
CISM EXAM PREP

DOMAIN 4
INFORMATION SECURITY INCIDENT MANAGEMENT

Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
This domain reviews the essential knowledge necessary to
establish an effective program to respond to and
subsequently manage incidents that threaten an
organization’s information systems and infrastructure.
DOMAIN OBJECTIVES

Ensure that the CISM Candidate has the knowledge necessary to:
• Identify, analyze, manage and respond effectively to unexpected
events that may adversely affect the organization’s information
assets and/or its ability to operate.
• Identify the components of an incident response plan.
• Evaluate the effectiveness of an incident response plan.
• Understand the relationship between an incident response plan, a
disaster recovery plan and a business continuity plan.
ON THE CISM EXAM

This domain represents 19% (approximately 28 questions) of the CISM exam.

Exam weighting by domain (pie chart):
• Domain 1: Information Security Governance, 24%
• Domain 2: Information Security Risk Management, 30%
• Domain 3: Information Security Program Development and Management, 27%
• Domain 4: Information Security Incident Management, 19%
DOMAIN 4 OVERVIEW

Planning and Integration
Readiness and Assessment
Identification and Response

Refer to the CISM Job Practice for Task and Knowledge Statements.
INCIDENT RESPONSE CONCEPTS

Incident handling involves:
• Detection and reporting
• Triage
• Analysis
• Incident response

Effective incident management ensures that incidents are detected, recorded and
managed to limit impacts.
Incident response encompasses the planning, coordination and execution of appropriate
mitigation, containment and recovery strategies and actions.
SECTION ONE
PLANNING AND INTEGRATION
TASK STATEMENTS

T4.1 Establish and maintain an organizational definition of, and severity hierarchy for,
information security incidents to allow accurate classification and categorization of and
response to incidents.
T4.2 Establish and maintain an incident response plan to ensure an effective and timely
response to information security incidents.
T4.8 Establish and maintain communication plans and processes to manage
communication with internal and external entities.
T4.10 Establish and maintain integration among the incident response plan, business
continuity plan and disaster recovery plan.
TASK TO KNOWLEDGE STATEMENTS

How does Section One relate to each of the following knowledge statements?

Knowledge Statement Connection

K4.1 The ideas behind incident response as a function of information risk management inform and influence the design of the program.
K4.2 Significant experience over time has normalized a basic
standard for incident response planning.
K4.3 Incident response activities may be linked to broader
activities for business continuity and disaster recovery.
K4.4 How incidents are evaluated and classified has implications
for procedures and trend analysis.
K4.5 An understanding of the ways in which the impact of
incidents may be contained helps ensure an effective,
comprehensive approach to incident response.
TASK TO KNOWLEDGE STATEMENTS

How does Section One relate to each of the following knowledge statements?

Knowledge Statement Connection

K4.6 Incidents can move quickly, and having clear thresholds for
notification and escalation helps to get the right people
involved at the right time.
K4.7 Knowing what functions need to be completed and who is
doing them is important in avoiding gaps in planning and
execution.
K4.9 Special considerations apply to collecting and storing data
and equipment that may be needed as evidence in a court
of law.
K4.10 In addition to organizational requirements, law and
regulation may mandate reporting under certain
circumstances.
K4.16 Regular, realistic evaluation and testing of response plans
is important to their being ready for use when needed.
KEY TERMS

Key Term Definition

Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review.
Event: Something that happens at a specific place and/or time.
Gap analysis: A method of assessing the differences in performance between the current state of operations, systems, etc., as compared with the desired state, resulting in a plan to close any “gaps” discovered.
Incident: Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Incident management team: A specific group of people who determines how to manage incidents.
Incident response team: A group of people who prepare for and respond to any emergency incident.
KEY TERMS

Key Term Definition

Maximum allowable downtime: The absolute longest amount of time that the system can be unavailable without direct or indirect ramifications to the organization.
Maximum tolerable outage: Maximum time that an enterprise can support processing in alternate mode.
Recovery point objective: Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective: The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Service delivery objective: Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.

See www.isaca.org/glossary for more key terms.


MANAGEMENT AND RESPONSE

Incident management is a subset of risk management.

The goals of incident management are to:
• Contain disruptive impact to manageable levels
• Restore normal operations within acceptable time frames

Incident management is driven by risk appetite.

Incident response encompasses the operational capabilities of incident management.
INCIDENT CLASSIFICATION

Classifying incidents:
• Enables an appropriate response for each incident
• Improves cost effectiveness
• Makes it easier to design detective controls

Incidents are classified according to causes/effects.

DISCUSSION QUESTION

What are some types of information security incidents?
COMMON INCIDENT TYPES

• Malicious code attacks
• Hoaxes/social engineering
• Unauthorized access to IT or information sources
• Surveillance and espionage
• Unauthorized use of services
• Unauthorized changes to systems, network devices or information
• DoS/DDoS attacks
• Physical disruption
THE INCIDENT RESPONSE PLAN

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Assessment


THE PLANNING PROCESS

Knowing the organization’s risk appetite and goals is the first step:
• Determine how your organization defines “acceptable” incident response.
• Analyze gap between current and desired capabilities.
• Build a plan to close the gap using good practices.

Be sure to take needed resources into account.


Use clear language to avoid confusion.
INCIDENT RESPONSE TEAMS

Pre-designated IRTs help to quickly assemble people with useful skills.
• Depending on the incident, specialized skills may be needed.

IRTs may be centralized, distributed or a hybrid model.

IRT structure should be reviewed and approved by senior management.
INCIDENT RESPONSE TEAM ORGANIZATION

Central IRT

• A single IRT handles all incidents

Distributed IRT

• Each of several teams is responsible for a logical or physical segment of the infrastructure

Coordinating IRT

• A central team provides guidance to distributed IRTs, develops policies and standards,
provides training and exercises and coordinates response

Outsourced IRT

• Some or part of the IRT may be outsourced to a third party


TEAM COMPOSITION

A typical IRT includes:
• Information security manager
• Steering committee/advisory board (governance position only)
• Permanent/dedicated team members
• Virtual/temporary team members

Other positions include:
• Incident response manager
• Incident handler
• Investigator
• IT security specialists
• IT specialists/representatives
• Business managers
• Legal, HR, PR
• Risk management specialist
• Physical security/facilities manager
GOOD TO KNOW

Some organizations may have a designated incident management team (IMT) that determines how to manage incidents and is separate from the IRT. In other organizations, the IMT and IRT may be the same group of people. For the purposes of this course, IMT will be differentiated when necessary, but in many cases, the IRT will perform these duties.
INCIDENT RESPONSE TECHNOLOGY CONCEPTS

Security principles (CIA triad, nonrepudiation)

Risk concepts (vulnerability, impact, etc.)

Networking protocols and devices

Operating systems (configuration, common attack methods, review logs, etc.)

Malicious code (viruses, worms, Trojan horses, APTs)

Development (including programming languages)


SKILLS

Personal Skills
• Communication
• Writing skills
• Leadership
• Presentation skills
• Team building
• Problem solving
• Time management
Technical Skills
• Technical foundation skills
• Incident-handling skills
MULTI-DISCIPLINARY TEAMS

Incidents extend beyond information systems.
• Fire, power outages or natural disasters can affect the entire organization.
• Other incidents may involve legal, privacy, HR, etc.

A permanent spot on the IRT may not be needed, but a point of contact is helpful.
GOOD TO KNOW

Staff turnover is a persistent threat to incident response plans, and it can be especially hard to keep track of who should be the points of contact for support functions outside of IT and information security. If the IRT needs to contact one of these groups, it will be time sensitive, so review the contact information for everyone listed in the incident response plan on a regular basis and validate that these are still the correct people to have included in the plan.
CURRENT STATE OF INCIDENT RESPONSE

Identify what is already in place for incident response:
• Surveys
• Self assessment
• External assessment

Identify trends, events and impacts.

Perform a gap analysis to determine resources needed or areas of improvement.
FORENSICS

Forensics refers to the gathering of evidence.

Prosecution is an option if evidence is collected and stored properly.
• Many containment and eradication methods may prevent proper evidence collection.
• Inadequate documentation can lead to issues.

Brainstorm scenarios that might require forensic analysis and write them into the plan.
Identify types of forensics that can be handled internally vs. using third-party experts.
COMMUNICATION

Developing communications during an incident takes time away from other time-critical activities.
Messaging criteria can differ depending on the incident.
Templates can help to make communication easier and faster.
RESPONSE AND CONTINUITY

Business continuity plans (BCPs) document the ways business processes can resume if
the usual way is interrupted.
BCPs are often activated alongside incident response activities.
BCPs include critical factors:
• RTO
• RPO
• SDO
• MTO
QUALITY-ASSOCIATED FACTORS

Recovery point objective:
• The “last known good” point to which data must be restored in the event data has been affected

Service delivery objective:
• An indicator of the degree of recovery that is “good enough” for normal operations within a given process to resume

Recovery that does not meet RPO/SDO thresholds is not complete and may require workarounds.
TIME-ASSOCIATED FACTORS

Recovery time objective:
• The target time to resume an acceptable level of operations
• Recovery that takes longer than an RTO likely impacts the organization at tolerable levels.

Maximum tolerable outage:
• The time at which workarounds cease to be adequate to sustain operations
• Recovery that exceeds the MTO is outside the tolerable threshold and may threaten the organization’s survival.
RESPONSE AND RECOVERY

Recovery is specific to the affected systems or data.
After a major disruption, recovery activities may be more pronounced.
Disaster recovery documents the strategy and specific activities needed to recover IT capabilities in the case of a major loss.
TYPES OF RECOVERY CAPACITY

Mirror site: An alternate site that contains the same information as the original
• Configured for high availability

Hot site: A fully operational offsite data processing facility equipped with both hardware
and system software to be used in the event of a disaster
Warm site: Similar to a hot site but not fully equipped with all of the necessary hardware
needed for recovery
Cold site: An IS backup facility that has the necessary electrical and physical
components of a computer facility, but does not have the computer equipment in place
DISCUSSION QUESTION

Which of the following types of recovery capacity would the following businesses most likely choose, and why?
• Credit card processor
• Sculpture gallery
• Local credit union
DISCUSSION QUESTION:
ANSWERS

Credit card processor
• Mirror site: Credit cards are used at all hours of the day around the world and any downtime may result in rejected transactions, with potentially dire impact on reputation and market share.

Sculpture gallery
• Cold site: Information systems most likely have a minor effect on the business’s operations.

Local credit union
• Warm site: An interruption to certain operations pending recovery would likely be acceptable to members in the event of a disaster.
PLAN INTEGRATION

Response, continuity and recovery often leverage the same resources and staff.
Recovery often waits until eradication is complete, but it may be possible to restore IT capabilities at an alternate site.
Integrating the incident response plan with the BCP and DRP can help to identify overlap.

(Diagram: Response, Recovery and Continuity.)
MANAGEMENT SUPPORT

Building the capabilities needed to manage the information risk associated with incidents
requires time, commitment and resources.
Having senior management commitment lends credibility to the program and increases awareness.
• A business case can be used to demonstrate the cost effectiveness of having an incident
management and response program.
SECTION ONE SUMMARY

Planning and Integration
• Any event can turn into an incident of unpredictable scope and severity.
• Having a plan that clearly establishes how to categorize incidents, who to involve and how to integrate activities with continuity and recovery functions helps manage risk.
SECTION ONE
PRACTICE QUESTIONS
PRACTICE QUESTION

Which of the following should be determined FIRST when establishing a business continuity program?

A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams
PRACTICE QUESTION

Which of the following choices should be assessed after the likelihood of a loss event has been determined?

A. The magnitude of impact
B. Risk tolerance
C. The replacement cost of assets
D. The book value of assets
PRACTICE QUESTION

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?

A. Cost to build a redundant processing facility and location
B. Daily cost of losing critical systems and recovery time objectives
C. Infrastructure complexity and system sensitivity
D. Criticality results from the business impact analysis
PRACTICE QUESTION

Which of the following is the FIRST step in developing an incident response plan?

A. Set the minimum time required to respond to incidents.
B. Establish a process to report incidents to senior management.
C. Ensure the availability of skilled resources.
D. Categorize incidents based on likelihood and impact.
SECTION TWO
READINESS AND ASSESSMENT
TASK STATEMENTS

T4.6 Organize, train and equip incident response teams to respond to information
security incidents in an effective and timely manner.
T4.7 Test, review and revise (as applicable) the incident response plan periodically to
ensure an effective response to information security incidents and to improve response
capabilities
TASK TO KNOWLEDGE STATEMENTS

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement Connection

K4.7 Knowing what functions need to be completed and who is doing them is important in avoiding gaps in planning and execution.
K4.8 An effective incident response program requires
appropriate preparation and resources.
K4.9 Special considerations apply to collecting and storing data
and equipment that may be needed as evidence in a court
of law.
K4.11 Identifying and addressing the underlying cause of
symptoms is essential to effective information risk
management.
TASK TO KNOWLEDGE STATEMENTS

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement Connection

K4.14 Plans are most effective when they take into account all of
the resources available to the organizations, including
those provided externally.
K4.16 Regular, realistic evaluation and testing of response plans
is important to their being ready for use when needed.
K4.18 Organizations need objective methods of measuring the effectiveness of their plans as a basis for refinement.
KEY TERMS

Key Term Definition

Full interruption test: A test where operations are shut down at the primary site and shifted to the recovery site in accordance with the recovery plan.
Full operational test: A test where the plan is completely executed short of an actual service disruption.
Parallel test: A test where the recovery site is brought to a state of operational readiness, but operations at the primary site continue normally.
Preparedness test: A localized version of a full test where actual resources are expended in a simulation of a system crash.
Simulation test: A test where the team role-plays a prepared scenario.
Walk-through: A thorough demonstration or explanation that details each step of a process.

See www.isaca.org/glossary for more key terms.


TRAINING

Incident response needs to be practiced in order to be executed quickly.
Focus training on criteria and standards to promote creative thinking within the framework.
Use skills assessments to ensure that the IRT includes all necessary skillsets.
THE ROLE OF TESTING

Testing increases the likelihood that a plan will work by:
• Assessing the technical soundness of the plan
• Increasing each participant’s familiarity with the plan

Testing uses time and resources, so objectives and criteria should be clear.
Focus on:
• Identifying gaps
• Verifying assumptions
• Validating timelines
• Determining the effectiveness of strategies
• Evaluating the performance of personnel
• Determining the accuracy and currency of plan information
TESTING CONSIDERATIONS

Test response plans on a regular basis.
• At least annually

Prior to each test:
• Take steps to limit the risk of disruption.
• Ensure that business managers understand and accept the residual risk.
• Verify that fallback arrangements exist to restore operations at any point during the test if necessary.
TYPES OF TESTS

• Checklist review: Recovery checklists are reviewed to ensure they are current.
• Structured walkthrough: Team members physically implement the plans on paper and review each step.
• Simulation test: The IRT role-plays a prepared disaster scenario without activating the recovery site.
• Parallel test: The recovery site is brought to a state of operational readiness, but the primary site continues as normal.
• Full interruption test: Operations are shut down at the primary site and shifted to the recovery site.
TESTING PROGRESSION

Progression from least to most demanding (diagram):
1. Table-top walkthrough of plans
2. Table-top walkthrough with disaster scenarios
3. Testing infrastructure and communication
4. Testing infrastructure and recovery of critical applications
5. Testing infrastructure, critical applications and end user involvement
TESTING CATEGORIES

Paper tests
• On-paper walkthroughs to increase awareness

Preparedness tests
• Live rehearsals on real systems in order to identify deficiencies

Full operational tests
• Mimic real-world conditions, but are not quite an actual interruption
GOOD TO KNOW

Despite the inherent value of using a surprise, realistic exercise to assess your incident response program, unannounced full operational tests are rare. That’s because they tend to be expensive, not only in terms of time and resources devoted to the test but also lost productivity and potential impact to real-world systems that might be targeted. Even in the event of a truly unannounced exercise, key people within the organization need to know that what is happening is an evaluation. The greater the potential impact of an exercise, the higher the level at which it must be approved, and something that risks operations needs approval from the top.
TESTING PHASES

• Pretest: Set the stage for the actual test
• Test: Actual operational activities are executed to test specific objectives
• Posttest: Cleanup of group activities is performed
EVALUATION CRITERIA

Evaluation criteria depend on the type of test:
• Paper tests focus on process.
• Tests involving real systems should balance process with demonstrated outcomes.

Testing can be used to highlight the importance of following procedures and to document the skills of the IRT.
An independent third party should monitor and evaluate the test.
Make note of procedures that did not work.
THE IMPORTANCE OF PROCEDURES

As people become familiar with the plan, they will begin to anticipate the steps of the
process.
In incident response, a structured approach must be followed.
Discourage working from memory, documenting activities solely as a formality, etc.
Reinforce this behavior with refresher training and checklists.
SECTION TWO SUMMARY

Readiness and Assessment


• Training and testing help improve performance during responses to
real-world incidents by building familiarity and offering opportunities
to identify and correct deficiencies in a plan.
• Testing should be monitored and evaluated by an independent
third party to ensure objectivity.
SECTION TWO
PRACTICE QUESTIONS
PRACTICE QUESTION

Observations made by staff during a disaster recovery test are PRIMARILY reviewed to:

A. identify people who have not followed the process.
B. determine lessons learned.
C. identify equipment that is needed.
D. maintain evidence of review.
PRACTICE QUESTION

Different types of tests exist for testing the effectiveness of recovery plans. Which of the following choices occurs during a parallel test that does not occur during a simulation test?

A. The team members step through the individual recovery tasks.
B. The primary site operations are interrupted.
C. A fictitious scenario is used for the test.
D. The recovery site is brought to operational readiness.
PRACTICE QUESTION

In a large organization, effective management of security incidents will be MOST dependent on:

A. clear policies detailing incident severity levels.
B. broadly dispersed intrusion detection capabilities.
C. training employees to recognize security incidents.
D. effective communication and reporting processes.
PRACTICE QUESTION

Which of the following functions is responsible for determining the members of the enterprise’s response teams?

A. Governance
B. Risk management
C. Compliance
D. Information security
SECTION THREE
IDENTIFICATION AND RESPONSE
TASK STATEMENTS

T4.3 Develop and implement processes to ensure the timely identification of information
security incidents that could impact the business.
T4.4 Establish and maintain incident notification and escalation processes to ensure that
the appropriate stakeholders are involved in incident response management.
T4.5 Establish and maintain incident notification and escalation processes to ensure that
the appropriate stakeholders are involved in incident response management.
T4.9 Conduct post-incident reviews to determine the root cause of information security
incidents, develop corrective actions, reassess risk, evaluate response effectiveness and
take appropriate remedial actions.
TASK TO KNOWLEDGE STATEMENTS

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement Connection

K4.1 The ideas behind incident response as a function of information risk management inform and influence the design of the program.
K4.2 Significant experience over time has normalized a basic standard for incident response planning.
K4.3 Incident response activities may be linked to broader activities for business continuity and disaster recovery.
K4.4 How incidents are evaluated and classified has implications for procedures and trend analysis.
K4.6 Incidents can move quickly, and having clear thresholds for notification and escalation helps to get the right people involved at the right time.
K4.7 Knowing what functions need to be completed and who is doing them is important in avoiding gaps in planning and execution.
TASK TO KNOWLEDGE STATEMENTS

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement Connection

K4.8 An effective incident response program requires appropriate preparation and resources.
K4.9 Special considerations apply to collecting and storing data
and equipment that may be needed as evidence in a court
of law.
K4.10 In addition to organizational requirements, laws and
regulations may mandate reporting under certain
circumstances.
K4.11 Identifying and addressing the underlying cause of
symptoms is essential to effective information risk
management.
K4.12 Having the right methods of estimating cost, damage and
business impact for particular circumstances makes these
activities more effective.
TASK TO KNOWLEDGE STATEMENTS

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement Connection

K4.13 Numerous methods exist to facilitate the gathering and evaluation of data relating to incident response.
K4.14 Plans are most effective when they take into account all of
the resources available to the organization, including those
provided externally.
K4.15 Adjustments to the information systems environment made
during response activities need to be evaluated for security
implications.
K4.17 Plans and procedures should take into account all
requirements imposed from within and outside the
organization.
K4.18 Organizations need objective methods of measuring the
effectiveness of their plans as a basis for refinement.
KEY TERMS

Key Term Definition

Business impact analysis: A process to determine the impact of losing the support of any resource.
Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Escalation: Increasing the scope and intensity of response activities, usually through notification of higher-level staff within an organization and the addition of resources.

See www.isaca.org/glossary for more key terms.


KEY TERMS

Key Term Definition

Intrusion detection system: Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack.
Intrusion prevention system: A system designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks.
Root cause: The underlying reason an incident happened.
Triage: The process of sorting, categorizing, and prioritizing events/items.

See www.isaca.org/glossary for more key terms.


EFFECTIVENESS AND EFFICIENCY

An incident response plan should be effective and efficient.
• Do as much as is needed to manage the risk.
• Do as little as possible beyond what is needed to manage a risk.

The key is knowing what is reasonably likely for a given event.
INCIDENT MANAGEMENT SYSTEMS

Distributed incident management systems:
• Consist of multiple specific incident detection capabilities
• Example: IDS (network- and host-based)

Centralized incident management systems:
• Pull together data from distinct capabilities for common analysis
• Example: SIEM
SIEM

An effective SIEM will:
• Consolidate and correlate inputs from multiple systems
• Identify incidents or potential incidents
• Notify staff
• Prioritize incidents based on business impact
• Track incidents until they are closed
• Provide status tracking and notifications
• Integrate with major IT management systems
• Implement good practices guidelines
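The following added example (not code from the ISACA course or any SIEM product) shows the first five SIEM behaviours in the list in miniature: it consolidates constructed log lines from an IDS, an authentication log and an endpoint agent, correlates them with three rules, scores each incident by a constructed asset-criticality rating, selects which ones warrant notification, and tracks status to closure. All hosts, IP addresses, rule weights and the threshold are assumptions made for the demo.

```python
"""Toy SIEM-style correlation over constructed log lines.

Added example, not code from the ISACA course: it consolidates and correlates
inputs from several systems, identifies potential incidents, prioritizes them
by business impact, notifies staff and tracks them until closed. Every log
line, host, IP address, criticality rating and threshold is constructed.
"""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed feed from three sources (IDS, auth log, endpoint agent), already
# normalized to "timestamp|source|host|message".
RAW_EVENTS = """\
2024-03-01T09:00:05|ids|web-01|SCAN TCP SYN sweep from 198.51.100.7
2024-03-01T09:01:12|auth|web-01|Failed password for root from 198.51.100.7
2024-03-01T09:01:15|auth|web-01|Failed password for root from 198.51.100.7
2024-03-01T09:01:19|auth|web-01|Failed password for root from 198.51.100.7
2024-03-01T09:02:40|auth|web-01|Accepted password for root from 198.51.100.7
2024-03-01T09:10:00|endpoint|hr-laptop-17|Quarantined file: Trojan.Generic
2024-03-01T10:30:00|auth|db-01|Failed password for admin from 203.0.113.9
"""
# Constructed business-impact ratings (1 = low, 5 = critical), the kind of
# input a business impact analysis supplies; severity = rule weight * rating.
ASSET_CRITICALITY = {"web-01": 4, "db-01": 5, "hr-laptop-17": 2}
RULE_WEIGHT = {"brute-force-success": 5, "scan-then-auth-failures": 3, "malware-quarantined": 2}
NOTIFY_THRESHOLD = 10  # constructed: at or above this, page the on-call handler
FAILED = re.compile(r"Failed password for \S+ from (\S+)")
ACCEPTED = re.compile(r"Accepted password for \S+ from (\S+)")
SCAN = re.compile(r"SCAN .* from (\S+)")

Event = namedtuple("Event", "ts source host message")

@dataclass
class Incident:
    host: str
    rule: str
    severity: int
    events: list
    status: str = "open"

def parse_events(raw):
    """Consolidate lines from all sources into one time-ordered list."""
    events = []
    for line in raw.strip().splitlines():
        ts, source, host, message = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), source, host, message))
    return sorted(events, key=lambda e: e.ts)

def _from_ip(events, pattern, ip, start, end):
    """Events matching pattern whose captured source IP is ip, with start <= ts < end."""
    hits = []
    for e in events:
        m = pattern.search(e.message)
        if m and m.group(1) == ip and start <= e.ts < end:
            hits.append(e)
    return hits

def _raise(incidents, host, rule, events):
    """Create an incident scored by rule weight times the asset's criticality."""
    incidents.append(Incident(host, rule, RULE_WEIGHT[rule] * ASSET_CRITICALITY.get(host, 1), events))

def correlate(events, window=timedelta(minutes=10)):
    """Apply the correlation rules per host; return incidents, highest severity first."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        for e in evs:
            m = ACCEPTED.search(e.message)
            if m:  # Rule 1: >= 3 failures from one IP, then a success, inside the window
                fails = _from_ip(evs, FAILED, m.group(1), e.ts - window, e.ts)
                if len(fails) >= 3:
                    _raise(incidents, host, "brute-force-success", fails + [e])
            m = SCAN.search(e.message)
            if m:  # Rule 2: IDS scan alert followed by login failures from the same IP
                fails = _from_ip(evs, FAILED, m.group(1), e.ts, e.ts + window)
                if fails:
                    _raise(incidents, host, "scan-then-auth-failures", [e] + fails)
            if e.source == "endpoint" and "Quarantined" in e.message:  # Rule 3
                _raise(incidents, host, "malware-quarantined", [e])
    return sorted(incidents, key=lambda i: i.severity, reverse=True)

def to_notify(incidents):
    """Open incidents serious enough to page staff, per the constructed threshold."""
    return [i for i in incidents if i.status == "open" and i.severity >= NOTIFY_THRESHOLD]

def close_incident(incident, note):
    """Track to closure: record why the incident was closed."""
    incident.status = "closed: " + note

def run():
    return correlate(parse_events(RAW_EVENTS))
```

The single failed login on db-01 produces no incident even though db-01 carries the highest criticality, which is the point of correlating before prioritizing.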
INCIDENT MANAGEMENT SYSTEM CONSIDERATIONS

Some considerations for incident management systems include:
• Operating costs
• In the absence of an automated incident management system, staff must perform these tasks manually. Training and maintenance costs are higher, and the risk of human error is higher.
• Recovery costs
• An automated system can detect and escalate incidents faster than a manual process, reducing further damage.
MANUAL REPORTING

Many incidents are initially detected and reported manually.
Incidents reported to the Help/Service Desk may be a network intrusion or malware.
Defining escalation criteria and improving awareness can help front-line staff identify events.
NOTIFICATION

Time is of the essence.
Incident response procedures should clearly identify who needs to be notified and the best ways to contact them.
Notification activities are only effective if people understand their responsibilities and perform them efficiently.
INVESTIGATION

For each event type, the incident response plan should have:
• A clear series of steps for the initial investigation
• Time estimates for how long each step should take
• Who should perform the step (by role)

A structured approach is important.


TRIAGE

Triage: A process of sorting, categorizing, prioritizing and assigning incoming reports/events.
Typically three categories:
• Problems that cannot be readily resolved
• Problems that can wait
• Problems that can be efficiently addressed with available resources

Use BIAs and recovery plans to guide this process.


ESCALATION

Investigation will often determine that no further action is needed and initiate the “end of the emergency.”
Escalate an incident whenever a cause for concern is uncovered OR the timeframe for completing a task is exceeded.
The incident response plan should identify people to be notified along with the new steps to complete the ongoing response.
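The investigation and escalation slides above describe a step series per event type with a time estimate and role for each step, escalation on either a cause for concern or an exceeded timeframe, and the "end of the emergency" when nothing further is needed. This added example (not course code) encodes those elements as a runnable check; the event type, steps, roles, escalation contacts and timelines are all constructed.

```python
"""Investigation steps with roles, time estimates and escalation triggers.

Added example, not code from the ISACA course. Event type, steps, roles,
contacts and the timelines are constructed for the demo.
"""
import copy
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Step:
    name: str
    role: str
    estimate: timedelta
    started: Optional[datetime] = None
    finished: Optional[datetime] = None
    concern: bool = False  # set by the performer when something worrying turns up

# Constructed playbook for one event type and the contacts named in the plan.
PLAYBOOK = {
    "suspected-malware": [
        Step("Confirm alert with endpoint agent", "incident handler", timedelta(minutes=15)),
        Step("Isolate host from network", "IT security specialist", timedelta(minutes=10)),
        Step("Collect volatile data and image disk", "investigator", timedelta(hours=2)),
        Step("Determine scope (other hosts, accounts)", "incident handler", timedelta(hours=1)),
    ],
}
ESCALATION_CONTACTS = ["incident response manager", "information security manager"]

def escalation_reasons(steps, now):
    """List every trigger: a concern raised, or a step past its estimate (finished or still running)."""
    reasons = []
    for s in steps:
        if s.concern:
            reasons.append(f"cause for concern raised in '{s.name}'")
        if s.started and (s.finished or now) - s.started > s.estimate:
            reasons.append(f"'{s.name}' ({s.role}) exceeded its {s.estimate} estimate")
    return reasons

def investigation_status(steps, now):
    """Escalate on any trigger; otherwise end the emergency once every step is done."""
    reasons = escalation_reasons(steps, now)
    if reasons:
        return {"status": "escalate", "notify": list(ESCALATION_CONTACTS), "reasons": reasons}
    if all(s.finished for s in steps):
        return {"status": "end of emergency", "notify": [], "reasons": []}
    return {"status": "in progress", "notify": [], "reasons": []}

def _fresh():
    return copy.deepcopy(PLAYBOOK["suspected-malware"])

def run_scenarios():
    """Four constructed timelines for the same playbook, all starting at 09:00."""
    t0 = datetime(2024, 3, 1, 9, 0)
    # Steps 1-2 finish inside their estimates; step 3 starts at 09:20 with 2 h allowed.
    steps = _fresh()
    steps[0].started, steps[0].finished = t0, t0 + timedelta(minutes=12)
    steps[1].started, steps[1].finished = steps[0].finished, t0 + timedelta(minutes=20)
    steps[2].started = steps[1].finished
    on_time = investigation_status(steps, t0 + timedelta(hours=1))               # 10:00
    overrun = investigation_status(steps, t0 + timedelta(hours=2, minutes=30))   # 11:30
    # Same start, but the first step turns up something worrying within five minutes.
    worried = _fresh()
    worried[0].started, worried[0].finished = t0, t0 + timedelta(minutes=5)
    worried[0].concern = True
    concern = investigation_status(worried, t0 + timedelta(minutes=6))
    # Everything completes one minute inside its estimate with nothing found.
    done = _fresh()
    clock = t0
    for s in done:
        s.started, clock = clock, clock + s.estimate - timedelta(minutes=1)
        s.finished = clock
    closed = investigation_status(done, clock)
    return {"in_progress": on_time, "overrun": overrun, "concern": concern, "closed": closed}
```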
EXTERNAL NOTIFICATION

Some events may necessitate communication to people outside the organization.
Failure to comply with requirements for communication can result in penalties.
Consult with legal, HR, etc. to ensure that the right people are informed.
PRESERVING/COLLECTING EVIDENCE

Two opinions on how to preserve evidence on an affected system:
• Cut power to preserve temporary storage files
• Keep power on to avoid losing malware/file corruption

Analysis should be performed on a copy of a system’s storage drives.
Making a bit-level copy using a write-protect device and comparing hashes can help to establish the validity of the investigation.
DOCUMENTATION

Accurate records of an incident as it unfolds are useful.
• Clear timelines can identify root cause.
• Undocumented changes may introduce risks.
• An unbroken chain of custody preserves evidence.

Standardized forms help ensure the right information is recorded.
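The evidence and documentation slides above call for analysis on a bit-level copy, hash comparison to establish validity, and an unbroken chain of custody. This added example (not course code) does all three in software: the source is opened read-only and copied byte for byte, both files are hashed, and every handover is logged with a hash so a break in the chain shows up; it then alters the working copy to show the check failing. The evidence bytes, handler names and case id are constructed, and reading the source in software stands in for the hardware write-protect device a real acquisition would use.

```python
"""Bit-level copy, hash verification and chain-of-custody record.

Added example, not code from the ISACA course. Evidence bytes, handler
names and the case id are constructed; opening the source read-only is
a software stand-in for a hardware write-protect device.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so a large image never has to fit in memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def bit_level_copy(src, dst):
    """Copy src to dst byte for byte; src is only ever opened for reading."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(CHUNK), b""):
            d.write(chunk)

@dataclass
class CustodyEntry:
    when: str
    handler: str
    action: str
    item: str
    sha256: str

@dataclass
class ChainOfCustody:
    case_id: str
    entries: list = field(default_factory=list)

    def record(self, handler, action, item, path):
        """Append an entry, hashing the item at the moment of the handover."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(CustodyEntry(stamp, handler, action, item, sha256_file(path)))
        return self.entries[-1]

    def is_unbroken(self, item):
        """The chain holds only if every recorded hash for the item is identical."""
        return len({e.sha256 for e in self.entries if e.item == item}) == 1

def acquire(src, dst, handler, chain):
    """Image src to dst, log both, and return True only if the hashes match."""
    chain.record(handler, "collected", "original", src)
    bit_level_copy(src, dst)
    chain.record(handler, "imaged", "working-copy", dst)
    return sha256_file(src) == sha256_file(dst)

def demo():
    """Acquire a constructed image, then show an altered working copy being detected."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "suspect-disk.img")
        working = os.path.join(tmp, "working-copy.img")
        with open(original, "wb") as f:            # constructed evidence bytes
            f.write(b"MBR\x00" * 4096 + b"\xaa\x55")
        chain = ChainOfCustody("CASE-0001")        # constructed case id
        verified = acquire(original, working, "analyst-a", chain)
        chain.record("analyst-b", "received", "working-copy", working)
        # Analysis is done on the working copy; simulate an accidental write to it.
        with open(working, "ab") as f:
            f.write(b"\x00")
        chain.record("analyst-b", "returned", "working-copy", working)
        return {
            "verified": verified,
            "original_intact": sha256_file(original) == chain.entries[0].sha256,
            "copy_chain_unbroken": chain.is_unbroken("working-copy"),
            "entries": len(chain.entries),
        }
```

Because the original was never written to, its hash still matches the first custody entry and a fresh working copy can be taken from it, which is the recovery path the practice question at the end of this section is about.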


POST-INCIDENT REVIEW

Take time to review what happened and why:
• Opportunities for improvement in the plan
• Lessons learned
• Calculate the cost of the incident

Use a consistent approach and capture information while it is still fresh.
ROOT CAUSE ANALYSIS

Without identifying the root cause of an incident, similar incidents may continue to occur.
Answer the following questions:
• Who is involved?
• What has happened?
• Where did the attack originate?
• When (what time frame)?
• Why did it happen?
• How was the system vulnerable or how did the attack occur?
• What was the reason for the attack (i.e., the perpetrator’s motivation)?

Develop recommendations to address the root cause using a risk-based approach.


DISCUSSION QUESTION

An outsider has gained network access using the credentials of an unsuspecting insider.
What are some possible root causes?
GOOD TO KNOW

“Addressing” a root cause does not necessarily mean “fixing” it. The post-incident review
is part of the overall program for managing information risk, and any corrective actions
proposed as a result of the review should reflect a risk-based approach. If the cost of
mitigating a vulnerability is higher than its potential impact, accepting the risk or
transferring it through a third-party agreement may be preferable.
SECTION THREE SUMMARY

Identification and Response


• When an incident occurs, time is of the essence, but
documentation is a critical part of the process that helps to identify
root causes.
• Unless root causes are identified, similar incidents are likely to
occur in the future despite any actions taken to correct symptoms.
SECTION THREE
PRACTICE QUESTIONS
PRACTICE QUESTION

In the course of examining a computer system for forensic evidence, data on the suspect
media were inadvertently altered. Which of the following should have been the FIRST
course of action in the investigative process?

A. Perform a backup of the suspect media to new media.
B. Create a bit-by-bit image of the original media source onto new media.
C. Make a copy of all files that are relevant to the investigation.
D. Run an error-checking program on all logical drives to ensure that there are no disk errors.
PRACTICE QUESTION

Which of the following is the MOST important consideration for an organization
interacting with the media during a disaster?

A. Communicating specially drafted messages by an authorized person
B. Refusing to comment until recovery
C. Referring the media to the authorities
D. Reporting the losses and recovery strategy to the media
PRACTICE QUESTION

Which of the following actions should be taken when an online trading company
discovers a network attack in progress?

A. Shut off all network access points
B. Dump all event logs to removable media
C. Isolate the affected network segment
D. Enable trace logging on all events
PRACTICE QUESTION

Which of the following choices is the BEST input for the definition of escalation
guidelines?

A. Risk management issues
B. A risk and impact analysis
C. Assurance review reports
D. The effectiveness of resources
DOMAIN 4
SUMMARY
SUMMARY

Incident management, a subset of risk management, aims to contain the disruptive
impact of an incident and restore normal operations.
Incidents are often classified in order to better tailor response
activities and efforts.
Incident response teams pull together necessary resources to
quickly respond to incidents and generally extend beyond the
IT department.
Standardized templates should be used where possible to
ensure consistency and expedite activities.
SUMMARY

Business continuity and incident response work together to ensure operations can
continue and be recovered effectively and efficiently.
Test the incident response to gain confidence that it will work
as expected.
Perform testing regularly and in ways designed to reduce the
risk of unexpected disruptions to normal operations.
Use test results to improve the plan and provide education
and training to IRT members.
SUMMARY

Incident management systems may help to identify and contain incidents at their initial
stages.
The incident response plan should include clear steps for
incident investigation and criteria for escalation.
Take preservation of evidence into account as part of the
plan.
Use post-incident reviews to identify the root causes of
incidents and address them on the basis of risk.
THANK YOU
