
Practice Question
Practice Question
Practice Question
Practice Question
Section Two
Task Statements
Task to Knowledge Statements
Key Terms
Training
Testing Considerations
Types of Tests
▪ Checklist review: Recovery checklists are reviewed to ensure they are current.
▪ Structured walkthrough: Team members walk through the plans on paper and review each step.
▪ Simulation test: The IRT role-plays prepared disaster scenarios without activating the recovery site.
▪ Parallel test: The recovery site is brought to a state of operational readiness, but the primary site continues as normal.
▪ Full interruption test: Operations are shut down at the primary site and shifted to the recovery site.
Testing Progression
Tests build up from the least to the most intrusive:
1. Table-top walkthrough of plans
2. Table-top walkthrough with disaster scenarios
3. Testing critical infrastructure and communication
4. Testing critical infrastructure and applications
5. Testing infrastructure, applications and recovery, with end user involvement
Testing Categories
Good to Know
Testing Phases
Evaluation Criteria
▪ Evaluation criteria depend on the type of test:
  – Paper tests focus on process.
  – Tests involving real systems should balance process with demonstrated outcomes.
▪ Testing can be used to highlight the importance of following procedures and to document the skills of the IRT.
▪ An independent third party should monitor and evaluate the test.
▪ Make note of procedures that did not work.
Questions
Section Two
Practice Questions
Practice Question
Practice Question
Practice Question
Practice Question
A. Governance
B. Risk management
C. Compliance
D. Information security
Section Three
Task Statements
▪ T4.3 Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
▪ T4.4 Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
▪ T4.5 Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
▪ T4.9 Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
K4.2 Significant experience over time has normalized a basic standard for
incident response planning.
K4.4 How incidents are evaluated and classified has implications for
procedures and trend analysis.
K4.6 Incidents can move quickly, and having clear thresholds for notification
and escalation helps to get the right people involved at the right time.
K4.7 Knowing what functions need to be completed and who is doing them is
important in avoiding gaps in planning and execution.
Task to Knowledge Statements
Key Terms
Intrusion detection system (IDS): Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack.
Intrusion prevention system (IPS): A system designed not only to detect attacks, but also to prevent the intended victim hosts from being affected by the attacks.
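The two definitions above say what an IDS and an IPS do, but not how a detector turns raw host and network activity into a decision. The Python block below is an added example and not part of the course material: a threshold-based detector that inspects constructed sshd authentication lines (host activity) and constructed flow records (network activity) for suspicious patterns, reports alerts as an IDS would, and then, as an IPS would, turns those alerts into block decisions so the intended victim host is not affected. The log lines, flow records, thresholds and function names are all assumptions made for this example.

```python
"""Threshold-based IDS/IPS logic over constructed sample activity.

Added example (not part of the CISM course material). Log lines, flow
records, thresholds and function names are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines: one source hammers several accounts
# within seconds, another source has two failures ninety seconds apart.
AUTH_LOG = """\
Mar  3 10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 50011 ssh2
Mar  3 10:00:02 host1 sshd[2202]: Failed password for root from 203.0.113.5 port 50012 ssh2
Mar  3 10:00:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 50013 ssh2
Mar  3 10:00:04 host1 sshd[2204]: Failed password for invalid user admin from 203.0.113.5 port 50014 ssh2
Mar  3 10:00:05 host1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 50015 ssh2
Mar  3 10:00:09 host1 sshd[2206]: Accepted password for alice from 198.51.100.7 port 41000 ssh2
Mar  3 10:01:30 host1 sshd[2207]: Failed password for alice from 198.51.100.7 port 41001 ssh2
Mar  3 10:03:00 host1 sshd[2208]: Failed password for alice from 198.51.100.7 port 41002 ssh2
"""

# Constructed connection records (timestamp, src_ip, dst_ip, dst_port):
# one source sweeps 25 ports on a single host, a legitimate client uses two.
FLOWS = [("2024-03-03 10:02:00", "203.0.113.9", "10.0.0.4", p) for p in range(20, 45)]
FLOWS += [("2024-03-03 10:02:01", "198.51.100.7", "10.0.0.4", 443),
          ("2024-03-03 10:02:02", "198.51.100.7", "10.0.0.4", 22)]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn sshd lines into (datetime, result, user, src) tuples.

    syslog timestamps carry no year, so the caller supplies it; lines that are
    not authentication decisions are ignored rather than treated as errors.
    """
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the day-padding double space
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Host-side pattern: `threshold` failed logins from one source inside a
    sliding window. Successful logins are not counted; each source alerts once,
    the first time it crosses the threshold."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, result, _user, src in sorted(events):
        if result != "Failed":
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) >= threshold and src not in alerts:
            alerts[src] = {"rule": "ssh_bruteforce", "src": src,
                           "count": len(window), "first": window[0], "last": ts}
    return list(alerts.values())


def detect_portscan(flows, threshold=20, window_seconds=60):
    """Network-side pattern: one source touching `threshold` distinct destination
    ports inside a sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for stamp, src, dst, port in sorted(flows):
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        window = recent[src]
        window.append((ts, port))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        ports = {p for _, p in window}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = {"rule": "port_scan", "src": src, "target": dst,
                           "count": len(ports), "first": window[0][0], "last": ts}
    return list(alerts.values())


def ips_block_decisions(alerts):
    """The IDS/IPS difference in one step: an IDS stops at the alerts above, an
    IPS also acts on them. Returns the sources to drop at the perimeter so the
    intended victim hosts are not affected."""
    return {a["src"] for a in alerts}


def run_ids(auth_text=AUTH_LOG, flows=FLOWS):
    """Run both detectors and derive the IPS action set."""
    alerts = detect_bruteforce(parse_auth_log(auth_text)) + detect_portscan(flows)
    return alerts, ips_block_decisions(alerts)


if __name__ == "__main__":
    found, blocked = run_ids()
    for a in found:
        print(f"{a['rule']}: {a['src']} ({a['count']} in window, {a['first']} .. {a['last']})")
    print("IPS would block:", sorted(blocked))
```

On the sample data only the two hostile sources trip a rule: the user who mistypes a password twice, ninety seconds apart, stays below the brute-force window and is neither alerted on nor blocked, which is the false-positive trade-off the thresholds exist to manage. A real IPS would also need an allow-list and an expiry on blocks, neither of which the example implements.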
Effectiveness and Efficiency
SIEM
Incident Management System Considerations
▪ Some considerations for incident management systems include:
  – Operating costs: In the absence of an automated incident management system, staff must perform these tasks manually. Training and maintenance costs are higher, and the risk of human error is higher.
  – Recovery costs: An automated system can detect and escalate incidents faster than a manual process, reducing further damage.
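The incident classification slide earlier in this domain and the considerations above both rest on rules that an automated system can apply consistently: classify by cause and effect, notify the stakeholders appropriate to that severity, and escalate when nobody acknowledges in time (the clear notification and escalation thresholds that K4.6 calls for). The Python block below is an added example, not the course's own material: the cause categories, impact levels, severity tiers, notification lists, acknowledgement deadlines and sample incidents are all constructed assumptions.

```python
"""Incident classification with notification and escalation thresholds.

Added example (not part of the CISM course material). The cause categories,
impact levels, severity tiers, notification lists, acknowledgement deadlines
and sample incidents are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Effect (business impact) and cause (what happened) both feed the score.
IMPACT_SCORE = {"none": 0, "minor": 1, "moderate": 2, "major": 3, "critical": 4}
CAUSE_WEIGHT = {"user_error": 0, "hardware_failure": 0, "malware": 1,
                "unauthorized_access": 1, "data_exfiltration": 2}

# Ordered from least to most severe; a score at or above the threshold earns the tier.
TIERS = ["SEV4", "SEV3", "SEV2", "SEV1"]
TIER_THRESHOLD = {"SEV4": 0, "SEV3": 2, "SEV2": 3, "SEV1": 5}

# Who must be notified at each tier (assumed stakeholder lists).
NOTIFY = {
    "SEV4": ["service-desk"],
    "SEV3": ["service-desk", "irt-lead"],
    "SEV2": ["service-desk", "irt-lead", "ciso"],
    "SEV1": ["service-desk", "irt-lead", "ciso", "legal", "executive-crisis-team"],
}

# How long a tier may sit unacknowledged before it is escalated one tier up.
ACK_DEADLINE = {"SEV4": timedelta(hours=24), "SEV3": timedelta(hours=4),
                "SEV2": timedelta(hours=1), "SEV1": timedelta(minutes=15)}


def classify(cause, impact, regulated_data=False):
    """Map cause and effect to a severity tier.

    Unknown categories raise rather than silently defaulting to the lowest tier,
    so a mis-entered incident is not quietly under-classified. Incidents that
    touch regulated data never score below SEV2 regardless of the arithmetic.
    """
    if cause not in CAUSE_WEIGHT or impact not in IMPACT_SCORE:
        raise ValueError(f"unknown cause/impact: {cause!r}/{impact!r}")
    score = IMPACT_SCORE[impact] + CAUSE_WEIGHT[cause]
    tier = max((t for t in TIERS if score >= TIER_THRESHOLD[t]), key=TIERS.index)
    if regulated_data and TIERS.index(tier) < TIERS.index("SEV2"):
        tier = "SEV2"
    return tier


def escalation_state(tier, reported_at, acknowledged_at, now):
    """Return (effective_tier, escalated).

    Each acknowledgement deadline that passes without an acknowledgement bumps
    the incident up one tier and starts the (shorter) clock of the new tier,
    so a neglected SEV3 reaches SEV1 after 4h + 1h of silence.
    """
    if acknowledged_at is not None:
        return tier, False
    waited = now - reported_at
    current = tier
    while current != "SEV1" and waited > ACK_DEADLINE[current]:
        waited -= ACK_DEADLINE[current]
        current = TIERS[TIERS.index(current) + 1]
    return current, current != tier


def triage(incidents, now):
    """Classify, escalate and build the notification list for each incident."""
    results = []
    for inc in incidents:
        initial = classify(inc["cause"], inc["impact"], inc.get("regulated_data", False))
        effective, escalated = escalation_state(initial, inc["reported_at"],
                                                inc.get("acknowledged_at"), now)
        results.append({"id": inc["id"], "initial": initial, "effective": effective,
                        "escalated": escalated, "notify": NOTIFY[effective]})
    return results


# Constructed sample incidents, evaluated at a fixed "now".
NOW = datetime(2024, 3, 3, 12, 0)
INCIDENTS = [
    {"id": "INC-1", "cause": "user_error", "impact": "minor",
     "reported_at": NOW - timedelta(hours=2), "acknowledged_at": NOW - timedelta(hours=1)},
    {"id": "INC-2", "cause": "malware", "impact": "moderate",
     "reported_at": NOW - timedelta(hours=6)},  # nobody has acknowledged it
    {"id": "INC-3", "cause": "data_exfiltration", "impact": "major", "regulated_data": True,
     "reported_at": NOW - timedelta(minutes=10)},
    {"id": "INC-4", "cause": "hardware_failure", "impact": "minor", "regulated_data": True,
     "reported_at": NOW - timedelta(minutes=30), "acknowledged_at": NOW - timedelta(minutes=20)},
]

if __name__ == "__main__":
    for r in triage(INCIDENTS, NOW):
        flag = " (escalated)" if r["escalated"] else ""
        print(f"{r['id']}: {r['initial']} -> {r['effective']}{flag}; notify {', '.join(r['notify'])}")
```

The part worth copying is the shape, not the numbers: the scoring table, the notification lists and the deadlines are data, so the security manager owns them and the tooling only applies them, and an incident that nobody picks up works its way to the executive tier on its own rather than waiting for someone to notice. The regulated-data floor shows how a legal or contractual obligation overrides the cause/effect arithmetic.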
Manual Reporting
Notification
Investigation
Triage
Escalation
External Notification
Preserving/Collecting Evidence
Documentation
Post-incident Review
Discussion Question
Good to Know
Questions
Section Three
Practice Questions
Practice Question
Practice Question
Practice Question
Practice Question
Domain 4
Summary