
Principles of Incident Response and Disaster Recovery, 2nd Edition, Whitman: Solutions Manual
PIRDR2 Ch06 Review Questions

1. What is the formal definition of a CSIRT?

The Computer Security Incident Response Team (CSIRT) is the set of people, policies, procedures, technologies, and information necessary to detect, react, and recover from an incident that could potentially result in unwanted modification, damage, destruction, or disclosure of the organization’s information.

2. What is the difference in the roles between the CSIRT and the IRPT?

Whereas the IRPT is primarily responsible for developing and implementing the policy and plans associated with incident response (IR), the CSIRT is responsible for responding to a notice from some predefined entity as to the possibility of an incident.

3. What is the most essential reason to involve upper management in the CSIRT formation process?

Only when top management authorizes it will subordinate managers ensure that these individuals are allowed to spend time away from their primary responsibilities to work on team development activities.

4. Is management approval a simple, one-time action?

Management support is not a one-time thing, needed only for the start-up of the CSIRT organization. The support must be constant and ongoing in order to sustain the efforts of the team and ensure long-term success in their efforts in managing incidents.

5. Among the skills needed by the CSIRT staff, what is required beyond technical skill?

In addition to the technical skills, managerial experience at creating and following policy and plans is highly desirable.


6. What are the structures most often used to develop CSIRTs?

Models used to develop IR teams tend to fall into one of three structural categories: central IR teams, distributed IR teams, or coordinating teams.

7. What are the most likely staffing models for CSIRTs?

IR teams are often developed along one of these three staffing models: employees, partially outsourced, or fully outsourced.

8. How does the need for 24/7 operations affect staffing decisions?

Larger organizations, as well as smaller ones that support critical infrastructures with high availability, usually need IR staff to be available 24/7.

9. How does the need to manage employee morale affect staffing decisions for CSIRTs?

IR work is very stressful, as are the on-call responsibilities of most team members. This makes it likely that IR team members will become overly stressed. Many organizations struggle to find willing, available, experienced, and properly skilled people to participate, particularly in 24-hour support.

10. How does the organizational structure impact staffing design for CSIRTs?

If an organization has independent departments, IR may be more effective if each department has its own IR team.

11. Once created, must a plan be maintained? How often should it be revisited?

Any plan will become outdated if not routinely reviewed and modified. At a minimum, the CSIRT development plan should be reviewed annually.

12. What are the guiding documents for CSIRT creation or maintenance?

The formal Incident Response Policy and the existing CSIRT plans that are derived from it must be the guiding documents.


13. What should be among the first tasks performed by an IR planning committee when forming a CSIRT?

Establishing the scope and responsibilities of the CSIRT is one of the first tasks to be performed.

14. What is meant by the “scope of operations” for a CSIRT?

This is an explanation of what systems fall under the responsibility of the CSIRT.

15. What purpose does the CSIRT mission statement provide?

A mission statement establishes the tone for the team and provides a path to the obtainment of its goals and objectives.

16. What are the two approaches that define a CSIRT’s philosophy with respect to incident response?

At one extreme is the protect and forget approach. At the other extreme is the apprehend and prosecute approach.

17. The services of a CSIRT can be grouped into which three categories?

CSIRT services can be grouped into three categories: reactive services, proactive services, and security quality management services.

18. Identify one advantage and one disadvantage of full-interruption testing of CSIRT plans.

Because each student may choose a different answer, see the text section on this topic to verify student responses.

19. What is an AAR, and why is it valuable to organizations?

The AAR is a detailed examination of the events that occurred, from first detection to final recovery. It is a useful tool in assessing and improving the operations of the CSIRT.

20. Why are performance measures collected for CSIRT activities?

This information can be used as a baseline in determining the effect of the CSIRT on the constituency and also used to tune and adjust CSIRT operations to make them more effective.
